Tag
#java
iCMS v7.0.16 was discovered to contain a SQL injection vulnerability via the where parameter at admincp.php.
Ubuntu Security Notice 6281-1 - Alvaro Munoz discovered that Velocity Engine incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code.
DriverPack Solution CMS version 17.11.108 suffers from a cross site scripting vulnerability.
Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.
Deprixa version 3.2.5 suffers from a cross site request forgery vulnerability.
An issue was discovered in LWsystems Benno MailArchiv 2.10.1. Attackers can cause XSS via JavaScript content to a mailbox.
A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense before 23.7 allows attackers to inject arbitrary JavaScript via the URL path.
Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token is accessible even after the setup process has been completed. With this token a user is able to submit the setup functionality to create a new database. When creating a new database, an H2 database string is created with a TRIGGER that allows for code execution. We use a sample database for our connection string to prevent corrupting real databases. Successfully tested against Metabase 0.46.6.
Lucee version 5.4.2.17 suffers from a cross site scripting vulnerability.