Security
Headlines
HeadlinesLatestCVEs

Tag

#php

Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials

A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user

The Hacker News
#vulnerability#web#mac#linux#ddos#java#php#rce#botnet#auth#ibm#wifi#The Hacker News
CVE-2023-5467: class-gmw-single-location.php in geo-my-wp/tags/4.0.1/plugins/single-location/includes – WordPress Plugin Repository

The GEO my WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5471: cve/Farmacia System.pdf at main · miziha6/cve

A vulnerability, which was classified as critical, was found in codeprojects Farmacia 1.0. Affected is an unknown function of the file index.php. The manipulation of the argument usario/senha leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-241608.

CVE-2023-44846

An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component.

CVE-2023-44848

An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_template.php component.

CVE-2023-44812: GitHub - ahrixia/CVE-2023-44812: mooSocial v3.1.8 is vulnerable to cross-site scripting on Admin redirect function.

Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function.

CVE-2023-5365: HP LIFE Android Mobile – Potential Escalation of Privilege, Information Disclosure

HP LIFE Android Mobile application is potentially vulnerable to escalation of privilege and/or information disclosure.

CVE-2023-44393: Reflected XSS in /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]

Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the ...