Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-41539: CVE-nu11secur1ty/vendors/phpjabbers/2023/Business-Directory-Script-Version:3.2/SQLi at main · nu11secur1ty/CVE-nu11secur1ty

phpjabbers Business Directory Script 3.2 is vulnerable to SQL Injection via the column parameter.

CVE
Open in Source
#sql#vulnerability#git#php
CVE-2023-41537: CVE-nu11secur1ty/vendors/phpjabbers/2023/Business-Directory-Script-Version:3.2 at main · nu11secur1ty/CVE-nu11secur1ty

phpjabbers Business Directory Script 3.2 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.

CVE-2023-41538: CVE-nu11secur1ty/vendors/phpjabbers/2023/PHP-Forum-Script-3.0 at main · nu11secur1ty/CVE-nu11secur1ty

phpjabbers PHP Forum Script 3.0 is vulnerable to Cross Site Scripting (XSS) via the keyword parameter.

CVE-2023-4624: Security: Added new SSR allow list and validator · BookStackApp/BookStack@c324ad9

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08.

CVE-2023-4600: Changelog - AffiliateWP

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC)

CVE-2023-4599: class-email-encoder-bundle-run.php in email-encoder-bundle/tags/2.1.7/core/includes/classes – WordPress Plugin Repository

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4596: OffSec’s Exploit Database Archive

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2020-18912: 微盾PHP脚本加密专家解密算法 - 独行客 - 博客园

An issue found in Earcms Ear App v.20181124 allows a remote attacker to execute arbitrary code via the uload/index-uplog.php.

CVE-2023-41153: webmin-changelog

A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configuration tab in Usermin 2.001 allows remote attackers to inject arbitrary web script or HTML via options for the host value while editing the host options.