Security
Headlines
HeadlinesLatestCVEs

Tag

#php

Desenvolvido C3iM CMS 2.0 Cross Site Scripting

Desenvolvido C3iM CMS version 2.0 suffers from a cross site scripting vulnerability.

Packet Storm
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#ubuntu#linux#debian#cisco#java#php#perl#auth#ruby#firefox
Deprixa 3.2.5 Cross Site Request Forgery

Deprixa version 3.2.5 suffers from a cross site request forgery vulnerability.

CVE-2023-4283: Changeset 2950211 for embedpress – WordPress Plugin Repository

The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedpress_calendar' shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4277: class-realia-post-type-user.php in realia/tags/1.4.0/includes/post-types – WordPress Plugin Repository

The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-4276: profile_page.php in absolute-privacy/trunk – WordPress Plugin Repository

The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change user email and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-39008: LogicalTrust - [EN] A-Z: OPNsense - Penetration Test

A command injection vulnerability in the component /api/cron/settings/setJob/ of OPNsense before 23.7 allows attackers to execute arbitrary system commands.

EuroTel ETL3100 Transmitter Information Disclosure

The EuroTel ETL3100 TV and FM transmitters suffer from an unauthenticated configuration and log download vulnerability. This will enable the attacker to disclose sensitive information and help him in authentication bypass, privilege escalation and full system access.

EuroTel ETL3100 Transmitter Authorization Bypass / Insecure Direct Object Reference

The EuroTel ETL3100 transmitter is vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access the hidden resources on the system and execute privileged functionalities.

EuroTel ETL3100 Transmitter Default Credentials

EuroTel ETL3100 transmitters use a weak set of default administrative credentials that can be guessed in remote password attacks and gain full control of the system.