
#php

CVE-2023-34842: DedeCMS (织梦) official website - content management system

Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows remote attackers to run arbitrary code via crafted POST request to /dede/tpl.php.

CVE-2023-37647

SEMCMS v1.5 was discovered to contain a SQL injection vulnerability via the id parameter at /Ant_Suxin.php.

GHSA-q9vm-29ph-p7mp: phpMyFAQ Stored Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

GHSA-2xvx-368h-qcmv: phpMyFAQ Improper Neutralization of Formula Elements in a CSV File vulnerability

Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

CVE-2023-4007: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@40eb968

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

CVE-2023-4006: huntr – Security Bounties for any GitHub repository

Improper Neutralization of Formula Elements in a CSV File in GitHub repository thorsten/phpmyfaq prior to 3.1.16.

GHSA-q386-w6fg-gmgp: XML External Entity (XXE) vulnerability in the XML data handler

### TL;DR

This vulnerability only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. If you use an affected method and cannot rule out XML input controlled by an attacker, we strongly recommend updating to a patch release.

----

### Introduction

XML External Entities (XXE) is a little used feature in the XML markup language that allows including data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts like the disclosure of internal or confidential data that is stored on the server (arbitrary file disclosure) or to perform network requests on behalf of the server (server-side request forgery, SSRF).

### Impact

Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing...

CVE-2023-31937: BugReport/php/Rail-Pass-Management-System/bug3-SQL-Injection-editid.md at main · DiliLearngent/BugReport

SQL injection vulnerability found in Rail Pass Management System v.1.0 allows a remote attacker to execute arbitrary code via the editid parameter of the edit-cateogry-detail.php file.

CVE-2023-31933: BugReport/php/Rail-Pass-Management-System/bug4-SQL-Injection-editid2.md at main · DiliLearngent/BugReport

SQL injection vulnerability found in Rail Pass Management System v.1.0 allows a remote attacker to execute arbitrary code via the editid parameter of the edit-pass-detail.php file.

CVE-2023-31935: BugReport/php/Rail-Pass-Management-System/bug1-XSS-in-Admin-Name.md at main · DiliLearngent/BugReport

Cross Site Scripting vulnerability found in Rail Pass Management System v.1.0 allows a remote attacker to obtain sensitive information via the emial parameter of admin-profile.php.