Security
Headlines
HeadlinesLatestCVEs

Tag

#php

Lilac-Reloaded For Nagios 2.0.8 Remote Code Execution

Lilac-Reloaded for Nagios version 2.0.l8 remote code execution exploit.

Packet Storm
#ios#windows#google#debian#php#rce#acer#auth
Serendipity 2.4.0 Shell Upload

Serendipity version 2.4.0 suffers from a remote shell upload vulnerability.

CVE-2014-125099: Release 3.7.3: Fixed a Possible SQL injection vulnerability reported by [Oskar Adin]… · wp-plugins/i-recommend-this

A vulnerability has been found in I Recommend This Plugin up to 3.7.2 on WordPress and classified as critical. Affected by this vulnerability is an unknown functionality of the file dot-irecommendthis.php. The manipulation leads to sql injection. The attack can be launched remotely. Upgrading to version 3.7.3 is able to address this issue. The name of the patch is 058b3ef5c7577bf557557904a53ecc8599b13649. It is recommended to upgrade the affected component. The identifier VDB-226309 was assigned to this vulnerability.

CVE-2023-22894: Multiple Critical Vulnerabilities in Strapi Versions <=4.7.1

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

CVE-2023-29586: CWE - CWE-285: Improper Authorization (4.10)

Code Sector TeraCopy 3.9.7 does not perform proper access validation on the source folder during a copy operation. This leads to Arbitrary File Read by allowing any user to copy any directory in the system to a directory they control.

CVE-2023-27776: GitHub - lohyt/Persistent-Cross-Site-Scripting-found-in-Online-Jewellery-Store-from-Sourcecodester-website.

A stored cross-site scripting (XSS) vulnerability in /index.php?page=category_list of Online Jewelry Shop v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter.

CVE-2023-2170: Diff [2774153:2868795] for simple-tags/trunk – WordPress Plugin Repository

The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Related Posts functionality in versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor+ permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2021-28254: Laravel8 new pop chain mining process

A deserialization vulnerability in the destruct() function of Laravel v8.5.9 allows attackers to execute arbitrary commands.