Security
Headlines
HeadlinesLatestCVEs

Tag

#php

ManageEngine ADManager 7183 Password Hash Disclosure

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

Packet Storm
#vulnerability#windows#google#php#auth#firefox#ssl
ABB Cylon Aspect 3.07.02 (downloadDb.php) Authenticated File Disclosure

The building management system suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'downloadDb.php' script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

GHSA-6784-9c82-vr85: Injection of arbitrary HTML/JavaScript code through the media download URL

### Impact This vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website's content, or perform actions on behalf of the victim. ### Patches The problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are: * 2.6.4 * 2.5.20 ### Workarounds Until an official patch is released, users can implement additional input validation and output encoding for the 'slug' parameter in the MediaStreamController's downloadAction method. Alternatively, configuring a Web Application Firewall (WAF) to filter potentially malicious input could serve as a temporary mitigation. ### References * GitHub repository: https://github.com/sulu/sulu * Vulnerable code: https://g...

Debian Security Advisory 5780-1

Debian Linux Security Advisory 5780-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in incorrect parsing of multipart/form-data, bypass of the cgi.force_direct directive or incorrect logging.

openSIS 9.1 SQL Injection

openSIS version 9.1 suffers from a remote SQL injection vulnerability.

WordPress Bricks Builder Theme 1.9.6 Code Injection

WordPress Bricks Builder Theme version 1.9.6 suffers from a PHP code injection vulnerability.

WordPress Hash Form 1.1.0 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.

ViciDial 2.0.5 Cross Site Request Forgery

ViciDial version 2.0.5 suffers from a cross site request forgery vulnerability.