Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2021-37502: Storage XSS vulnerability in /gui/accounts.php · Issue #29 · marcantondahmen/automad

Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.

CVE
Open in Source
#xss#vulnerability#git#php
CVE-2021-36443: CSRF vulnerability in imcat v5.4 · Issue #9 · peacexie/imcat

Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.

CVE-2021-36426: Arbitrary file upload vulnerability · Issue #312 · slackero/phpwcms

File Upload vulnerability in phpwcms 1.9.25 allows remote attackers to run arbitrary code via crafted file upload to include/inc_lib/general.inc.php.

CVE-2021-36425: Arbitrary file deletion vulnerability · Issue #311 · slackero/phpwcms

Directory traversal vulnerability in phpcms 1.9.25 allows remote attackers to delete arbitrary files via unfiltered $file parameter to unlink method in include/inc_act/act_ftptakeover.php file.

CVE-2021-36424: Code execution during installation · Issue #310 · slackero/phpwcms

An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.

CISA Alert: Oracle E-Business Suite and SugarCRM Vulnerabilities Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on February 2 added two security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The first of the two vulnerabilities is CVE-2022-21587 (CVSS score: 9.8), a critical issue impacting versions 12.2.3 to 12.2.11 of the Oracle Web Applications Desktop Integrator product. "Oracle

CVE-2023-25135: Unserializable, but unreachable: Remote code execution on vBulletin

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.

CVE-2022-48140: dedecms/xss.docx at main · ChandlerChin/dedecms

DedeCMS v5.7.97 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /file_manage_view.php?fmdo=edit&filename.

CVE-2022-48079: 梦奈宝塔主机系统 - 官方网站

Monnai aaPanel host system v1.5 contains an access control issue which allows attackers to escalate privileges and execute arbitrary code via uploading a crafted PHP file to the virtual host directory of the system.

WordPress Quick Restaurant 2.0.2 XSS / CSRF / IDOR / Missing Authorization

On January 16, 2023, the Wordfence Threat Intelligence team responsibly disclosed several vulnerabilities in Quick Restaurant Menu, a WordPress plugin that allows users to set up restaurant menus on their sites. This plugin is vulnerable to missing authorization, insecure direct object reference, cross site request forgery as well as cross site scripting in versions up to, and including, 2.0.2.