Security
Headlines
HeadlinesLatestCVEs

Tag

#php

GHSA-7vcx-v65q-9wpg: XML-RPC for PHP's `Wrapper::buildClientWrapperCode` method allows code injection via malicious `$client` argument

In order for this weakness to be exploited, the following conditions have to apply, at the same time: - method `Wrapper::buildClientWrapperCode`, or any methods which depend on it, such as `Wrapper::wrapXmlrpcServer`, `Wrapper::wrapXmlrpcMethod` or `Wrapper::buildWrapMethodSource` must be in use. Note that they are _not_ used by default in either the Client or Server classes provided by the library; the developer has to specifically make use of them in his/her own code - the `$client` argument to either of those methods should have been built with malicious data, ie. data controlled by a 3rd party, passed to its constructor call This is most likely an uncommon usage scenario, and as such the chances of exploitation may be low. *NB* the graphical debugger which is shipped as part of the library is vulnerable to this, when used with the option "Generate stub for method call" selected. In that case, the debugger will _display_ but not _execute_ the malicious code, which would have to b...

ghsa
Open in Source
#php
GHSA-pxqj-xrv5-qvjf: XML-RPC for PHP's debugger vulnerable to possible XSS attack

The bundled xml-rpc debugger is susceptible to XSS attacks. Since the debugger is not designed to be exposed to end users but only to the developers using this library, and in the default configuration it is not exposed to requests from the web, the likelihood of exploitation may be low.

CVE-2015-10038: Added fix for SQL Injection · nym3r0s/pplv2@28f8b05

A vulnerability was found in nym3r0s pplv2. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to sql injection. The name of the patch is 28f8b0550104044da09f04659797487c59f85b00. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218023.

CVE-2014-125076

A vulnerability was found in NoxxieNl Criminals. It has been classified as critical. Affected is an unknown function of the file ingame/roulette.php. The manipulation of the argument gambleMoney leads to sql injection. The name of the patch is 0a60b31271d4cbf8babe4be993d2a3a1617f0897. It is recommended to apply a patch to fix this issue. VDB-218022 is the identifier assigned to this vulnerability.

Online Food Ordering System 2.0 Cross Site Scripting

Online Food Ordering System version 2.0 suffers from a cross site scripting vulnerability.

Tiki Wiki CMS Groupware 25.0 Cross Site Scripting

Tiki Wiki CMS Groupware version 25.0 suffers from a cross site scripting vulnerability.

Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

Medisense-Healthcare Solutions CRM version 2.0 suffers from a cross site request forgery vulnerability.

ERPGo SaaS CRM 3.3 Arbitrary File Upload

ERPGo SaaS CRM version 3.3 suffers from an arbitrary file upload vulnerability.

CVE-2022-4415: security - systemd-coredump: CVE-2022-4415: local information leak due to systemd-coredump not respecting fs.suid_dumpable kernel setting

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

CVE-2022-47864: Lead management system php open source free download

Lead Management System v1.0 is vulnerable to SQL Injection via the id parameter in removeCategories.php.