
Tag

#php

CVE-2022-0698: GitHub - microweber/microweber: Drag and Drop Website Builder and CMS with E-commerce

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

CVE-2022-23044: Tiny File Manager 2.4.8 - Remote Command Execution | Advisories | Fluid Attacks

Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to execute arbitrary code remotely on the server. This is possible because the application is vulnerable to CSRF, processes uploaded files server-side (instead of just returning them for download), and allows unauthenticated users to access uploaded files.

CVE-2022-38813

PHPGurukul Blood Donor Management System 1.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, delete the users, add and manage Blood Group, and Submit Report.

CVE-2022-37721: The PHP CMS built for Laravel.

PyroCMS 3.9 is vulnerable to stored cross-site scripting (XSS) when a low-privileged user, such as an author, injects a crafted HTML and JavaScript payload in a blog post, leading to full admin account takeover or privilege escalation.

CVE-2022-45039: WBCE CMS v1.5.4 getshell

An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-45038: WBCE CMS v1.5.4 is vulnerable to XSS via /admin/settings/save.php

A cross-site scripting (XSS) vulnerability in /admin/settings/save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Footer field.

CVE-2022-45037: WBCE CMS v1.5.4 is vulnerable to XSS via /admin/users/index.php

A cross-site scripting (XSS) vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field.

CVE-2022-45036: WBCE CMS v1.5.4 is vulnerable to XSS via /search/index.php

A cross-site scripting (XSS) vulnerability in the Search Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the No Results field.

CVE-2022-44411: Web Based Quiz System v1.0 is vulnerable to brute force attack

Web Based Quiz System v1.0 transmits user passwords in plaintext during the authentication process, allowing attackers to obtain users' passwords via a brute-force attack.

CVE-2022-45040: WBCE CMS v1.5.4 is vulnerable to XSS via /admin/pages/sections_save.php

A cross-site scripting (XSS) vulnerability in /admin/pages/sections_save.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name Section field.