Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2022-39988: Centreon 22.04.0 Cross Site Scripting ≈ Packet Storm

A cross-site scripting (XSS) vulnerability in Centreon 22.04.0 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Service>Templates service_alias parameter.

CVE
Open in Source
#xss#vulnerability#web#php#auth
CVE-2022-39265: Version 1.8.31 - MyBB

MyBB is a free and open source forum software. The _Mail Settings_ ? Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2022-40895: NeDi Community - Index

In certain Nedi products, a vulnerability in the web UI of NeDi login & Community login could allow an unauthenticated, remote attacker to affect the integrity of a device via a User Enumeration vulnerability. The vulnerability is due to insecure design, where a difference in forgot password utility could allow an attacker to determine if the user is valid or not, enabling a brute force attack with valid users. This affects NeDi 1.0.7 for OS X 1.0.7 <= and NeDi for Suse 1.0.7 <= and NeDi for FreeBSD 1.0.7 <=.

Joomla KSAdvertiser 2.5.37 Cross Site Scripting

Joomla KSAdvertiser extension version 2.5.37 suffers from a cross site scripting vulnerability.

Joomla JoomBri Freelance 4.5.0 Cross Site Scripting

Joomla JoomBri Freelance extension version 4.5.0 suffers from a cross site scripting vulnerability.

WordPress WPvivid Backup Path Traversal

WordPress WPvivid Backup plugin versions prior to 0.9.76 suffer from a path traversal vulnerability.

WordPress Elementor 3.6.2 Shell Upload

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

Joomla Solidres 2.12.9 Cross Site Scripting

Joomla Solidres extension version 2.12.9 suffers from a cross site scripting vulnerability.