Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2022-25048: GitHub - Immersive-Labs-Sec/CentOS-WebPanel: Proof of concepts scripts for vulnerabilities in CentOS Web Panel

Command injection vulnerability in CWP v0.9.8.1126 that allows normal users to run commands as the root user.

CVE
Open in Source
#sql#vulnerability#web#git#php#rce#auth#ssl
The Age of Collaborative Security: What Tens of Thousands of Machines Witness

Disclaimer: This article is meant to give insight into cyber threats as seen by the community of users of CrowdSec. What can tens of thousands of machines tell us about illegal hacker activities? Do you remember that scene in Batman - The Dark Knight, where Batman uses a system that aggregates active sound data from countless mobile phones to create a meta sonar feed of what is going on at any

CVE-2015-3173

custom-content-type-manager Wordpress plugin can be used by an administrator to achieve arbitrary PHP remote code execution.

CVE-2022-31131: Update phpdoc for local attachment and outbox by kesselb · Pull Request #6600 · nextcloud/mail

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

CVE-2021-31678: GitHub - RO6OTXX/pescms_vulnerability

An issue was discovered in PESCMS-V2.3.3. There is a CSRF vulnerability that can delete import information about a user's company.

CVE-2022-35229: [ZBX-21306] Reflected XSS in discovery page of Zabbix Frontend [CVE-2022-35229]

An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVE-2022-35230: [ZBX-21305] Reflected XSS in graphs page of Zabbix Frontend [CVE-2022-35230]

An authenticated user can create a link with reflected Javascript code inside it for the graphs page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict.

CVE-2022-32533: security - CVE-2022-32533: Apache Portals Jetspeed XSS, CSRF, SSRF, and XXE issues

** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.

CVE-2022-34972: OpenCart 3.x So Filter Shop By SQL Injection ≈ Packet Storm

So Filter Shop v3.x was discovered to contain multiple blind SQL injection vulnerabilities via the att_value_id , manu_value_id , opt_value_id , and subcate_value_id parameters at /index.php?route=extension/module/so_filter_shop_by/filter_data.

CVE-2022-32311: Ingredient Stock Management System 1.0 SQL Injection ≈ Packet Storm

Ingredient Stock Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /isms/admin/stocks/view_stock.php.