Security Headlines: Latest CVEs tagged #php

CVE-2021-36761: Advisory - Joshua CybeRiskVision

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

GHSA-25mq-v84q-4j7r: CURLOPT_HTTPAUTH option not cleared on change of origin

### Impact

`Authorization` headers on requests are sensitive information. When using our Curl handler, it is possible to use the `CURLOPT_HTTPAUTH` option to specify an `Authorization` header. On making a request which responds with a redirect to a URI with a different origin, if we choose to follow it, we should remove the `CURLOPT_HTTPAUTH` and `CURLOPT_USERPWD` options before continuing, stopping curl from appending the `Authorization` header to the new request. Previously, we would only consider a change in host. Now, we consider any change in host, port or scheme to be a change in origin.

### Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.5 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.8 or 7.4.5. Note that a partial fix was implemented in Guzzle 7.4.2, where a change in host would trigger removal of the curl-added Authorization header; however, this earlier fix did not cover a change in scheme or a change in port. ...

CVE-2022-33056: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/schedules/manage_schedule.php.

CVE-2022-33055: bug_report/SQLi-3.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/trains/manage_train.php.

CVE-2022-33049: bug_report/SQLi-2.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/?page=user/manage_user.

CVE-2022-33048: bug_report/SQLi-1.md at main · k0xx11/bug_report

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /orrs/admin/reservations/view_details.php.

CVE-2022-31478: ILIAS LMS UserTakeOver < 4.0.1 Vulnerability - BCK Security Inc - Medium

The UserTakeOver plugin before 4.0.1 for ILIAS allows an attacker to list all users via the search function.

CVE-2022-33119: nuuo-xss/README.md at main · badboycxcc/nuuo-xss

NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php.

CVE-2022-31374: GitHub - badboycxcc/SolarView_Compact_6.0_upload

An arbitrary file upload vulnerability in /images/background/1.php of SolarView Compact 6.0 allows attackers to execute arbitrary code via a crafted PHP file.