Tag: #php

Deep Sea Electronics DSE855 Remote Authentication Bypass

Deep Sea Electronics DSE855 is vulnerable to configuration disclosure when a direct object reference to the Backup.bin file is made using an HTTP GET request. This lets an attacker obtain sensitive information that aids authentication bypass, privilege escalation, and full system access.

Packet Storm
#vulnerability #web #php #auth

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard

WordPress FooGallery 2.4.16 Cross Site Scripting

WordPress FooGallery plugin version 2.4.16 suffers from a persistent cross site scripting vulnerability.

WordPress Gallery 2.3.6 Cross Site Scripting

WordPress Gallery version 2.3.6 suffers from a persistent cross site scripting vulnerability.

Simple Laboratory Management System 1.0 SQL Injection

Simple Laboratory Management System version 1.0 suffers from a remote time-based SQL injection vulnerability.

Azon Dominator Affiliate Marketing Script SQL Injection

Azon Dominator Affiliate Marketing Script suffers from a remote SQL injection vulnerability.

WordPress WPCode Lite 2.1.14 Cross Site Scripting

WordPress WPCode Lite plugin version 2.1.14 suffers from a persistent cross site scripting vulnerability.

Customer Support System 1.0 Cross Site Scripting

Customer Support System version 1.0 suffers from a persistent cross site scripting vulnerability. Original discovery of cross site scripting in this version is attributed to Ahmed Abba in November of 2020.

GHSA-ff7q-6vwh-v9m4: Name confusion in x509 Subject Alternative Name fields

In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x before 3.0.33, some characters in Subject Alternative Name fields in TLS certificates are incorrectly allowed to have a special meaning in regular expressions (such as a + wildcard), leading to name confusion in X.509 certificate host verification.