#php

RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 suffer from a directory traversal vulnerability.

WordPress Neon Text plugin versions 1.1 and below suffer from a persistent cross site scripting vulnerability.

### Impact _What kind of vulnerability is it? Who is impacted?_ Access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. ### Patches Has the problem been patched? What versions should users upgrade to? The problem is patched with Version `2.4.17` and `2.5.13`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Remove following lines from `vendor/symfony/security-http/HttpUtils.php`: ``` - // Shortcut if request has already been matched before - if ($request->attributes->has('_route')) { - return $path === $request->attributes->get('_route'); - } ``` Or do not install `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`. ### References _Are there any links users can visit to find out more?_ Currently no references.

Wallos versions prior to 1.11.2 suffer from a remote shell upload vulnerability.

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

Employee Management System version 1.0-2024 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. An attacker can construct a malformed certificate containing an extremely large prime to cause a denial of service (CPU consumption for an isPrime primality check). NOTE: this issue was introduced when attempting to fix CVE-2023-27560.

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).