Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-43192: cve_sql/jfinalcms_sql.md at main · etn0tw/cve_sql

SQL injection can exist in a newly created part of the JFinalcms background, and the parameters submitted by users are not filtered. As a result, special characters in parameters destroy the original logic of SQL statements. Attackers can use this vulnerability to execute any SQL statement.

CVE
#sql#vulnerability#git
CVE-2023-44047: SQLI-TollTax/README.md at main · xcodeOn1/SQLI-TollTax

Sourcecodester Toll Tax Management System v1 is vulnerable to SQL Injection.

CVE-2023-33972: Privilege escalation from having CREATE access on a keyspace to full permission on a table in that keyspace

Scylladb is a NoSQL data store using the seastar framework, compatible with Apache Cassandra. Authenticated users who are authorized to create tables in a keyspace can escalate their privileges to access a table in the same keyspace, even if they don't have permissions for that table. This issue has not yet been patched. A workaround to address this issue is to disable CREATE privileges on a keyspace, and create new tables on behalf of other users.

CVE-2023-43381: CVE-2023-43381

SQL Injection vulnerability in Tianchoy Blog v.1.8.8 allows a remote attacker to obtain sensitive information via the id parameter in the login.php

CVE-2023-43291: CVE-2023-43291.md

Deserialization of Untrusted Data in emlog pro v.2.1.15 and earlier allows a remote attacker to execute arbitrary code via the cache.php component.

CVE-2023-5161: shortcode.php in modal-window/tags/5.3.5/public – WordPress Plugin Repository

The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-43484: Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"

Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.

CVE-2023-44044: Superstore-sql-poc/SQL at main · TishaManandhar/Superstore-sql-poc

Super Store Finder v3.6 and below was discovered to contain a SQL injection vulnerability via the Search parameter at /admin/stores.php.

CVE-2023-43234: 穆云智能科技 - DedeBIZ管理系统 - 我们致力于管理系统开源提供动力

DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.