🚨 CVE-2024-51506
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
🎖@cveNotify
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
🎖@cveNotify
GitHub
Stored XSS on "Create a Wiki Pages" in Tikiwiki version 27.0 · Issue #8 · r0ck3t1973/xss_payload
Hi, Download and install CMS TikiWiki version 27.0 https://sourceforge.net/projects/tikiwiki/ Login into panel click a 'Wiki' -> 'Create a Wiki Pages' insert payload in descripti...
🚨 CVE-2024-51507
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
🎖@cveNotify
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
🎖@cveNotify
GitHub
Stored XSS on 'Create/Edit External Wiki' in TikiWiki version 27.0 · Issue #9 · r0ck3t1973/xss_payload
Hi, Download and install cms TikiWiki version 27.0 Login into panel click a Settings -> External Wikis (/tiki-27.0/tiki-admin_external_wikis.php) insert payload in description: Name and Index &l...
🚨 CVE-2024-51508
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
🎖@cveNotify
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
🎖@cveNotify
GitHub
Stored XSS on 'Create/Edit External Wiki' in TikiWiki version 27.0 · Issue #9 · r0ck3t1973/xss_payload
Hi, Download and install cms TikiWiki version 27.0 Login into panel click a Settings -> External Wikis (/tiki-27.0/tiki-admin_external_wikis.php) insert payload in description: Name and Index &l...
🚨 CVE-2024-51509
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
🎖@cveNotify
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
🎖@cveNotify
GitHub
Stored XSS on "Modules" in TikiWiki version 27.0 · Issue #10 · r0ck3t1973/xss_payload
Hi, Download and install cms TikiWiki version 27.0 Login into panel click a Settings -> Modules (/ttiki-27.0/tiki-admin_modules.php) insert payload in description: Name of Module <a href=&quo...
🚨 CVE-2024-10419
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /bloodrequest.php. The manipulation of the argument msg leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /bloodrequest.php. The manipulation of the argument msg leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
🚨 CVE-2024-10420
A vulnerability classified as critical has been found in SourceCodester Attendance and Payroll System 1.0. This affects the function upload of the file /marimar/guest/update.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability classified as critical has been found in SourceCodester Attendance and Payroll System 1.0. This affects the function upload of the file /marimar/guest/update.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
🚨 CVE-2024-10421
A vulnerability classified as critical was found in SourceCodester Attendance and Payroll System 1.0. This vulnerability affects unknown code of the file /admin/overtime_row.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability classified as critical was found in SourceCodester Attendance and Payroll System 1.0. This vulnerability affects unknown code of the file /admin/overtime_row.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
🚨 CVE-2024-10422
A vulnerability, which was classified as critical, has been found in SourceCodester Attendance and Payroll System 1.0. This issue affects some unknown processing of the file /admin/overtime_add.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability, which was classified as critical, has been found in SourceCodester Attendance and Payroll System 1.0. This issue affects some unknown processing of the file /admin/overtime_add.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
🚨 CVE-2024-10423
A vulnerability, which was classified as critical, was found in Project Worlds Student Project Allocation System 1.0. Affected is an unknown function of the file /student/project_selection/project_selection.php of the component Project Selection Page. The manipulation of the argument project_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability, which was classified as critical, was found in Project Worlds Student Project Allocation System 1.0. Affected is an unknown function of the file /student/project_selection/project_selection.php of the component Project Selection Page. The manipulation of the argument project_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
CVE/phpgurukul_student_project_allocation_system_add_project_sqli.md at main · jadu101/CVE
Contribute to jadu101/CVE development by creating an account on GitHub.
🚨 CVE-2024-10418
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /file/infoAdd.php. The manipulation of the argument bg leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /file/infoAdd.php. The manipulation of the argument bg leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
👍1
🚨 CVE-2024-10424
A vulnerability has been found in Project Worlds Student Project Allocation System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /student/project_selection/remove_project.php of the component Project Selection Page. The manipulation of the argument no leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability has been found in Project Worlds Student Project Allocation System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /student/project_selection/remove_project.php of the component Project Selection Page. The manipulation of the argument no leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
CVE/phpgurukul_student_project_allocation_system_remove_project_sqli.md at main · jadu101/CVE
Contribute to jadu101/CVE development by creating an account on GitHub.
🚨 CVE-2024-10425
A vulnerability was found in Project Worlds Student Project Allocation System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /student/project_selection/move_up_project.php of the component Project Selection Page. The manipulation of the argument up leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability was found in Project Worlds Student Project Allocation System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /student/project_selection/move_up_project.php of the component Project Selection Page. The manipulation of the argument up leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
CVE/phpgurukul_student_project_allocation_system_move_up_project_sqli.md at main · jadu101/CVE
Contribute to jadu101/CVE development by creating an account on GitHub.
🚨 CVE-2024-10477
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability classified as problematic was found in LinZhaoguan pb-cms up to 2.0.1. This vulnerability affects unknown code of the file /admin#permissions of the component Permission Management Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
Gitee
LinZhaoguan/pb-cms
瀑布内容管理系统,采用SpringBoot + Apache Shiro + Mybatis Plus + Thymeleaf 实现的内容管理系统(附带权限管理),是搭建博客、网站的不二之选。致力于开发最精简、实用的CMS管理系统,适合搭建博客、企业网站等,持续开发中。
🚨 CVE-2024-10478
A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms up to 2.0.1. This issue affects some unknown processing of the file /admin#article/edit?id=2 of the component Edit Article Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
Gitee
LinZhaoguan/pb-cms: 瀑布内容管理系统,采用SpringBoot + Apache Shiro + Mybatis Plus + Thymeleaf 实现的内容管理系统(附带权限管理),是搭建博客、网站的不二之选。致力于开发最精简、实…
🚨 CVE-2024-45656
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP.
🎖@cveNotify
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP.
🎖@cveNotify
Ibm
Security Bulletin: This Power System update is being released to address CVE-2024-45656
IBM Flexible Service Processor (FSP) has static credentials which may allow network users to gain service privileges to the FSP.
🚨 CVE-2024-10000
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
🚨 CVE-2024-10008
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.
🎖@cveNotify
The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.
🎖@cveNotify
🚨 CVE-2024-37672
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.
🎖@cveNotify
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.
🎖@cveNotify
Tessi International
Gestion électronique des documents
Découvrez la solution GED/Workflow de Tessi. Gagnez en productivité jusqu'à 30-40% avec notre gestion électronique des documents.
🚨 CVE-2024-10048
The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
🎖@cveNotify
The Post Status Notifier Lite and Premium plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
🎖@cveNotify
🚨 CVE-2024-22066
There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 intelligent multi service router . An authenticated attacker could use the vulnerability to obtain sensitive information about the device.
🎖@cveNotify
There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V2 intelligent multi service router . An authenticated attacker could use the vulnerability to obtain sensitive information about the device.
🎖@cveNotify
🚨 CVE-2024-45477
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
🎖@cveNotify
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
🎖@cveNotify