Security
Headlines
HeadlinesLatestCVEs

Tag

#chrome

CVE-2021-43258: ChurchInfo open source church database created with PHP & MySQL! - ChurchInfo open source church database created with PHP & MySQL!

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.

CVE
Open in Source
#sql#web#windows#apache#git#php#rce#auth#chrome#firefox
CVE-2022-44139: bug_report/SQLi-1.md at main · 375978342/bug_report

Apartment Visitor Management System v1.0 is vulnerable to SQL Injection via /avms/index.php.

CVE-2022-43751: Antivirus, VPN, Identity & Privacy Protection | McAfee

McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges.

CVE-2022-45535: AeroCMS-v0.0.1-SQLi update_categories_sql_injection

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the edit parameter at \admin\categories.php. This vulnerability allows attackers to access database information.

CVE-2022-45331: CVE/post_sql_injection.md at master · rdyx0/CVE

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the p_id parameter at \post.php. This vulnerability allows attackers to access database information.

CVE-2022-45536: CVE/post_comments_sql_injection.md at master · rdyx0/CVE

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the id parameter at \admin\post_comments.php. This vulnerability allows attackers to access database information.

This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX. Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an

CVE-2022-42989: CVEs/SankhyaERP_XSS_Account_Takeover.txt at main · 0xLUC4S/CVEs

ERP Sankhya before v4.11b81 was discovered to contain a cross-site scripting (XSS) vulnerability via the component Caixa de Entrada.

CVE-2022-43492: Comments – wpDiscuz

Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress.