Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-44043: GitHub - Gi0rgi0R/xss_installation_blackcat_cms_1.4.1: XSS in install page in BlackCat CMS 1.4.1

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website footer parameter.

CVE
Open in Source
#xss#vulnerability#web#git#php#auth
CVE-2023-44044: Superstore-sql-poc/SQL at main · TishaManandhar/Superstore-sql-poc

Super Store Finder v3.6 and below was discovered to contain a SQL injection vulnerability via the Search parameter at /admin/stores.php.

CVE-2023-44042: GitHub - Gi0rgi0R/xss_frontend_settings_blackcat_cms_1.4.1: XSS in frontend settings in BlackCat CMS 1.4.1

A stored cross-site scripting (XSS) vulnerability in /settings/index.php of Black Cat CMS 1.4.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website header parameter.

CVE-2023-43830: GitHub - al3zx/xss_financial_subrion_4.2.1: XSS in financial page in Subrion 4.2.1

A Cross-site scripting (XSS) vulnerability in /panel/configuration/financial/ of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: 'Minimum deposit', 'Maximum deposit' and/or 'Maximum balance'.

CVE-2023-43187: CVE/CVE-2023-43187 at main · jagat-singh-chaudhary/CVE

A remote code execution (RCE) vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests.

CVE-2023-4423: WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.37.1 - Authenticated (Admin+) Stored Cross-Site Scripting — Wordfence Intelligence

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.37.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-43825: Shihonkanri Plus vulnerable to relative path traversal

Relative path traversal vulnerability in Shihonkanri Plus Ver9.0.3 and earlier allows a local attacker to execute an arbitrary code by having a legitimate user import a specially crafted backup file of the product..

CVE-2023-43154: GitHub - ally-petitt/CVE-2023-43154-PoC: PoC for the type confusion vulnerability in Mac's CMS that results in authentication bypass and administrator account takeover.

In Macrob7 Macs Framework Content Management System (CMS) 1.1.4f, loose comparison in "isValidLogin()" function during login attempt results in PHP type confusion vulnerability that leads to authentication bypass and takeover of the administrator account.

CVE-2023-42820: perf: 修复随机 error · jumpserver/jumpserver@42337f0

JumpServer is an open source bastion host. This vulnerability is due to exposing the random number seed to the API, potentially allowing the randomly generated verification codes to be replayed, which could lead to password resets. If MFA is enabled users are not affect. Users not using local authentication are also not affected. Users are advised to upgrade to either version 2.28.19 or to 3.6.5. There are no known workarounds or this issue.

CVE-2023-43381: CVE-2023-43381

SQL Injection vulnerability in Tianchoy Blog v.1.8.8 allows a remote attacker to obtain sensitive information via the id parameter in the login.php