Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-47446: PHPGrukul-Pre-School-Enrollment-System-v1.0/CVE-2023-47446 PHPGurukul-Pre-School-Enrollment-System-v1.0 Stored XSS Vulnerability.md at main · termanix/PHPGrukul-Pre-School-Enrollment-System-v1.0

Pre-School Enrollment version 1.0 is vulnerable to Cross Site Scripting (XSS) on the profile.php page via fullname parameter.

CVE
Open in Source
#xss#vulnerability#git#php
CVE-2023-41597: EyouCms v1.6.2 存在反射型XSS漏洞 · Issue #238 · emlog/emlog

EyouCms v1.6.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /admin/twitter.php?active_t.

CVE-2023-40923: [CVE-2023-40923] Improper neutralization of an SQL parameter in MyPrestaModules - Orders (CSV, Excel) Export PRO module for PrestaShop

MyPrestaModules ordersexport before v5.0 was discovered to contain multiple SQL injection vulnerabilities at send.php via the key and save_setting parameters.

CVE-2023-47309: [CVE-2023-47309] Improper Neutralization of Input During Web Page Generation in Nukium - NKM GLS module for PrestaShop

Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripting (XSS) via NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile.

CVE-2023-43979: [CVE-2023-43979] Improper neutralization of SQL parameter in PrestaHero (ETS Soft) - BLOG - Drive High Traffic & Boost SEO module for PrestaShop

ETS Soft ybc_blog before v4.4.0 was discovered to contain a SQL injection vulnerability via the component Ybc_blogBlogModuleFrontController::getPosts().

GHSA-2r53-9295-3m86: Statamic CMS vulnerable to remote code execution via form uploads

### Impact Similar to [another advisory](https://github.com/statamic/cms/security/advisories/GHSA-72hg-5wr5-rmfc), certain additional PHP files crafted to look like images may be uploaded regardless of mime type validation rules. This affects front-end forms using the "Forms" feature, and asset upload fields in the control panel. ### Patches It has been patched in 3.4.14 and 4.34.0.

GHSA-mw2w-2hj2-fg8q: yiisoft/yii deserializing untrusted user input can lead to remote code execution

### Impact Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. ### Patches Upgrade `yiisoft/yii` to version 1.1.29 or higher. ### For more information See the following links for more details: - [Git commit](https://github.com/yiisoft/yii/commit/37142be4dc5831114a375392e86d6450d4951c06) - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

CVE-2023-47524: WordPress CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability (requires PHP 8.x) in CodeBard CodeBard's Patron Button and Widgets for Patreon plugin <= 2.1.9 versions.

CVE-2023-46581: Code-Projects-Inventory-Management-1.0/CVE-2023-46581-Code-Projects-Inventory-Management-1.0-SQL-Injection-Vulnerability.md at main · ersinerenler/Code-Projects-Inventory-Management-1.0

SQL injection vulnerability in Inventory Management v.1.0 allows a local attacker to execute arbitrary code via the name, uname and email parameters in the registration.php component.