Security
Headlines
HeadlinesLatestCVEs

Tag

#php

GeoServer 2.25.1 Code Injection

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

Packet Storm
Open in Source
#vulnerability#windows#google#js#git#php#auth#firefox
Gambio Online Webshop 4.9.2.0 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

ABB Cylon Aspect 3.08.00 (syslogSwitch.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.php script.

ABB Cylon Aspect 3.08.01 (caldavUtil.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'Footer' HTTP POST parameter called by the caldavUtil.php script.

ABB Cylon Aspect 3.08.00 (setTimeServer.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'timeserver' HTTP POST parameter called by the setTimeServer.php script.

ABB Cylon Aspect 3.08.01 (logYumLookup.php) Unauthenticated File Disclosure

The building management system suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'logFile' GET parameter via the 'logYumLookup.php' script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

ABB Cylon Aspect 3.07.02 Authenticated File Disclosure

ABB Cylon Aspect version 3.07.02 suffers from an authenticated arbitrary file disclosure vulnerability. Input passed through the file GET parameter through the downloadDb.php script is not properly verified before being used to download database files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

MD-Pro 1.0.76 Shell Upload / SQL Injection

MD-Pro version 1.0.76 suffers from remote SQL injection and shell upload vulnerabilities.

GHSA-q898-frwq-f3qp: Minecraft MOTD Parser's HtmlGenerator vulnerable to XSS

### Summary The `HtmlGenerator` class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD. ### Context Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the `description` property of the [Status Response](https://wiki.vg/Server_List_Ping#Status_Response) packet. The [jgniecki/MinecraftMotdParser](https://github.com/jgniecki/MinecraftMotdParser) PHP library is able to parse the value of the `description` property, which can be either a string or an array of text components. By utilizing the aforementioned `HtmlGenerator` class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page. ### Details The `HtmlGenerator` iterates through objects of `MotdItem` that are contained in an...