Security Headlines - Latest CVEs - Tag: #php

CVE-2022-4169: Vulnerability Advisories Continued - Wordfence

The Theme and plugin translation for Polylang is vulnerable to authorization bypass in versions up to, and including, 3.2.16 due to missing capability checks in the process_polylang_theme_translation_wp_loaded() function. This makes it possible for unauthenticated attackers to update plugin and theme translation settings and to import translation strings.

CVE-2022-44399: bug_report/SQLi-1.md at main · tavenli/bug_report

Poultry Farm Management System v1.0 contains a SQL injection vulnerability via the del parameter at /Redcock-Farm/farm/category.php.

vBulletin 5.5.2 PHP Object Injection

vBulletin versions 5.5.2 and below suffer from an issue where user input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.

Red Hat Security Advisory 2022-8650-01

Red Hat Security Advisory 2022-8650-01 - Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.

CVE-2022-44401: bug_report/RCE-1.md at main · lcg-22266/bug_report

Online Tours & Travels Management System v1.0 contains an arbitrary file upload vulnerability via /tour/admin/file.php.

CVE-2022-44400: bug_report/UPLOAD-1.md at main · lcg-22266/bug_report

Purchase Order Management System v1.0 contains a file upload vulnerability via /purchase_order/admin/?page=system_info.

CVE-2022-3490

The Checkout Field Editor (Checkout Manager) for WooCommerce WordPress plugin before 1.8.0 unserializes user input provided via the settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget is present.

CVE-2022-45225: Book Store Management System 1.0 — Unrestricted input leads to XSS

Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the book_title parameter.

CVE-2022-0698: GitHub - microweber/microweber: Drag and Drop Website Builder and CMS with E-commerce

Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the 'select-file' parameter.

CVE-2022-44859: bug_report/SQLi-2.md at main · thir3een/bug_report

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/admin/products/manage_product.php.