Tag
#php
OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function.
A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
A stored cross-site scripting (XSS) vulnerability in the Configuration/Holidays module of Rukovoditel v3.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha.
OcoMon 4.0RC1 is vulnerable to Incorrect Access Control. Through a request the user can obtain the real email; by sending the same request with the correct email, it is possible to take over the account.
Open Source SACCO Management System v1.0 is vulnerable to SQL injection via /sacco_shield/manage_loan.php.
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
### TL;DR

This vulnerability only affects you if you are using the `code` or `password-reset` auth method with the `auth.methods` option. It can only be successfully exploited under server configuration conditions outside of the attacker's control.

----

### Introduction

User enumeration is a type of vulnerability that allows attackers to confirm which users are registered in a Kirby installation. This information can be abused for social engineering attacks against users of the site or to find out the organizational structure of the company. User enumeration attacks are performed by entering an existing and a non-existing user into the email address field of the login form. If the system returns a different response or behaves differently depending on whether the user exists, the attacker can enter unknown email addresses and use the different behavior as a clue for the (non-)existing user.

### Impact

Under normal circumstances, entering an invalid email address results in a "fa...
In Lavalite 9.0.0, the XSRF-TOKEN cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.