Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-3533: Security issues - Chamilo LMS

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#mac#windows#apple#google#js#git#java#wordpress#php#rce#perl#ssrf#pdf#acer#auth#ssh#ibm#sap
CVE-2023-3545: Security issues - Chamilo LMS

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.

CVE-2023-49145: Apache NiFi Security Reports

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

CVE-2023-48188: [CVE-2023-48188] Improper neutralization of SQL parameter in Opart Devis for PrestaShop

SQL injection vulnerability in PrestaShop opartdevis v.4.5.18 thru v.4.6.12 allows a remote attacker to execute arbitrary code via a crafted script to the getModuleTranslation function.

CVE-2023-46349: [CVE-2023-46349] Improper neutralization of SQL parameter in MyPrestaModules - Product Catalog (CSV, Excel) Export/Update module for PrestaShop

In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `productsUpdateModel::getExportIds()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

CVE-2023-49030: vulnerability/32ns-KLive-SQL-user.php.md at main · Chiaki2333/vulnerability

SQL Injection vulnerability in32ns KLive v.2019-1-19 and before allows a remote attacker to obtain sensitive information via a crafted script to the web/user.php component.

General Electric Probes Security Breach as Hackers Sell DARPA-Related Access

By Waqas According to the threat actor, the data includes "a lot of DARPA-related military information." This is a post from HackRead.com Read the original post: General Electric Probes Security Breach as Hackers Sell DARPA-Related Access

CVE-2023-49029: GitHub - smpn1smg/absis: Sistem Akademik K13/KTSP Berbasis Web

Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file.

osCommerce 4 Cross Site Scripting

osCommerce version 4 suffers from a cross site scripting vulnerability.

Gentoo Linux Security Advisory 202311-17

Gentoo Linux Security Advisory 202311-17 - Multiple vulnerabilities have been discovered in phpMyAdmin, the worst of which allows for denial of service. Versions greater than or equal to 5.2.0 are affected.