The User Profile & Membership plugin before 2.0.7 for WordPress has no mitigations implemented against cross site request forgery attacks. This is a structural finding throughout the entire plugin. Date published : 2018-04-23 https://github.com/RiieCco/write-ups/tree/master/CVE-2018-10233...
SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI. Date published : 2018-04-22 https://edricteo.com/kliqqi-cms-sqli-vulnerability-in-version-3.5.2/
Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php. Date published : 2018-04-22 https://edricteo.com/kliqqi-cms-xss-vulnerability-in-version-3.5.2/
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating...
Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content. Date published : 2018-04-22 https://laworigin.github.io/2018/04/22/Discuz-x-portal-Stored-XSS/
Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images. Date published : 2018-04-22 https://laworigin.github.io/2018/04/22/Discuz-x-portal-Stored-XSS/
MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter. Date published : 2018-04-22 https://github.com/bg5sbk/MiniCMS/issues/17
ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account. Date published : 2018-04-22 https://github.com/chemcms/ChemCMS/issues/1
In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file. A remote adversary could leverage this vulnerability to cause a denial of service via a crafted pdf file....
The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. In order...
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication. Date published : 2018-04-22 https://www.exploit-db.com/exploits/44515/ https://gist.github.com/berkgoksel/b8e15cb5742540c6987e9d837d6fa8b1
app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip parameter. Date published : 2018-04-21 https://github.com/phpipam/phpipam/issues/1521 https://github.com/phpipam/phpipam/releases/tag/1.3.1
Adaltech G-Ticket v70 EME104 has SQL Injection via the mobile-loja/mensagem.asp eve_cod parameter. Date published : 2018-04-21 https://lab.insightsecurity.com.br/g-tickets-sql-injection/
CliqueMania loja virtual 14 has SQL Injection via the patch/remote.php id parameter in a recomendar action. Date published : 2018-04-21 https://lab.insightsecurity.com.br/clickmania-0day-sql-injection-2/