Cybozu Garoon 3.5.0 to 4.6.1 allows remote authenticated attackers to bypass access restriction to view the closed title of "Cabinet" via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/10056 http://jvn.jp/en/jp/JVN65268217/index.html
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.6.0 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/10058 http://jvn.jp/en/jp/JVN65268217/index.html
Cybozu Garoon 4.0.0 to 4.6.0 allows remote authenticated attackers to bypass access restriction to view the closed title of "Space" via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/9886 http://jvn.jp/en/jp/JVN65268217/index.html
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to alter setting data of session authentication via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/9375 http://jvn.jp/en/jp/JVN65268217/index.html
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to alter setting data of the Standard database via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/9378 http://jvn.jp/en/jp/JVN65268217/index.html
Cybozu Garoon 3.0.0 to 4.2.6 allows remote authenticated attackers to bypass access restriction to view or alter an access privilege of a folder and/or notification settings via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/9349...
SQL injection vulnerability in the Cybozu Garoon 3.5.0 to 4.2.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. Date published : 2018-04-16 https://support.cybozu.com/ja-jp/article/9326 http://jvn.jp/en/jp/JVN65268217/index.html
Z-BlogPHP 1.5.1 has XSS via the zb_users/plugin/AppCentre/plugin_edit.php app_id parameter. The component must be accessed directly by an administrator, or through CSRF. Date published : 2018-04-15 https://xz.aliyun.com/t/2277
The plugin upload component in Z-BlogPHP 1.5.1 allows remote attackers to execute arbitrary PHP code via the app_id parameter to zb_users/plugin/AppCentre/plugin_edit.php because of an unanchored regular expression, a different vulnerability than CVE-2018-8893. The component...
QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka chanzhieps) pro1.6 allows remote attackers to read arbitrary files via directory traversal sequences in the pathname parameter to www/file.php. Date published : 2018-04-15 https://github.com/goodrain-apps/chanzhieps/issues/1
plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has access to the editor role, and enters the payload in the title section of an admin/index.php?id=pages&action=edit_page&name=error404 (aka Edit 404 page)...
The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write...
sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or...
Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php. Date published : 2018-04-15 https://www.exploit-db.com/exploits/44855/ https://github.com/monstra-cms/monstra/issues/436