An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. Date published : 2018-04-10 https://www.exploit-db.com/exploits/44439/ http://www.iwantacve.cn/index.php/archives/6/
An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists via the nickname field in an admincp.php?app=user&do=save&frame=iPHP request. Date published : 2018-04-10 https://github.com/idreamsoft/iCMS/issues/18
An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request. Date published : 2018-04-10 https://github.com/idreamsoft/iCMS/issues/19
An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists in admincp.php, as demonstrated by adding an article via an app=article&do=save&frame=iPHP request. Date published : 2018-04-10 https://github.com/idreamsoft/iCMS/issues/17
An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path leakage exists via an invalid nickname field that reveals a core/library/weixin.class.php pathname. Date published : 2018-04-10 https://github.com/idreamsoft/iCMS/issues/16
libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary key but found non-name object" cases, allowing remote attackers to cause a denial of service (stack exhaustion), related to the QPDFObjectHandle and QPDF_Dictionary classes, because...
The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using...
Monstra CMS 3.0.4 allows remote attackers to delete files via an admin/index.php?id=filesmanager&delete_dir=./&path=uploads/ request. Date published : 2018-04-10 https://www.exploit-db.com/exploits/44512/ https://github.com/monstra-cms/monstra/issues/434
Monstra CMS 3.0.4 allows remote code execution via an upload_file request for a .zip file, which is automatically extracted and may contain .php files. Date published : 2018-04-10 https://www.exploit-db.com/exploits/44621/ https://github.com/monstra-cms/monstra/issues/433
Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID field on the "Wireless Setting – Basic" screen. Date published : 2018-04-10 https://0day4u.wordpress.com/2018/03/19/coship-rt3052-wireless-router-persistent-cross-site-scripting-xss/
Various administrative application link resources in Atlassian Application Links before version 5.4.4 allow remote attackers with administration rights to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the display...
An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution....
An exploitable information vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An...
An exploitable information disclosure vulnerability exists in the PCX image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure...