CVE-2018-14970
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/slideshow.php has XSS. Date published : 2018-08-06 https://github.com/AvaterXXX/QCMS/blob/master/README.md
An issue was discovered in QCMS 3.0.1. upload/System/Controller/backend/system.php has XSS. Date published : 2018-08-06 https://github.com/AvaterXXX/QCMS/blob/master/README.md
An issue was discovered in EMLsoft 5.4.5. uploademlactionaction.address.php has SQL Injection via the numPerPage parameter. Date published : 2018-08-06 https://github.com/AvaterXXX/emlsoft/blob/master/README.md
An issue was discovered in EMLsoft 5.4.5. uploademlactionaction.user.php has SQL Injection via the numPerPage parameter. Date published : 2018-08-06 https://github.com/AvaterXXX/emlsoft/blob/master/README.md
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=user&do=add page allows CSRF. Date published : 2018-08-06 https://github.com/AvaterXXX/emlsoft/blob/master/README.md
An issue was discovered in EMLsoft 5.4.5. The eml/upload/eml/?action=address&do=add page allows CSRF. Date published : 2018-08-06 https://github.com/AvaterXXX/emlsoft/blob/master/README.md
An issue was discovered in EMLsoft 5.4.5. XSS exists via the eml/upload/eml/?action=address&do=edit page. Date published : 2018-08-06 https://github.com/AvaterXXX/emlsoft/blob/master/README.md
zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. Date published : 2018-08-06 https://github.com/AvaterXXX/ZZCMS/blob/master/README.md
zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php. Date published : 2018-08-06 https://github.com/AvaterXXX/ZZCMS/blob/master/README.md
dl/dl_sendmail.php in zzcms 8.3 has SQL Injection via the sql parameter. Date published : 2018-08-06 https://blog.csdn.net/weixin_42813492/article/details/81240523 https://github.com/AvaterXXX/ZZCMS/blob/master/README.md
Xiao5uCompany 1.7 has CSRF via admin/Admin.asp. Date published : 2018-08-06 http://blog.whiterabbitxyj.com/cve/Xiao5uCompany_1.7_csrf.doc https://github.com/WhiteRabbitc/WhiteRabbitc.github.io/blob/master/cve/Xiao5uCompany_1.7_csrf.doc
PHP Template Store Script 3.0.6 allows XSS via the Address line 1, Address Line 2, Bank name, or A/C Holder name field in a profile. Date published : 2018-08-06 https://www.exploit-db.com/exploits/45143/ https://googlequeens.com/2018/08/03/cve-2018-14869-php-template-store-script-3-0-6-stored-xss-vulnerability/
Unrestricted file upload (with remote code execution) in require/mail/NotificationMail.php in Webconsole in OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file...
A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don’t match any elements incorrectly generate the canonicalUrl, and can lead to execution of...