CVE-2018-20782
The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages. Date published : 2019-02-17 https://www.exploit-db.com/exploits/46414/ https://github.com/GloBee-Official/woocommerce-payment-api-plugin/issues/3
imcat 4.5 has Stored XSS via the root/run/adm.php fm[instop][note] parameter. Date published : 2019-02-17 https://github.com/peacexie/imcat/issues/1
admin/default.php in PHPMyWind v5.5 has XSS via an HTTP Host header. Date published : 2019-02-17 https://github.com/gaozhifeng/PHPMyWind/issues/3
In CmsEasy 7.0, there is XSS via the ckplayer.php autoplay parameter. Date published : 2019-02-17 https://github.com/fakerrr/CmsEasy_7.0/issues/2
JTBC(PHP) 3.0.1.8 allows Arbitrary File Upload via the console/#/console/file/manage.php?type=list URI, as demonstrated by a .php file. Date published : 2019-02-17 https://github.com/jetiben/jtbc/issues/6
In CmsEasy 7.0, there is XSS via the ckplayer.php url parameter. Date published : 2019-02-17 https://github.com/fakerrr/CmsEasy_7.0/issues/1
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-393-sql-injection https://www.seebug.org/vuldb/ssvid-97762
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewscontrolphp-line-35-second-order-sqli https://www.seebug.org/vuldb/ssvid-97765
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#includesfunctionsphp-daemoncontrol-command-injection
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewscontrolcapphp-reflected-xss https://www.seebug.org/vuldb/ssvid-97766
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#sql-query-error-reflected-xss https://www.seebug.org/vuldb/ssvid-97764
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-276-orderby-sql-injection https://www.seebug.org/vuldb/ssvid-97763
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. Date published : 2019-02-17 https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewseventsphp-line-44-sql-injection https://www.seebug.org/vuldb/ssvid-97761
A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the description parameter in apps\admin\controller\content\ContentController.php. Date published : 2019-02-17 https://github.com/wowwooo/vnotes/blob/master/PbootCMS%20SQL%20Injection%20Description.md