The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBox) is susceptible to Stored XSS in the Settings Menu inc/class-easyfancybox.php due to improper encoding of arbitrarily submitted settings parameters. This occurs because there is...
In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpublished versions of files are publicly exposed to anyone who can guess their URL. This guess could be highly informed by a basic understanding...
An issue was discovered in CKFinder through 2.6.2.1 and 3.x through 3.5.0. The documentation has misleading information that could lead to a conclusion that the application has a built-in bulletproof content sniffing protection. Date...
An issue was discovered in CKFinder through 2.6.2.1. Improper checks of file names allows remote attackers to upload files without any extension (even if the application was configured to accept files only with a...
A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including 1.17.x, in the way a Kerberos client could crash the KDC by sending one of the RFC 4556 "enctypes". A remote...
In SilverStripe assets 4.0, there is broken access control on files. Date published : 2019-09-26 https://www.silverstripe.org/download/security-releases/CVE-2019-14273 https://forum.silverstripe.org/c/releases
In SilverStripe asset-admin 4.0, there is XSS in file titles managed through the CMS. Date published : 2019-09-26 https://www.silverstripe.org/download/security-releases/CVE-2019-14272 https://forum.silverstripe.org/c/releases
In Honeywell Performance IP Cameras and Performance NVRs, the integrated web server of the affected devices could allow remote attackers to obtain web configuration data in JSON format for IP cameras and NVRs (Network...
In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution. Date published : 2019-09-26 https://www.silverstripe.org/download/security-releases/CVE-2019-12617 https://forum.silverstripe.org/c/releases
Stored Cross-Site Scripting in DotNetNuke (DNN) Version before 9.4.0 allows remote attackers to store and embed the malicious script into the admin notification page. The exploit could be used to perfom any action with...
The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NTSYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from command injection vulnerability. Local users...
CF UAA versions prior to 74.1.0 can request scopes for a client that shouldn’t be allowed by submitting an array of requested scopes. A remote malicious user can escalate their own privileges to any...
CF UAA versions prior to 74.1.0, allow external input to be directly queried against. A remote malicious user with ‘client.write’ and ‘groups.update’ can craft a SCIM query, which leaks information that allows an escalation...
The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NTSYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from a stack based buffer overflow...