An arbitrary file deletion vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability gave attackers the ability to send a crafted request to /lib/ajaxHandlers/ajaxDeleteAllLoggingFiles.php by specifying a path in the path parameter...
A server-side request forgery (SSRF) vulnerability in rConfig 3.9.5 has been fixed for 3.9.6. This vulnerability allowed remote authenticated attackers to open a connection to the machine via the deviceIpAddr and connPort parameters. Date...
A stored cross-site scripting (XSS) vulnerability in the /devices.php function in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote attackers to execute arbitrary JavaScript by entering a crafted payload into...
An information disclosure vulnerability in rConfig 3.9.5 has been fixed for version 3.9.6. This vulnerability allowed remote authenticated attackers to read files on the system via a crafted request sent to the /lib/crud/configcompare.crud.php...
A cross-site request forgery (CSRF) vulnerability in the configure.html component of Ponzu 0.11.0 allows attackers to change user and administrator credentials, and add or delete administrator accounts. Date published : 2021-08-20 https://github.com/ponzu-cms/ponzu/issues/352
Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component ‘admin/upload_file_do.php’. Date published : 2021-08-20 https://github.com/gaozhifeng/PHPMyWind/issues/5
Command Injection in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the "text color" field of the component ‘/admin/web_config.php’. Date published : 2021-08-20 https://github.com/gaozhifeng/PHPMyWind/issues/4
Unrestricted File Upload in Bludit v3.8.1 allows remote attackers to execute arbitrary code by uploading malicious files via the component ‘bl-kereln/ajax/upload-logo.php’. Date published : 2021-08-20 https://github.com/bludit/bludit/issues/1011
Directory Traversal in Skycaiji v1.3 allows remote attackers to obtain sensitive information via the component ‘index.php?m=admin&c=Tool&a=log&file=D%3A%5CphpStudy%5CWWW%5Cindex.php’. Date published : 2021-08-20 https://github.com/zorlan/skycaiji/issues/13
SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the ‘flag’ parameter in the component ‘/coreframe/app/order/admin/index.php’. Date published : 2021-08-20 https://github.com/wuzhicms/wuzhicms/issues/175
In XeroSecurity Sn1per 9.0 (free version), insecure directory permissions (0777) are set during installation, allowing an unprivileged user to modify the main application and the application configuration file. This results in arbitrary code execution...
In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root...
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not...