CVE-2020-21122
UReport v2.2.9 contains a Server-Side Request Forgery (SSRF) in the designer page which allows attackers to detect intranet device ports. Date published : 2021-09-15 https://github.com/youseries/ureport/issues/483
Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. Date published : 2021-09-15 https://github.com/Kliqqi-CMS/Kliqqi-CMS/issues/259
Cross Site Request Forgery (CSRF) in LaikeTui v3 allows remote attackers to execute arbitrary code via the component ‘/index.php?module=member&action=add’. Date published : 2021-09-15 https://github.com/TL-swallow/swallow/blob/master/laikecsrf
Cross Site Scripting (XSS) in S-CMS build 20191014 and earlier allows remote attackers to execute arbitrary code via the ‘Site Title’ parameter of the component ‘/data/admin/#/app/config/’. Date published : 2021-09-15 https://github.com/TL-swallow/swallow/blob/master/S-CMS%20XSS1.docx
Cross Site Scripting (XSS) in Wenku CMS v3.4 allows remote attackers to execute arbitrary code via the ‘Intro’ parameter for the component ‘/index.php?m=ucenter&a=index’. Date published : 2021-09-15 https://github.com/TL-swallow/swallow/issues/14
Cross Site Scripting (XSS) in Ari Adminer v1 allows remote attackers to execute arbitrary code via the ‘Title’ parameter of the ‘Add New Connections’ component when the ‘save()’ function is called. Date published :...
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information and/or execute arbitrary code via the ‘FileManager.rename()’ function in the component ‘modules/filemanager/FileManagerController.java’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97886
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the ‘FileManager.editFile()’ function in the component ‘modules/filemanager/FileManagerController.java’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97882
Command Injection in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code by uploading a malicious HTML template file via the component ‘jfinal_cms/admin/filemanager/list’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97881
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information or cause a denial of service via the ‘FileManager.delete()’ function in the component ‘modules/filemanager/FileManagerController.java’. Date published : 2021-09-15...
Cross Site Scripting (XSS) in Jfinal CMS v4.7.1 and earlier allows remote attackers to execute arbitrary code via the ‘Nickname’ parameter in the component ‘/jfinal_cms/front/person/profile.html’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97879
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the ‘getFolder()’ function in the component ‘/modules/filemanager/FileManager.java’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97883
Improper Access Control in Jfinal CMS v4.7.1 and earlier allows remote attackers to obtain sensitive information via the ‘TemplatePath’ parameter in the component ‘jfinal_cms/admin/folder/list’. Date published : 2021-09-15 https://www.seebug.org/vuldb/ssvid-97884
The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior (if...