CVE-2022-28523
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete. Date published : 2022-04-26 https://github.com/Neeke/HongCMS/issues/17
ZCMS v20170206 was discovered to contain a stored cross-site scripting (XSS) vulnerability via index.php?m=home&c=message&a=add. Date published : 2022-04-26 https://github.com/jorycn/thinkphp-zcms/issues/5 https://github.com/zhendezuile/bug_report/blob/main/zcms
ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config. Date published : 2022-04-26 https://github.com/jorycn/thinkphp-zcms/issues/4 https://github.com/zhendezuile/bug_report/blob/main/zcms%EF%BC%9Aphp%20file%20inclusion
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter (forums) when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client's browser. Date published...
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). In the "Apply for vendor account" feature, an attacker can upload an arbitrary file to the system. Date published : 2022-04-26 https://github.com/nopSolutions/nopCommerce/issues/6192
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker (role customer) can inject JavaScript code into the First name or Last name field at Customer Info. Date published : 2022-04-26 https://github.com/nopSolutions/nopCommerce/issues/6191
An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor...
A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS). Date published : 2022-04-26 https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348...
Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via backenddatabase_controller.php. Date published : 2022-04-26 https://github.com/Verytops/verydows/issues/21 https://github.com/zhendezuile/bug_report/blob/main/bug_d
Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via backendfile_controller.php. Date published : 2022-04-26 https://github.com/Verytops/verydows/issues/20 https://github.com/zhendezuile/bug_report/blob/main/bug_c
Foundry Issues service versions 2.244.0 to 2.249.0 were found to be logging in a manner that captured sensitive information (session tokens). This issue was fixed in 2.249.1. Date published : 2022-04-26 https://github.com/palantir/security-bulletins/blob/main/PLTRSEC-2022-01.md
Stored Cross-Site Scripting (XSS) vulnerability in Alexander Ustimenko’s Psychological tests & quizzes plugin
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication. This vulnerability can allow attackers to execute phishing attacks or cause a Denial of Service...
An access control issue in Zammad v5.0.3 broadcasts administrative configuration changes to all users who have an active application instance, including settings that should only be visible to authenticated users. Date published : 2022-04-26...