The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an XSS payload from the AppPortal cookie into the page. Date published : 2022-04-28 https://github.com/the-emmons/CVE-Disclosures/blob/main/CVE-2022-29152/CVE-2022-29152.md https://www.ericom.com/powerterm/webconnect-hostview/
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents....
Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable. Date published : 2022-04-28 https://bugs.launchpad.net/mahara/+bug/1930171
Missing authentication for critical function in AssetView prior to Ver.13.2.0 allows a remote unauthenticated attacker with some knowledge on the system configuration to upload a crafted configuration file to the managing server, which may...
WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS). Date published : 2022-04-28 https://github.com/APTX-4879/CVE https://github.com/APTX-4879/CVE/blob/main/CVE-2022-28477..pdf
Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS). Date published : 2022-04-28 Homepage https://github.com/YavuzSahbaz/Limbas-4.3.36.1319-is-vulnerable-to-Cross-Site-Scripting-XSS-
A Server-Side Request Forgery (SSRF) in feed_parser class of Navigate CMS v2.9.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter. Date published...
DSCMS v3.0 was discovered to contain an arbitrary file deletion vulnerability via /controller/Adv.php. Date published : 2022-04-28 https://gitee.com/csdeshang/DSCMS_open/issues/3
A cross-site scripting (XSS) vulnerability in PHP MySQL Admin Panel Generator v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected at /edit-db.php. Date published : 2022-04-28 http://php-mysql-admin-panel-generator.com https://github.com/housamz/php-mysql-admin-panel-generator/issues/19
Turtlapp Turtle Note v0.7.2.6 does not filter the tag during markdown parsing, allowing attackers to execute HTML injection. Date published : 2022-04-28 https://github.com/turtl/tracker/issues/404 https://www.cybercitadel.com/html-injection-turtl/
SQL Injection vulnerability in Victor CMS v1.0, via the user_name parameter to /includes/login.php. Date published : 2022-04-28 https://github.com/JiuBanSec/CVE/blob/main/VictorCMS%20SQL.md https://github.com/JiuBanSec/CVE_LIST/blob/main/CVE-2022-28060/CVE-2022-28060.pdf
Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge’s Footer Text plugin
Lexmark products through 2022-02-10 have Incorrect Access Control. Date published : 2022-04-28 https://lexmark.com https://publications.lexmark.com/publications/security-alerts/CVE-2022-24935.pdf
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file...