| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Luocms v2.0 is affected by Cross Site Scripting (XSS) in /admin/news/sort_add.php and /inc/function.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/news/news_ok.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/news/sort_ok.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/link/link_ok.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/link/link_mod.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/news/sort_mod.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/news/news_mod.php. |
| Luocms v2.0 is affected by SQL Injection in /admin/manager/admin_mod.php. An attacker can obtain sensitive information through SQL injection statements. |
| Luocms v2.0 is affected by SQL Injection through /admin/login.php. An attacker can log in to the background through SQL injection statements. |
| Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP (or WebSocket) request to the socket listened by the afb-daemon process. No credentials nor user interactions are required. |
| In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address. |
| A stored cross-site scripting (XSS) vulnerability in the Add Link function of BackdropCMS v1.21.1 allows attackers to execute arbitrary web scripts or HTML. |
| Burden v3.0 was discovered to contain a stored cross-site scripting (XSS) in the Add Category function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the task parameter. |
| Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS) vulnerability in the Upload SVG File function. |
| A stored cross-site scripting (XSS) vulnerability in the component core/admin/medias.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML. |
| A stored cross-site scripting (XSS) vulnerability in the component /core/admin/categories.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the content and thumbnail parameters. |
| A stored cross-site scripting (XSS) vulnerability in the component /core/admin/comment.php of PluXml v5.8.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the author parameter. |
| Incorrect access control in Yubico OTP functionality of the YubiKey hardware tokens along with the Yubico OTP validation server. The Yubico OTP supposedly creates hardware bound second factor credentials. When a user reprograms the OTP functionality by "writing" it on a token using the Yubico Personalization Tool, they can then upload the new configuration to Yubicos OTP validation servers. NOTE: the vendor disputes this because there is no way for a YubiKey device to prevent a user from deciding that a secret value, which is imported into the device, should also be stored elsewhere |
| Accounting Journal Management 1.0 is vulnerable to XSS-PHPSESSID-Hijacking. The parameter manage_user from User lists is vulnerable to XSS-Stored and PHPSESSID attacks. The malicious user can attack the system by using the already session which he has from inside and outside of the network. |
| ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software. |
