A Cross-Site Scripting (XSS) vulnerability was found in Sitefinity CMS versions prior to 15.0.0. The vulnerability exists in all features using SF-Editor in the backend of the CMS. An attacker with lower privileges can insert malicious XSS payloads in the content form, which will be executed when a user with higher privileges, the victim, views the affected page.
Craft CMS Logs Plugin version 3.0.3 allows an authenticated attacker to perform path traversal by exploiting a lack of proper validation in the log file reading functionality. This can lead to the unauthorized access of arbitrary files on the underlying file system with the permissions of the web service user. This has been assigned CVE-2022-23409.
The script aims to exploit a vulnerability in a cluster manager by searching for a specific 'Alias' parameter in the href attribute of HTML links. If the parameter is found, the script proceeds with the exploitation process. It utilizes BeautifulSoup for parsing HTML content and requests library for making HTTP requests. The vulnerability can potentially lead to information disclosure.
The Hitachi NAS (HNAS) System Management Unit (SMU) version 14.8.7825 and below is prone to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information. This vulnerability has been assigned CVE-2023-6538.
A Stored Cross-Site Scripting (XSS) vulnerability exists in WordPress File Upload plugin version 4.23.3 and prior. By inserting a malicious shortcode in a post, an attacker can trigger an XSS attack when a file is uploaded, leading to potential script execution in the victim's browser. This vulnerability has been assigned CVE-2023-4811.
Casdoor version 1.331.0 and below is vulnerable to a CSRF attack in the '/api/set-password' endpoint. This allows an attacker to change a victim user's password by sending a specially crafted URL.
The 'rename', 'remail', 'rphone', and 'rcity' parameters in the 'updateprofile.php' file of Code-Projects Blood Bank V1.0 are vulnerable to Stored Cross-Site Scripting (XSS) due to lack of proper input validation. An attacker can inject malicious scripts into these parameters, and when stored on the server, these scripts may get executed when viewed by other users.
In TYPO3 11.5.24, there exists a path traversal vulnerability in the filelist component. Attackers, with access to the administrator panel, can exploit this vulnerability to read arbitrary files by using directory traversal via the baseuri field. An authenticated attacker can manipulate the base URI by sending a crafted POST request to /typo3/record/edit with specific parameters, ultimately allowing them to access sensitive files on the server.
The HTMLy version v2.9.6 is vulnerable to stored XSS. An attacker can inject malicious code into the 'Blog title' field, triggering a cross-site scripting attack. This could lead to unauthorized access to user sessions, defacement of the website, or theft of sensitive information.
Simple Task List version 1.0 is vulnerable to SQL Injection in the 'status' parameter of the addTask.php file. An attacker can exploit this vulnerability to execute malicious SQL queries, potentially leading to unauthorized access and extraction of sensitive data from the database.