The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via the 's' parameter. Improper input sanitization and output escaping allow an attacker with contributor-level permissions or higher to inject arbitrary JavaScript that executes when a user views the affected page.
The MiniCMS version 1.10 is vulnerable to a Cross Site Scripting (XSS) attack. By injecting malicious script code into the 'date' parameter of the 'page.php' script, an attacker can execute arbitrary scripts in the context of the user's browser.
A Cross-Site Scripting (XSS) vulnerability was found in CodeAstro Online Railway Reservation System version 1.0. This vulnerability allows attackers to insert and run malicious JavaScript code in the user's browser session.
The exploit allows an attacker to execute remote code in FoxCMS v.1.2.5. By sending a specially crafted payload to the target, an attacker can run arbitrary commands on the system. This vulnerability is identified as CVE-2025-29306.
A CSRF vulnerability is found in the ABB Cylon FLXeon series. Exploitation is restricted due to the server's CORS configuration, which lacks Access-Control-Allow-Credentials. The exploit conditions include hosting the malicious page on the same domain, Man-in-the-Middle attacks, LAN access, subdomain hosting, and misconfigured CORS policies.
In ProConf version before 6.1, an Insecure Direct Object Reference (IDOR) vulnerability exists. This vulnerability allows any author to access and retrieve all submitted papers including titles, abstracts, and personal information of authors (such as Name, Email, Organization, and Position) by manipulating the Paper ID parameter.
Blood Bank & Donor Management System version 2.4 is vulnerable to CSRF attacks due to the lack of CSRF tokens for essential functions like logout. By creating a malicious iframe with the logout URL, an attacker can deceive a user into clicking it, resulting in the user being logged out without their knowledge.
Gitea version 1.24.0 is susceptible to HTML Injection and potentially Reflected Cross-Site Scripting (XSS) through the 'description' parameter on the user settings page. The lack of proper sanitization of user-supplied HTML content allows malicious scripts to be executed in the user's browser, leading to potential attacks. An attacker can inject malicious HTML or JavaScript code into their profile description, which gets executed when saved, demonstrating the presence of the vulnerability.
The Ethercreative Logs plugin for Craft CMS 3.0.3 allows authenticated users to perform a path traversal attack via the 'Logs' functionality. This vulnerability (CVE-2022-23409) enables an attacker to access arbitrary files on the file system with the permissions of the web service user by manipulating the requested log file.
The exploit allows an attacker to enumerate valid usernames on Webmin Usermin version 2.100. By sending requests to the password change endpoint with different usernames, the attacker can identify existing user accounts based on the server's responses.
Services By CQR