The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via the 's' parameter. Improper input sanitization and output escaping allow an attacker with contributor-level permissions or higher to inject arbitrary JavaScript that executes when a user views the affected page.
The Hitachi NAS (HNAS) System Management Unit (SMU) version 14.8.7825 and below is prone to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information. This vulnerability has been assigned CVE-2023-6538.
Casdoor version 1.331.0 and below is vulnerable to a CSRF attack in the '/api/set-password' endpoint. This allows an attacker to change a victim user's password by sending a specially crafted URL.
The 'rename', 'remail', 'rphone', and 'rcity' parameters in the 'updateprofile.php' file of Code-Projects Blood Bank V1.0 are vulnerable to Stored Cross-Site Scripting (XSS) due to lack of proper input validation. An attacker can inject malicious scripts into these parameters, and when stored on the server, these scripts may get executed when viewed by other users.
The HTMLy version v2.9.6 is vulnerable to stored XSS. An attacker can inject malicious code into the 'Blog title' field, triggering a cross-site scripting attack. This could lead to unauthorized access to user sessions, defacement of the website, or theft of sensitive information.
Simple Task List version 1.0 is vulnerable to SQL Injection in the 'status' parameter of the addTask.php file. An attacker can exploit this vulnerability to execute malicious SQL queries, potentially leading to unauthorized access and extraction of sensitive data from the database.
WhatsUp Gold 2022 (v.22.1.0 Build 39) is susceptible to a stored cross-site scripting (XSS) attack via the sysName SNMP parameter. An attacker can insert malicious scripts into the admin console by manipulating the SNMP device name. Once saved, the injected code executes in the admin user's context, potentially leading to data theft or unauthorized activities. This exploit can create a Powershell reverse shell connecting to the attacker at intervals.
The vulnerability in SISQUALWFM version 7.1.319.103 allows attackers to manipulate webpage links or redirect users to malicious sites by tampering with the host header. This specifically targets the /sisqualIdentityServer/core endpoint.
The vulnerability in ManageEngine ADManager Plus Build < 7183 allows helpdesk technicians without backup/recovery privileges to view passwords of restored user accounts. This could lead to compromise of user accounts through password spraying attacks in the Active Directory environment. By configuring restore and recycle options in the Recovery Settings, deleted user accounts can be restored with a defined password.
The Hitachi NAS (HNAS) System Management Unit (SMU) before version 14.8.7825.01 is vulnerable to an Insecure Direct Object Reference (IDOR) issue. An attacker can exploit this vulnerability to download arbitrary files from the server. This vulnerability has been assigned CVE-2023-5808.
Services By CQR