Explore Vulnerabilities

Explore all Exploits:

XOOPS Local File Include Vulnerabilities

XOOPS is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

Cross-site scripting vulnerabilities in XOOPS

The XOOPS application fails to properly sanitize user-supplied input, leading to multiple cross-site scripting vulnerabilities. An attacker can exploit these vulnerabilities to execute arbitrary script code in the context of the affected site, potentially stealing authentication credentials and launching further attacks.

MolyX BOARD 2.5.0 Local File Inclusion

This vulnerability allows an attacker to include local files on the server by manipulating the 'lang' parameter in the 'index.php' file. By using a relative path traversal technique, an attacker can access sensitive files such as the '/etc/passwd' file. This vulnerability affects all files within the MolyX BOARD 2.5.0 web application.

AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege

AnyDesk installs as a service with an unquoted service path, running with SYSTEM privileges. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

GoAhead Web server HTTP Header Injection

A host header injection vulnerability in GoAhead web server version 2.5.0 (other versions may also be affected) may allow an attacker to spoof the Host header, causing the server to render arbitrary links pointing to a malicious website in pages generated from the poisoned Host header value. The value of the Host header is implicitly treated as trusted when it should not be, which enables host header injection; affected hosts can also be used for domain fronting, meaning attackers can hide behind them during various other attacks. Note: most embedded web servers on hardware such as switches, routers, IoT devices and IP cameras are affected.

Super Multimedia Library 2.5.0 XSRF Vulnerability (Add Admin)

A Cross-Site Request Forgery (XSRF) vulnerability exists in Super Multimedia Library 2.5.0, which allows an attacker to add an admin user to the system. An attacker can craft a malicious HTML form and submit it to the vulnerable application, which will add the specified user to the system without any authentication.

Tandis CMS Multiple SQL Injection Vulnerabilities

Tandis CMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
