| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. |
| A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. |
| A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector. |
| A security vulnerability has been detected in itsourcecode Payroll Management System 1.0. This vulnerability affects unknown code of the file /manage_employee_deductions.php. Such manipulation of the argument ID leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. |
| A vulnerability was found in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. |
| A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release. |
| A vulnerability has been found in Worksuite HR, CRM and Project Management up to 5.5.25. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| A security flaw has been discovered in LockerProject Locker 0.0.0/0.0.1/0.1.0. Affected is the function authIsAwesome of the file source-code/Locker-master/Ops/registry.js of the component Error Response Handler. The manipulation of the argument ID results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels advanced-woo-labels allows Remote Code Inclusion.This issue affects Advanced Woo Labels: from n/a through <= 2.36. |
| A vulnerability has been found in AutohomeCorp frostmourne up to 1.0. This affects the function scriptEngine.eval of the file ExpressionRule.java of the component Oracle Nashorn JavaScript Engine. Such manipulation of the argument EXPRESSION leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16. |
| A vulnerability was identified in Jcharis Machine-Learning-Web-Apps up to a6996b634d98ccec4701ac8934016e8175b60eb5. The impacted element is the function render_template of the file Machine-Learning-Web-Apps-master/Build-n-Deploy-Flask-App-with-Waypoint/app/app.py of the component Jinja2 Template Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. |
| A security flaw has been discovered in CesiumGS CesiumJS up to 1.137.0. Affected by this issue is some unknown functionality of the file Apps/Sandcastle/standalone.html. The manipulation of the argument c results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor was contacted early about this disclosure but did not respond in any way. According to CVE-2023-48094, "the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product." |
| A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. The manipulation of the argument game_name results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. |
| A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. This manipulation of the argument a_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. |
| A vulnerability was determined in itsourcecode University Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /view_result.php. Executing a manipulation of the argument vr can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. |
| A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by this issue is the function runJSFile of the file source-code/elecV2P-master/webser/wbjs.js of the component jsfile Endpoint. Such manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. |
| The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion.This issue affects JetEngine: from n/a through <= 3.7.2. |
