Max CVSS: 10.0 | Min CVSS: 1.9 | Total Count: 6644
ID | CVSS | Summary | Last (major) update | Published
CVE-2018-20556 6.5
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id parameter.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-20526 7.5
Roxy Fileman 1.4.5 allows unrestricted file upload in upload.php.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-20525 5.0
Roxy Fileman 1.4.5 allows Directory Traversal in copydir.php, copyfile.php, and fileslist.php.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-18798 7.5
Attendance Monitoring System 1.0 has SQL Injection via the 'id' parameter to student/index.php?view=view, event/index.php?view=view, and user/index.php?view=view.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-18762 4.3
SaltOS 3.1 r8126 contains a database download vulnerability.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-17997 4.3
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2018-17996 5.8
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.
21-03-2019 - 12:00 21-03-2019 - 12:00
CVE-2019-9692 4.0
class.showtime2_image.php in CMS Made Simple (CMSMS) before 2.2.10 does not ensure that a watermark file has a standard image file extension (GIF, JPG, JPEG, or PNG).
11-03-2019 - 14:29 11-03-2019 - 14:29
CVE-2019-9650 4.3
An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.
10-03-2019 - 21:29 10-03-2019 - 21:29
CVE-2019-9625 6.8
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.
07-03-2019 - 10:29 07-03-2019 - 10:29
CVE-2019-9194 7.5
elFinder before 2.1.48 has a command injection vulnerability in the PHP connector.
26-02-2019 - 14:29 26-02-2019 - 14:29
CVE-2019-9184 7.5
SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the product_option[] parameter.
26-02-2019 - 10:29 26-02-2019 - 10:29
CVE-2019-9082 10.0
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
24-02-2019 - 13:29 24-02-2019 - 13:29
CVE-2019-9041 6.5
An issue was discovered in ZZZCMS zzzphp V1.6.1. In the inc/zzz_template.php file, the parserIfLabel() function's filtering is not strict, resulting in PHP code execution, as demonstrated by the if:assert substring.
23-02-2019 - 13:29 23-02-2019 - 13:29
CVE-2014-10079 5.0
In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash.
23-02-2019 - 09:29 23-02-2019 - 09:29
CVE-2014-10078 4.3
Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php.
23-02-2019 - 09:29 23-02-2019 - 09:29
CVE-2019-6340 6.8
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following co
21-02-2019 - 16:29 21-02-2019 - 16:29
CVE-2019-8953 4.3
The HAProxy package before 0.59_16 for pfSense has XSS via the desc (aka Description) or table_actionsaclN parameter, related to haproxy_listeners.php and haproxy_listeners_edit.php.
20-02-2019 - 11:29 20-02-2019 - 11:29
CVE-2019-8943 4.0
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filen
19-02-2019 - 22:29 19-02-2019 - 22:29
CVE-2019-8942 6.5
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can exe
19-02-2019 - 22:29 19-02-2019 - 22:29
CVE-2018-20782 5.0
The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages.
17-02-2019 - 13:29 17-02-2019 - 13:29
CVE-2019-7400 4.3
Rukovoditel before 2.4.1 allows XSS.
05-02-2019 - 01:29 05-02-2019 - 01:29
CVE-2018-19043 5.0
The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file renaming (specifying a "from" and "to" filename) via a ../ directory traversal in the dir parameter of an mrelocator_rename action to the wp-admin/admin-ajax.php URI.
31-01-2019 - 14:29 31-01-2019 - 14:29
CVE-2018-19042 5.0
The Media File Manager plugin 1.4.2 for WordPress allows arbitrary file movement via a ../ directory traversal in the dir_from and dir_to parameters of an mrelocator_move action to the wp-admin/admin-ajax.php URI.
31-01-2019 - 14:29 31-01-2019 - 14:29
CVE-2018-19041 4.3
The Media File Manager plugin 1.4.2 for WordPress allows XSS via the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI.
31-01-2019 - 14:29 31-01-2019 - 14:29
CVE-2018-19040 5.0
The Media File Manager plugin 1.4.2 for WordPress allows directory listing via a ../ directory traversal in the dir parameter of an mrelocator_getdir action to the wp-admin/admin-ajax.php URI.
31-01-2019 - 14:29 31-01-2019 - 14:29
CVE-2018-19782 4.3
Multiple cross-site scripting (XSS) vulnerabilities in GET requests in FreshRSS 1.11.1 allow remote attackers to inject arbitrary web script or HTML via the (1) c parameter or (2) a parameter.
30-01-2019 - 10:29 30-01-2019 - 10:29
CVE-2019-6979 4.3
An issue was discovered in the User IP History Logs (aka IP_History_Logs) plugin 1.0.2 for MyBB. There is XSS via the admin/modules/tools/ip_history_logs.php useragent field.
28-01-2019 - 03:29 28-01-2019 - 03:29
CVE-2019-6780 5.8
The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.
24-01-2019 - 15:29 24-01-2019 - 15:29
CVE-2019-6263 3.5
An issue was discovered in Joomla! before 3.9.2. Inadequate checks of the Global Configuration Text Filter settings allowed stored XSS.
16-01-2019 - 03:29 16-01-2019 - 03:29
CVE-2019-6249 6.8
An issue was discovered in HuCart v5.7.4. There is a CSRF vulnerability that can add an admin account via /adminsys/index.php?load=admins&act=edit_info&act_type=add.
13-01-2019 - 10:29 13-01-2019 - 10:29
CVE-2018-13045 7.5
SQL injection vulnerability in the "Bazar" page in Yeswiki Cercopitheque 2018-06-19-1 and earlier allows attackers to execute arbitrary SQL commands via the "id" parameter.
02-01-2019 - 13:29 02-01-2019 - 13:29
CVE-2019-3501 3.5
The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.
02-01-2019 - 08:29 02-01-2019 - 08:29
CVE-2018-1000888 6.8
PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is ca
28-12-2018 - 11:29 28-12-2018 - 11:29
CVE-2018-19799 4.3
Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexport= XSS.
26-12-2018 - 16:29 26-12-2018 - 16:29
CVE-2018-20448 3.5
Frog CMS 0.9.5 has XSS via the Database name field to the /install/index.php URI.
25-12-2018 - 11:29 25-12-2018 - 11:29
CVE-2018-20418 3.5
index.php?p=admin/actions/entries/save-entry in Craft CMS 3.0.25 allows XSS by saving a new title from the console tab.
23-12-2018 - 23:29 23-12-2018 - 23:29
CVE-2018-1000811 6.5
bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can result in Remote Command Execution. This attack appears to be exploitable via a malicious user who has to upload a craf
20-12-2018 - 10:29 20-12-2018 - 10:29
CVE-2018-19829 5.8
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
18-12-2018 - 17:29 18-12-2018 - 17:29
CVE-2018-19933 4.3
Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.
17-12-2018 - 14:29 17-12-2018 - 14:29
CVE-2018-19828 4.3
Artica Integria IMS 5.0.83 has XSS via the search_string parameter.
17-12-2018 - 14:29 17-12-2018 - 14:29
CVE-2018-18923 7.5
AbiSoft Ticketly 1.0 is affected by multiple SQL Injection vulnerabilities through the parameters name, category_id and description in action/addproject.php; kind_id, priority_id, project_id, status_id and title in action/addticket.php; and kind_id a
13-12-2018 - 14:29 13-12-2018 - 14:29
CVE-2018-20011 3.5
DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Name or Stakeholder field.
10-12-2018 - 04:29 10-12-2018 - 04:29
CVE-2018-20010 3.5
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider-account.php username field.
10-12-2018 - 04:29 10-12-2018 - 04:29
CVE-2018-20009 3.5
DomainMOD 4.11.01 has XSS via the assets/add/ssl-provider.php SSL Provider Name or SSL Provider URL field.
10-12-2018 - 04:29 10-12-2018 - 04:29
CVE-2018-19915 3.5
DomainMOD through 4.11.01 has XSS via the assets/edit/host.php Web Host Name or Web Host URL field.
06-12-2018 - 14:29 06-12-2018 - 14:29
CVE-2018-19914 3.5
DomainMOD through 4.11.01 has XSS via the assets/add/dns.php Profile Name or notes field.
06-12-2018 - 14:29 06-12-2018 - 14:29
CVE-2018-19913 3.5
DomainMOD through 4.11.01 has XSS via the assets/add/registrar-accounts.php UserName, Reseller ID, or notes field.
06-12-2018 - 14:29 06-12-2018 - 14:29
CVE-2018-19908 9.0
An issue was discovered in MISP 2.4.9x before 2.4.99. In app/Model/Event.php (the STIX 1 import code), an unescaped filename string is used to construct a shell command. This vulnerability can be abused by a malicious authenticated user to execute ar
06-12-2018 - 11:29 06-12-2018 - 11:29
CVE-2018-19877 4.3
login.php in Adiscon LogAnalyzer before 4.1.7 has XSS via the Login Button Referer field.
05-12-2018 - 16:29 05-12-2018 - 16:29
CVE-2018-1002009 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in unsubscribe.html.php:3: via GET request to the email
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002008 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4: via GET request offset variabl
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002007 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:15: via POST reque
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002006 3.5
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in integration-contact-form.html.php:14: via POST request variable classes
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002005 3.5
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43: via the filter_signup_date parameter.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002004 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002003 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002002 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002001 3.5
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-1002000 6.5
There is blind SQL injection in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. These vulnerabilities require administrative privileges to exploit. There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST req
03-12-2018 - 11:29 03-12-2018 - 11:29
CVE-2018-15716 9.0
NUUO NVRMini2 version 3.9.1 is vulnerable to authenticated remote command injection. An attacker can send crafted requests to upgrade_handle.php to execute OS commands as root.
30-11-2018 - 15:29 30-11-2018 - 15:29
CVE-2018-19752 3.5
DomainMOD through 4.11.01 has XSS via the assets/add/registrar.php notes field for the Registrar.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19751 3.5
DomainMOD through 4.11.01 has XSS via the admin/ssl-fields/add.php notes field for Custom SSL Fields.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19750 3.5
DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Domain Fields.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19749 3.5
DomainMOD through 4.11.01 has XSS via the assets/add/account-owner.php Owner name field.
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-18619 7.5
internal/advanced_comment_system/admin.php in Advanced Comment System 1.0 is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query, allowing remote attackers to execute th
29-11-2018 - 17:29 29-11-2018 - 17:29
CVE-2018-19458 5.0
In PHP Proxy 3.0.3, any user can read files from the server without authentication due to an index.php?q=file:/// LFI URI, a different vulnerability than CVE-2018-19246.
22-11-2018 - 15:29 22-11-2018 - 15:29
CVE-2018-18774 4.3
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18773 6.8
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18772 6.8
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
20-11-2018 - 14:29 20-11-2018 - 14:29
CVE-2018-18805 7.5
PointOfSales 1.0 allows SQL injection via the login screen, related to LoginForm1.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18804 7.5
Bakeshop Inventory System 1.0 has SQL injection via the login screen, related to include/publicfunction.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18803 7.5
Curriculum Evaluation System 1.0 allows SQL Injection via the login screen, related to frmCourse.vb and includes/user.vb.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18801 7.5
The BSEN Ordering software 1.0 has SQL Injection via student/index.php?view=view&id=[SQL] or index.php?q=single-item&id=[SQL].
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18799 6.8
School Attendance Monitoring System 1.0 has CSRF via event/controller.php?action=photos.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18797 6.8
School Attendance Monitoring System 1.0 has CSRF via /user/user/edit.php.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18795 7.5
School Event Management System 1.0 has SQL Injection via the student/index.php or event/index.php id parameter.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18794 6.8
School Event Management System 1.0 allows CSRF via user/controller.php?action=edit.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18793 7.5
School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18763 7.5
SaltOS 3.1 r8126 allows action=ajax&query=numbers&page=usuarios&action2=[SQL] SQL Injection.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18761 7.5
SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18760 4.3
RhinOS 3.0 build 1190 allows CSRF.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-18755 7.5
K-iwi Framework 1775 has SQL Injection via the admin/user/group/update user_group_id parameter or the admin/user/user/update user_id parameter.
16-11-2018 - 13:29 16-11-2018 - 13:29
CVE-2018-19287 4.3
XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter.
15-11-2018 - 01:29 15-11-2018 - 01:29
CVE-2018-19246 5.0
PHP-Proxy 5.1.0 allows remote attackers to read local files if the default "pre-installed version" (intended for users who lack shell access to their web server) is used. This occurs because the aeb067ca0aa9a3193dce3a7264c90187 app_key value from the
13-11-2018 - 04:29 13-11-2018 - 04:29
CVE-2018-19135 6.8
ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload (enabled by default). This can be used by an attacker to perform actions for an admin (or any user with the file upload capability). With this vulnerability, one can automatic
10-11-2018 - 23:29 10-11-2018 - 23:29
CVE-2018-19136 4.3
DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter.
09-11-2018 - 14:29 09-11-2018 - 14:29
CVE-2018-19126 7.5
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to execute arbitrary code via a file upload.
09-11-2018 - 06:29 09-11-2018 - 06:29
CVE-2018-19125 6.4
PrestaShop 1.6.x before 1.6.1.23 and 1.7.x before 1.7.4.4 allows remote attackers to delete an image directory.
09-11-2018 - 06:29 09-11-2018 - 06:29
CVE-2018-18924 6.5
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image
04-11-2018 - 01:29 04-11-2018 - 01:29
CVE-2018-18548 4.3
ajenticp (aka Ajenti Docker control panel) for Ajenti through v1.2.23.13 has XSS via a filename that is mishandled in File Manager.
24-10-2018 - 17:29 24-10-2018 - 17:29
CVE-2018-18419 3.5
Stored XSS has been discovered in the upload section of ARDAWAN.COM User Management 1.1, as demonstrated by a .jpg filename to the /account URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2018-18417 3.5
In the 3.1 version of Ekushey Project Manager CRM, Stored XSS has been discovered in the input and upload sections, as demonstrated by the name parameter to the index.php/admin/client/create URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2018-18416 3.5
LANGO Codeigniter Multilingual Script 1.0 has XSS in the input and upload sections, as demonstrated by the site_name parameter to the admin/settings/update URI.
19-10-2018 - 18:29 19-10-2018 - 18:29
CVE-2015-4633 7.5
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4632 5.0
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4631 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2015-4630 6.0
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests th
18-10-2018 - 17:29 18-10-2018 - 17:29
CVE-2018-18308 4.3
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
16-10-2018 - 18:29 16-10-2018 - 18:29
CVE-2018-18324 4.3
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor
15-10-2018 - 03:29 15-10-2018 - 03:29
CVE-2018-18323 5.0
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Local File Inclusion via directory traversal with an admin/index.php?module=file_editor&file=/../ URI.
15-10-2018 - 03:29 15-10-2018 - 03:29
CVE-2018-18322 7.5
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fulls