| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via the Nest library module. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting (XSS) at various locations. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to exposed CORBA management services, arbitrary system commands can be executed on the server. |
| Certain HP ENVY, OfficeJet, and DeskJet printers may be vulnerable to a Denial of Service attack. |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). |
| A stored cross-site scripting (XSS) vulnerability in the Add function of Eramba GRC Software c2.8.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the KPI Title text field. |
| EyouCMS V1.5.9-UTF8-SP1 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Top Up Balance component under the Edit Member module. |
| Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to perform directory traversal and download arbitrary files via a crafted web request. |
| A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name of an uploaded file. |
| SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php. |
| An arbitrary file upload vulnerability in the /attachments component of Hoosk v1.8 allows attackers to execute arbitrary code via a crafted PHP file. |
| Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php. |
