Flightio.com suffers from a remote SQL injection vulnerability. The researchers reporting this claimed the site has not responded to their reports so we are posting this to add visibility to the issue.
287e946136487edac1a8bcbedb409990ac26461ab1f6840438934159773b37daWordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.
8c7f57a620a7f2e630146822105069ce7c8d705a9661a1a56006b6c19ee5ae88Daily Expense Manager version 1.0 suffers from a remote SQL injection vulnerability.
3036d5c35514225ac7efd5fae884b642a5c6e16478440cce60456af20f3c8957Open Source Medicine Ordering System version 1.0 suffers from a remote SQL Injection vulnerability.
ddcd59d819ea5c59b6d5493517cad43c4bfefe50707cf9b222d8705aea3e670bZenML allows for remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. This is the proof of concept exploit. All ZenML versions below 0.46.7 are vulnerable, with the exception being patched versions 0.44.4, 0.43.1, and 0.42.2.
3c2c8e3882d5e4c0257dbb5b27f3d5dfe82d1a0ce0a5f485af9c54a883d48594Invision Community versions 4.7.16 and below suffer from a remote code execution vulnerability in toolbar.php.
79e57c6d95c397c23ce4c4203e72406e2900a93befed691fbc0ae540ed7a9cf4Invision Community versions 4.4.0 through 4.7.15 suffer from a remote SQL injection vulnerability in store.php.
f3e99d07ab1ab0d469a1a39ceb456ac6dc86fdcbd9071ad8690ce38ecca5a7ffOpen eShop version 2.7.0 suffers from a cross site scripting vulnerability.
ffc1ccc2b126ca15fb375709398eeafd3eb66b2b5e4657e3a0744439ad777b8cHTMLy version 2.9.6 suffers from a persistent cross site scripting vulnerability.
7c364eb28a81f6893bdac09aa21445e515fda3d2ede1335da9224b08d6224934UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.
4add65ea93ae55c77a16552103ce0483201e157f530ea8a0e1e38f32c5d69671Trojan.Win32.Razy.abc malware suffers from an insecure permissions vulnerability.
f42f962b787317ec42e0f8896a6024f38f8e96776bcebf7c0600a7ee39d21c1fAnyDesk version 7.0.15 suffers from an unquoted service path vulnerability.
1235bdf38715b85c279dda71fade5447c43a019867ab310c382db75e713ca4e1PowerVR has an issue where DevmemIntUnexportCtx destroys export before unlinking it, leading to a use-after-free condition.
6f9202099fe090be7419d76b62ea9327f8db8be77898b1207baaaa4a3a3cd10eAuthenticated attackers can exploit a weakness in the XML parser functionality of the Visual Planning application in order to obtain read access to arbitrary files on the application server. Depending on configured access permissions, this vulnerability could be used by an attacker to exfiltrate secrets stored on the local file system. All versions prior to Visual Planning 8 (Build 240207) are affected.
bdf19a1c93a8a216cff1545664827634a9baef8a83c8ebb7ba571f139ed08b7aUnauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.
317fc4e9931be1f5637f8b1a9a92f3305f2b80aa897d807f8b7b94af2fd3c671A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.
c55674b96230c64cac5bca2736c46d82917b5d83954b7346ec654295bd66eda4Feng Office version 3.10.8.21 suffers from a persistent cross site scripting vulnerability.
ad3a7614cba9fce96ba0ef2c4100acb2e516bae93834f646720f56ca266fd5e3DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.
c59f5b4f5d044eb7838a408a25e1ddb8966666ed55c708660903f015ccf7e1b5DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/award.inc.
635f60dcea426f833c149bf378a0e8ce1585c3548641f81eb1702cf39c8c50deDerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.
4d58e0287f76d2e5689e86c7f6907829d0e768e9a60e0f2ac317c9153ee4e3b6DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.
33a3298bf5768c9f7a9fcd2deaa459729d65f2eb60c8601a0d2dd30561151395DerbyNet version 9.0 suffers from a cross site scripting vulnerability in racer-results.php.
e1f0ec83ec56b1d3ebff89be4223a47e4c6caea8be38185b375b827447078473DerbyNet version 9.0 suffers from a cross site scripting vulnerability in inc/kiosks.inc.
74c4544a3c0353807fe286b034266f311ce4af6f554209e73f1d797e5fbff5ccDerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.
e33a05805911bcd786fdff15a7d4ac31f136e43e12a0f9ec5b25c0db38d7fe3eDerbyNet version 9.0 suffers from a cross site scripting vulnerability in checkin.php.
8f9e6fd28f6cfe91749cb218425046ee910787a3a9fd05dafed94fca09da5a72
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed