CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1302 – SourceCodester File Tracker Manager System borrow1.php cross site scripting
https://notcve.org/view.php?id=CVE-2023-1302
09 Mar 2023 — A vulnerability, which was classified as problematic, was found in SourceCodester File Tracker Manager System 1.0. This affects an unknown part of the file normal/borrow1.php. The manipulation of the argument id with the input 1"><script>alert(1111)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/godownio/bug_report/blob/main/vendors/hemedy99/File%20Tracker%20Manager%20System/XSS-1.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1294 – SourceCodester File Tracker Manager System POST Parameter login.php sql injection
https://notcve.org/view.php?id=CVE-2023-1294
09 Mar 2023 — A vulnerability was found in SourceCodester File Tracker Manager System 1.0. It has been classified as critical. Affected is an unknown function of the file /file_manager/login.php of the component POST Parameter Handler. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. • https://github.com/godownio/bug_report/blob/main/vendors/hemedy99/File%20Tracker%20Manager%20System/SQLi-1.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25781 – WordPress Upload File Type Settings Plugin Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25781
15 Feb 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sebastian Krysmanski Upload File Type Settings plugin <= 1.1 versions. The Upload File Type Settings Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute wh... • https://patchstack.com/database/vulnerability/upload-file-type-settings-plugin/wordpress-upload-file-type-settings-plugin-plugin-1-1-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4764 – Simple File Downloader <= 1.0.4 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4764
05 Jan 2023 — The Simple File Downloader WordPress plugin through 1.0.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The Simple File Downloader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.0.4 due to insufficient input sanitization and output e... • https://wpscan.com/vulnerability/788c6aa2-14cc-411f-95e8-5994f8c82d70 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45475
https://notcve.org/view.php?id=CVE-2022-45475
25 Nov 2022 — Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. La versión 2.4.8 de Tiny File Manager permite que un atacante remoto no autenticado acceda a los archivos internos de la aplicación. Esto es posible porque la aplicación es vulnerable a un control de acceso roto. • https://fluidattacks.com/advisories/mosey •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-45476
https://notcve.org/view.php?id=CVE-2022-45476
25 Nov 2022 — Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. La versión 2.4.8 de Tiny File Manager ejecuta el código de los archivos cargados por los usuarios de la aplicación, en lugar de simplemente devolverlos para su descarga. Esto es posible porque la aplicación es vulnerable a la carga de archivos no segura. • https://fluidattacks.com/advisories/mosey • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-23044
https://notcve.org/view.php?id=CVE-2022-23044
25 Nov 2022 — Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to persuade users to perform unintended actions within the application. This is possible because the application is vulnerable to CSRF. La versión 2.4.8 de Tiny File Manager permite a un atacante remoto no autenticado persuadir a los usuarios para que realicen acciones no deseadas dentro de la aplicación. Esto es posible porque la aplicación es vulnerable a CSRF. • https://fluidattacks.com/advisories/mosey • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-40721
https://notcve.org/view.php?id=CVE-2022-40721
03 Oct 2022 — Arbitrary file upload vulnerability in php uploader Una vulnerabilidad de carga de archivos Arbitrarios en php uploader • http://www.openwall.com/lists/oss-security/2022/10/03/3 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36313 – file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop
https://notcve.org/view.php?id=CVE-2022-36313
21 Jul 2022 — An issue was discovered in the file-type package before 16.5.4 and 17.x before 17.1.3 for Node.js. A malformed MKV file could cause the file type detector to get caught in an infinite loop. This would make the application become unresponsive and could be used to cause a DoS attack. Se ha detectado un problema en el paquete file-type versiones anteriores a 16.5.4 y 17.x anteriores a 17.1.3 para Node.js. Un archivo MKV malformado podía causar que el detector de tipo de archivo quedara atrapado en un bucle inf... • https://github.com/sindresorhus/file-type/releases/tag/v16.5.4 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31527
https://notcve.org/view.php?id=CVE-2022-31527
11 Jul 2022 — The Wildog/flask-file-server repository through 2020-02-20 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. El repositorio Wildog/flask-file-server versiones hasta 20-02-20 en GitHub, permite un salto de ruta absoluto porque la función send_file de Flask es usada de forma no segura • https://github.com/github/securitylab/issues/669#issuecomment-1117265726 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •