Page 236 of 8664 results (0.022 seconds)

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w https://jira.xwiki.org/browse/XWIKI-20385 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5 https://jira.xwiki.org/browse/XWIKI-20386 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.2EPSS: 0%CPEs: 15EXPL: 3

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. • https://jvn.jp/en/jp/JVN29195731 https://www.ec-cube.net/info/weakness/20231026/index.php https://www.ec-cube.net/info/weakness/20231026/index_3.php https://www.ec-cube.net/info/weakness/20231026/index_40.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Menno Luitjes Foyer allows Code Injection.This issue affects Foyer: from n/a through 1.7.5. La neutralización inadecuada de etiquetas HTML relacionadas con scripts en una vulnerabilidad de página web (XSS básico) en Menno Luitjes Foyer permite la inyección de código. Este problema afecta a Foyer: desde n/a hasta 1.7.5. The Foyer – Digital Signage for WordPress plugin for WordPress is vulnerable to unauthorized content injection due to an insufficient capability check on the editing functionality in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with contributor access and above, to publish arbitrary content via slides. • https://patchstack.com/database/vulnerability/foyer/wordpress-foyer-plugin-1-7-5-content-injection-vulnerability?_s_id=cve • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-285: Improper Authorization •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in ARI Soft ARI Stream Quiz allows Code Injection.This issue affects ARI Stream Quiz: from n/a through 1.3.2. Neutralización inadecuada de etiquetas HTML relacionadas con secuencias de comandos en una vulnerabilidad de página web (XSS básico) en ARI Soft ARI Stream Quiz permite la inyección de código. Este problema afecta a ARI Stream Quiz: desde n/a hasta 1.3.2. The ARI Stream Quiz – WordPress Quizzes Builder plugin for WordPress is vulnerable to content injection due to improper capability checks on the quiz editing functionality in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with contributor access and above, to publish quizzes containing arbitrary content on the site without review. • https://patchstack.com/database/vulnerability/ari-stream-quiz/wordpress-ari-stream-quiz-wordpress-quizzes-builder-plugin-1-2-32-content-injection-vulnerability?_s_id=cve • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-285: Improper Authorization •