CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16790 – Remote Code Execution in Tiny File Manager
https://notcve.org/view.php?id=CVE-2019-16790
In Tiny File Manager before 2.3.9, there is a remote code execution via Upload from URL and Edit/Rename files. Only authenticated users are impacted. En Tiny File Manager versiones anteriores a la versión 2.3.9, Hay una ejecución de código remota por medio Upload desde URL y Edit/Rename files. Solo los usuarios autenticados están afectados. • https://github.com/prasathmani/tinyfilemanager/commit/9a499734c5084e3c2eb505f100d50baac1793bd8 https://github.com/prasathmani/tinyfilemanager/security/advisories/GHSA-w72h-v37j-rrwr • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2019-1010091
https://notcve.org/view.php?id=CVE-2019-1010091
tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab. tinymce versiones 4.7.11, 4.7.12, está afectada por: CWE-79: Neutralización Inapropiada de la Entrada Durante la Generación de Páginas Web. El impacto es: ejecución de código JavaScript. • https://github.com/ossf-cve-benchmark/CVE-2019-1010091 https://github.com/tinymce/tinymce/issues/4394 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2019-10012
https://notcve.org/view.php?id=CVE-2019-10012
Jenzabar JICS (aka Internet Campus Solution) before 9 allows remote attackers to upload and execute arbitrary .aspx code by placing it in a ZIP archive and using the MoxieManager (for .NET) plugin before 2.1.4 in the moxiemanager directory within the installation folder ICS\ICS.NET\ICSFileServer. Jenzabar JICS (también se conoce como Internet Campus Solution) anterior a versión 9, permite que los atacantes remotos carguen y ejecuten código .aspx arbitrario colocándolo en un archivo ZIP y utilizando el plugin MoxieManager (para .NET) anterior a versión 2.1.4 en el directorio moxiemanager dentro de la carpeta de instalación ICS\ICS.NET\ICSFileServer. • https://medium.com/%40mdavis332/critical-vulnerability-in-higher-ed-erp-55580f8880c https://www.sjoerdlangkemper.nl/2016/09/15/uploading-webshells-with-moxiemanager • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2019-9002
https://notcve.org/view.php?id=CVE-2019-9002
An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the database_host parameter if the installer remains present in its original directory after installation is completed. Se ha descubierto un problema en Tiny Issue 1.3.1 y pixeline Bugs hasta la versión 1.3.2c. install/config-setup.php permite que los atacantes remotos ejecuten código PHP arbitrario mediante el parámetro database_host si el instalador sigue presente en su directorio original tras haber completado la instalación. • https://github.com/mikelbring/tinyissue/issues/237 https://github.com/pixeline/bugs/commit/9d2d3fcdea22e94f7b497f6ed83791ab3a31ee41 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2017-16097
https://notcve.org/view.php?id=CVE-2017-16097
tiny-http is a simple http server. tiny-http is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. "tiny-http" es un servidor http sencillo. "tiny-http" es vulnerable a un problema de salto de directorio que otorga a un atacante acceso al sistema de archivos colocando "../" en la URL. • https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/tiny- https://nodesecurity.io/advisories/342 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •