
CVSS: 9.8 | EPSS: 6% | CPEs: 1 | EXPL: 2

School Event Management System 1.0 allows Arbitrary File Upload via event/controller.php?action=photos. School Event Management System version 1.0 suffers from a remote shell upload vulnerability. • https://www.exploit-db.com/exploits/45723 • http://packetstormsecurity.com/files/150006/School-Event-Management-System-1.0-Shell-Upload.html • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

Event Search Script 1.0 has SQL Injection via the /event-list city parameter. • https://www.exploit-db.com/exploits/43279 • https://packetstormsecurity.com/files/145306/Event-Search-Script-1.0-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Event List plugin 0.7.9 for WordPress has XSS in the slug array parameter to wp-admin/admin.php in an el_admin_categories delete_bulk action. • https://github.com/kevins1022/cve/blob/master/wordpress-event-list.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress allows an authenticated user to execute arbitrary SQL commands via the id parameter to wp-admin/admin.php. The Event List plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in versions before 0.7.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database. WordPress Event List versions 0.7.8 and below suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/42173 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The event-notifier plugin before 1.2.1 for WordPress has XSS via the loading animation. • https://wordpress.org/plugins/event-notifier/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')