
CVE-2021-41472
https://notcve.org/view.php?id=CVE-2021-41472
24 Jan 2022 — SQL injection vulnerability in Sourcecodester Simple Membership System v1 by oretnom23 allows attackers to execute arbitrary SQL commands via the username and password parameters. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-40909
https://notcve.org/view.php?id=CVE-2021-40909
24 Jan 2022 — Cross site scripting (XSS) vulnerability in sourcecodester PHP CRUD without Refresh/Reload using Ajax and DataTables Tutorial v1 by oretnom23 allows remote attackers to execute arbitrary code via the first_name, last_name, and email parameters to /ajax_crud. • https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/CVE-nu11-10-09102021 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2021-23227 – WordPress PHP Everywhere Plugin <= 2.0.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2021-23227
13 Jan 2022 — Cross-Site Request Forgery (CSRF) vulnerability in the Alexander Fuchs PHP Everywhere plugin, versions <= 2.0.2. The PHP Everywhere plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to conduct unspecified potential attacks via forged request grant... • https://patchstack.com/database/vulnerability/php-everywhere/wordpress-php-everywhere-plugin-2-0-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-24665 – Remote Code Execution by Contributor+ users via WordPress gutenberg block
https://notcve.org/view.php?id=CVE-2022-24665
04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress gutenberg block by any user able to edit posts. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2022-24663 – Remote Code Execution by Subscriber+ users via WordPress shortcode
https://notcve.org/view.php?id=CVE-2022-24663
04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2022-24664 – Remote Code Execution by Contributor+ users via WordPress metabox
https://notcve.org/view.php?id=CVE-2022-24664
04 Jan 2022 — PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts. PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities. • https://packetstorm.news/files/id/165895 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2021-43678
https://notcve.org/view.php?id=CVE-2021-43678
17 Dec 2021 — Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in Wechat.php. • https://github.com/gaoming13/wechat-php-sdk • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-26800
https://notcve.org/view.php?id=CVE-2021-26800
16 Dec 2021 — Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0 allows attackers to change the password of an arbitrary account. • https://gist.github.com/Kavisha3/59dac95b268f0d32eab53e659ab59311 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-43692
https://notcve.org/view.php?id=CVE-2021-43692
29 Nov 2021 — youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php. • https://github.com/zxq2233/youtube-php-mirroring/issues/3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-21707 – Special characters break path parsing in XML functions
https://notcve.org/view.php?id=CVE-2021-21707
29 Nov 2021 — In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, the function may interpret it as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to read a different file than intended. • https://bugs.php.net/bug.php?id=79971 • CWE-20: Improper Input Validation • CWE-159: Improper Handling of Invalid Use of Special Elements