6 results

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Nov 2021 — nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible. • https://github.com/nextcloud/news-android/blob/master/security/GHSL-2021-1033_Nextcloud_News_for_Android.md • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jul 2019 — An issue was discovered in the Teclib News plugin through 1.5.2 for GLPI. It allows a stored XSS attack via the $_POST['name'] parameter. • https://github.com/pluginsGLPI/news/blob/master/front/alert.form.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 8 • EXPL: 0

03 Oct 2014 — The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue. • http://typo3.org/extensions/repository/view/tt_news • CWE-20: Improper Input Validation

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 Jul 2013 — SQL injection vulnerability in the News system (news) extension before 1.3.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. • http://osvdb.org/89134 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 1

27 Sep 2011 — Cross-site scripting (XSS) vulnerability in the News theme before 0.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. • https://sitewat.ch/en/Advisories/9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jul 2006 — index.php in Vincent Leclercq News 5.2 allows remote attackers to obtain sensitive information, such as the installation path, via a mail[] parameter with invalid values. • http://secunia.com/advisories/20936