HTML Injection has been discovered in the v0.19.0 version of the Fat Free CRM product via an authenticated request to the /comments URI.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10226
http://packetstormsecurity.com/files/152263/Fat-Free-CR…
「ユニクロ(UNIQLO)」とイタリアンブランド「マルニ(MARNI)」の初コラボレーションコレクシ…
新たなセキュリティ機能で対応ホスト機器のブート、セキュアなデータ管理と「保守修理規則」対応 カリフォ…
デンマーク コペンハーゲン発のプレミアムゲーミングオーディオブランド「EPOS」配信用のマイクやフル…
ゲームをプレイする際に音は非常に重要な要素の1つです。しかしオーディオの世界は青天井で、突き詰めてい…
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrar…
The _validatePost function in libs/controller/components/security.php in CakePHP 1.3.x through 1.3.5 and 1.2.8 allows remote attackers to modify the internal Cake cache and execute arbitrary code via a crafted data[_Token][fields] value that is process…
CakePHP 1.3.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by dispatcher.php and certain other files.
References
https://nvd.nist….
Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model’s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a “mass assignment” vuln…
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
References
https…
