HIGH

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the artlang parameter. This has been fixed in 3.1.12.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1880
https://git…

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to DOM cross-site scripting (XSS) because it fails to sanitize user input in the configuration privacy note URL parameter. This has been fixed in 3.1.12.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

microweber/microweber prior to 1.3.3 is vulnerable to stored cross-site scripting (XSS) via the X-Forwarded-For header. This was fixed in version 1.3.3.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1881
https://github.com/microweber/microweber…

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to authentication bypass by capture-relay that allows unlimited comments to be sent. This has been fixed in 3.1.12.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1886
https://github.com/thorsten/p…

thorsten/phpmyfaq prior to 3.1.12 allows users with edit-only permissions to add and delete categories and add FAQs. This has been fixed in 3.1.12.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1887
https://github.com/thorsten/phpmyfaq/commit/4…

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ News link parameter. This has been fixed in 3.1.12.
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1757
https…

Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers.
References

https://nvd.nist.gov/vuln/detail/CVE…

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.
References

https://nvd.nist.gov/vuln/detail/CVE-2023…

Summary
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods.
SvelteKit provides out-of-the-box cross-site request forgery (C…

Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-19278
https://github.com/phachon/mm-w…