CVE-2019-19989
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. Several PHP pages, and other type of files, are reachable by any user without checking for user identity and authorization.
Source: CVE-2019-19989
[월:] 2020년 02월
CVE-2019-19987
CVE-2019-19987
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. It allows Cross-Site Request Forgery (CSRF) on any HTML form. An attacker can exploit the vulnerability to abuse functionalities such as change password, add user, add privilege, and so on.
Source: CVE-2019-19987
CVE-2019-19986
CVE-2019-19986
An issue was discovered in Selesta Visual Access Manager (VAM) 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP (POST or GET) parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based (this means that relies on error messages thrown by the database server to obtain information about the structure of the database).
Source: CVE-2019-19986
CVE-2019-19134
CVE-2019-19134
The Hero Maps Premium plugin 2.2.1 and prior for WordPress is prone to unauthenticated XSS via the views/dashboard/index.php p parameter because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to inject HTML or arbitrary JavaScript within the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based tokens or to launch other attacks.
Source: CVE-2019-19134
CVE-2019-3796
CVE-2019-3796
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Source: CVE-2019-3796
CVE-2020-9337
CVE-2020-9337
In GolfBuddy Course Manager 1.1, passwords are sent (with base64 encoding) via a GET request.
Source: CVE-2020-9337
CVE-2020-9407
CVE-2020-9407
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
Source: CVE-2020-9407
CVE-2020-9406
CVE-2020-9406
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
Source: CVE-2020-9406
CVE-2020-9405
CVE-2020-9405
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
Source: CVE-2020-9405
CVE-2020-9398
CVE-2020-9398
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
Source: CVE-2020-9398