0
CVE-2023-53900 - Spip 4.1.10 Admin Account Spoofing via Malicious SVG Upload
Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Attackers can trick administrators into clicking a crafted SVG logo that redirects to a potentially dangerous URL through improper file upload filtering.
8.7
CVE-2023-53896 - D-Link DAP-1325 Hardware A1 Unauthenticated Configuration Download
D-Link DAP-1325 firmware version 1.01 contains a broken access control vulnerability that allows unauthenticated attackers to download device configuration settings without authentication. Attackers can exploit the /cgi-bin/ExportSettings.sh endpoint to retrieve sensitive configuration information β¦
9.3
CVE-2023-53895 - PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, aβ¦
5.1
CVE-2023-53903 - WebsiteBaker 2.13.3 Stored Cross-Site Scripting via SVG File Upload
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attβ¦
7
CVE-2023-53902 - WebsiteBaker 2.13.3 Directory Traversal via Media Delete Endpoint
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside theβ¦
7.1
CVE-2023-53901 - WBCE CMS 1.6.1 Cross-Site Scripting and Open Redirect Vulnerability
WBCE CMS 1.6.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML and CSS to capture user keystrokes. Attackers can upload a crafted HTML file with CSS-based keylogging techniques to intercept password characters through background image requests.
5.1
CVE-2023-53899 - PodcastGenerator 3.2.9 Blind Server-Side Request Forgery via XML Injection
PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Attackers can manipulate the 'shortdesc' parameter to trigger external HTTP requests to arbitrary endpoints during podcast episode creation.
0
CVE-2023-53898 - Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Configuration
Rukovoditel 3.4.1 contains a stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert iframe and script payloads in application copyright text to execute arbitrary JavaScript in victim browsers.
0
CVE-2023-53897 - Rukovoditel 3.4.1 Multiple Stored Cross-Site Scripting via Comments
Rukovoditel 3.4.1 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts. Attackers can insert XSS payloads in project task comments to execute arbitrary JavaScript in victim browsers.
9.3
CVE-2023-53894 - phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability
phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.