Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.php and en/achat/caddie_affichage.php, as demonstrated by an XSS payload in the couleurId[0] parameter to the latter.
Source: NIST
CVE-2018-20848
June 2019
CVE-2019-13086
core/MY_Security.php in CSZ CMS 1.2.2 before 2019-06-20 has member/login/check SQL injection by sending a crafted HTTP User-Agent header and omitting the csrf_csz parameter.
Source: NIST
CVE-2019-13084
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000026b739.
Source: NIST
CVE-2019-13082
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its contents, and after extraction does not check the files recursively. This means that by placing a .php file in a folder and then that folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, the result is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir.
Source: NIST
CVE-2019-13085
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x000000000030ecfa.
Source: NIST
CVE-2019-13083
XnView Classic 2.48 has a User Mode Write AV starting at xnview+0x0000000000384e2a.
Source: NIST
CVE-2019-11822
Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.
Source: NIST
CVE-2019-11825
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
Source: NIST
CVE-2019-11826
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
Source: NIST
CVE-2019-11827
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
Source: NIST