Sergio

39 exploits Active since Sep 2023
CVE-2023-43878 NOMISEC MEDIUM WORKING POC
Rite CMS 3.0 - XSS
Rite CMS 3.0 has Multiple Cross-Site scripting (XSS) vulnerabilities that allow attackers to execute arbitrary code via a crafted payload into the Main Menu Items in the Administration Menu.
CVSS 5.4
CVE-2023-43879 NOMISEC MEDIUM WORKING POC
Rite CMS 3.0 - XSS
Rite CMS 3.0 has a Cross-Site scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload into the Global Content Blocks in the Administration Menu.
CVSS 4.8
CVE-2023-44758 NOMISEC MEDIUM WRITEUP
Gdidees Cms - XSS
GDidees CMS 3.0 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code via a crafted payload to the Page Title.
CVSS 5.4
CVE-2023-44760 NOMISEC MEDIUM WORKING POC
Concretecms Concrete Cms - XSS
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
CVSS 4.8
CVE-2023-44761 NOMISEC MEDIUM WRITEUP
Concretecms Concrete Cms < 9.2.2 - XSS
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
CVSS 5.4
CVE-2023-44762 NOMISEC MEDIUM WORKING POC
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.
CVSS 5.4
CVE-2023-44763 NOMISEC MEDIUM WRITEUP
Concretecms Concrete Cms - Unrestricted File Upload
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
CVSS 5.4
CVE-2023-44764 NOMISEC MEDIUM WRITEUP
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings).
CVSS 5.4
CVE-2023-44765 NOMISEC MEDIUM WRITEUP
Concretecms Concrete Cms < 9.2.2 - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.
CVSS 5.4
CVE-2023-44766 NOMISEC MEDIUM WORKING POC
Concretecms Concrete Cms - XSS
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.
CVSS 4.8
CVE-2023-44767 NOMISEC MEDIUM WORKING POC
Ritecms - XSS
A File upload vulnerability in RiteCMS 3.0 allows a local attacker to upload a SVG file with XSS content.
CVSS 4.8
CVE-2023-44769 NOMISEC MEDIUM WRITEUP
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias.
CVSS 5.4
CVE-2023-44770 NOMISEC MEDIUM WORKING POC
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows an attacker to execute arbitrary code via a crafted script to the Organizer - Spare alias.
CVSS 5.4
CVE-2023-44771 NOMISEC MEDIUM WORKING POC
Tribalsystems Zenario - XSS
A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.
CVSS 5.4