afine-com

14 exploits Active since Mar 2022
CVE-2024-24816 NOMISEC MEDIUM WRITEUP
CKEditor4 < 4.24.0-lts - Cross-Site Scripting via Preview Feature
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in the sample pages that use the `preview` feature. All integrators that ship these samples in production code can be affected: the misconfigured preview feature lets an attacker execute JavaScript code. It affects all users of CKEditor 4 at versions < 4.24.0-lts with the affected samples deployed in a production environment. A fix is available in version 4.24.0-lts.
2 stars
CVSS 6.1
CVE-2023-35840 NOMISEC MEDIUM WRITEUP
elFinder < 2.1.62 - Path Traversal via LocalVolumeDriver Connector
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
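The `_joinPath` weakness above is a path join that lets `..` segments climb out of the volume root. The PHP below is an added example, not elFinder's code, of a join that normalises the caller-supplied path lexically (no filesystem access, so it also covers files that do not exist yet, such as uploads and renames) and refuses anything that would leave the root; the function names, the root directory and the sample requests are assumptions.

```php
<?php
// Added example (not elFinder's code): a connector-style path join that
// refuses to escape the volume root. Function names are hypothetical.
declare(strict_types=1);

// Lexically normalise a volume-relative path: accept "/" and "\" as
// separators, collapse "." and "..", and return null when ".." tries
// to climb above the root or a segment carries a NUL byte.
function normalizeRelativePath(string $path): ?string
{
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (empty($parts)) {
                return null;            // would leave the root
            }
            array_pop($parts);
            continue;
        }
        if (strpos($segment, "\0") !== false) {
            return null;                // NUL bytes truncate C-level paths
        }
        $parts[] = $segment;
    }
    return implode('/', $parts);
}

// Join a caller-supplied relative path onto the volume root.
// Returns the absolute path, or null when the request is rejected.
function joinPath(string $root, string $relative): ?string
{
    $clean = normalizeRelativePath($relative);
    if ($clean === null) {
        return null;
    }
    $root = rtrim($root, '/');
    return $clean === '' ? $root : $root . '/' . $clean;
}

// Constructed requests, as a connector might receive them in a "target"
// parameter. Each comment describes the input, not the output.
$root = '/srv/elfinder/files';
$cases = [
    'docs/report.pdf',               // plain file inside the root
    'docs/../img/logo.png',          // ".." that stays inside the root
    '../../etc/passwd',              // ".." climbing above the root
    'docs/..\\..\\..\\etc\\passwd',  // same attempt with backslashes
    "docs/a.txt\0.png",              // NUL byte after the real name
];
foreach ($cases as $case) {
    $result = joinPath($root, $case);
    printf("%-32s => %s\n", json_encode($case), $result ?? 'REJECTED');
}
```

The normalisation happens before the string is handed to any filesystem call, so the rejection does not depend on `realpath()` (which returns false for paths that do not exist yet) and is the same on Windows and POSIX hosts.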
2 stars
CVSS 6.5
CVE-2018-25031 NOMISEC MEDIUM WORKING POC
Swagger UI < 4.1.3 - Server-Side Request Forgery via OpenAPI Definition URL
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could cause the trusted Swagger UI page to load and display a remote, attacker-chosen OpenAPI definition. Note: this was originally claimed to be resolved in 4.1.3; however, third parties have indicated that it is not resolved in 4.1.3 and still occurs in that version and possibly others.
2 stars
CVSS 4.3
CVE-2022-36433 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro < 2.10.5 - Stored Cross-Site Scripting via Short Content and Full Content Fields
The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.
1 star
CVSS 6.1
CVE-2022-36432 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro < 2.10.5 - Cross-Site Scripting via Preview Functionality
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.
1 star
CVSS 5.4
CVE-2022-35500 NOMISEC MEDIUM WRITEUP
Amasty Blog 2.10.3 - Cross-Site Scripting via Leave Comment Functionality
Amasty Blog 2.10.3 is vulnerable to Cross Site Scripting (XSS) via leave comment functionality.
1 star
CVSS 5.4
CVE-2022-35501 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro 2.10.3-2.10.4 - Stored Cross-Site Scripting via Duplicate Post Function
Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 because of the duplicate post function.
1 star
CVSS 5.4
CVE-2024-5737 NOMISEC MEDIUM WRITEUP
AdmirorFrames < 5.0 - Cross-Site Scripting via afGdStream.php Image Data
The afGdStream.php script in the AdmirorFrames Joomla! extension does not specify a Content-Type header, so the server default (text/html) is used. An attacker can embed HTML tags directly in image data, and the browser then renders that data as HTML. This issue affects AdmirorFrames before 5.0.
CVSS 6.1
CVE-2024-5735 NOMISEC HIGH WRITEUP
AdmirorFrames < 5.0 - Full Path Disclosure via afHelper.php
Full Path Disclosure vulnerability in the afHelper.php script of the AdmirorFrames Joomla! extension allows an unauthorised attacker to retrieve the location of the web root folder. This issue affects AdmirorFrames before 5.0.
CVSS 7.5
CVE-2024-5736 NOMISEC HIGH WRITEUP
AdmirorFrames < 5.0 - Server-Side Request Forgery via afGdStream.php
Server-Side Request Forgery (SSRF) vulnerability in the afGdStream.php script of the AdmirorFrames Joomla! extension allows an attacker to read local files or request server pages that are reachable only from localhost. This issue affects AdmirorFrames before 5.0.
CVSS 7.5
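Both AdmirorFrames issues above (CVE-2024-5737 and CVE-2024-5736) live in afGdStream.php: it streams bytes without declaring a Content-Type, and it can be pointed at local files or localhost-only pages. The PHP below is an added example, not the extension's code, of how an image-streaming script of that kind can be written so that it only serves real image files from one fixed directory and always declares their type. The `img` parameter, the `images/frames` directory and the function names are assumptions, and it needs PHP 8 for `str_starts_with` and `str_contains`.

```php
<?php
// Added example (not AdmirorFrames' code): an image-streaming endpoint in
// the style of afGdStream.php, hardened against the two issues above.
// The "img" parameter and "images/frames" directory are assumptions.
declare(strict_types=1);

const IMAGE_DIR    = __DIR__ . '/images/frames';
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

// Resolve the requested image to a file inside IMAGE_DIR, or null.
// Only a bare file name is accepted: no URL schemes, no directories,
// so the script can never be pointed at http://127.0.0.1/... or
// /etc/passwd the way the SSRF / local-file read requires.
function resolveImage(string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,128}\z/', $requested)
        || str_contains($requested, '..')) {
        return null;
    }
    $path = realpath(IMAGE_DIR . '/' . $requested);
    $base = realpath(IMAGE_DIR);
    if ($path === false || $base === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;                    // symlink or ".." left the directory
    }
    return is_file($path) ? $path : null;
}

// Take the MIME type from the file's bytes, not its extension, and only
// accept raster image types. SVG (which may carry <script>) and plain
// HTML both fail getimagesize() and are refused.
function imageMime(string $path): ?string
{
    $info = @getimagesize($path);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        return null;
    }
    return $info['mime'];
}

// The headers the vulnerable script omitted. Content-Type pins the parse
// to an image type and nosniff stops the browser second-guessing it, so
// even a GIF/HTML polyglot is never rendered as a document. The inline
// Content-Disposition uses a sanitised name to avoid header injection.
function imageHeaders(string $mime, string $name): array
{
    $safeName = preg_replace('/[^A-Za-z0-9_.-]/', '_', $name);
    return [
        'Content-Type: ' . $mime,
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: inline; filename="' . $safeName . '"',
        'Cache-Control: public, max-age=86400',
    ];
}

$requested = (string)($_GET['img'] ?? '');
$path = resolveImage($requested);
$mime = $path !== null ? imageMime($path) : null;

if ($path === null || $mime === null) {
    // Same generic answer for "outside the directory" and "not an image":
    // no path echo, so this branch cannot become a path disclosure either.
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    exit('not found');
}

foreach (imageHeaders($mime, basename($path)) as $h) {
    header($h);
}
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The two checks are independent: `resolveImage()` closes the SSRF / local-file read by never fetching anything the caller names, and `imageMime()` plus the explicit headers close the XSS by guaranteeing that whatever is served is parsed as an image rather than as text/html.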
CVE-2023-45182 NOMISEC HIGH WORKING POC
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 - Information Disclosure
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 protects stored passwords with a key that can be decoded. A local attacker who obtains the encrypted password could exploit this to recover the password to other systems. IBM X-Force ID: 268265.
CVSS 7.4
CVE-2023-39062 NOMISEC MEDIUM WRITEUP
html2pdf < 5.2.8 - Cross-Site Scripting via forms.php
Cross-site scripting vulnerability in Spipu HTML2PDF before v5.2.8 allows a remote attacker to execute arbitrary script in a victim's browser via a crafted payload submitted to forms.php.
CVSS 6.1
CVE-2023-45184 NOMISEC MEDIUM WORKING POC
IBM i Access Client Solutions 1.1.2-1.1.4 and 1.1.4.3-1.1.9.3 - Information Disclosure via Improper Authority Checks
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.
CVSS 6.2
CVE-2023-45185 NOMISEC HIGH WRITEUP
IBM i Access Client Solutions 1.1.2-1.1.4 and 1.1.4.3-1.1.9.3 - Remote Code Execution via Improper Authority Checks
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.
CVSS 7.4