afine-com

14 exploits Active since Mar 2022
CVE-2024-24816 NOMISEC MEDIUM WRITEUP
CKEditor4 <4.24.0-lts - XSS
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in the samples that use the `preview` feature. Any integrator that ships these samples in production code can be affected: the misconfigured preview feature lets an attacker execute JavaScript in the page. It affects all CKEditor 4 installations at versions < 4.24.0-lts where the affected samples are used in a production environment. A fix is available in version 4.24.0-lts.
2 stars
CVSS 6.1
CVE-2023-35840 NOMISEC MEDIUM WRITEUP
Std42 Elfinder < 2.1.62 - Path Traversal
_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.
2 stars
CVSS 6.5
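The _joinPath flaw above is the classic shape of a path-traversal bug in a file-manager connector: a client-supplied relative path is appended to the volume root without proving that the result stays inside it. The Python below is an added example, not elFinder's code, showing the vulnerable join next to a hardened one; the root, the sample paths and the function names are constructed for illustration.

```python
import posixpath


class PathTraversalError(ValueError):
    """Raised when a user-supplied relative path would escape the volume root."""


def naive_join(root: str, relative: str) -> str:
    """String concatenation with no containment check (the vulnerable pattern).

    Constructed for contrast only: '../' segments are collapsed by normpath
    and walk straight out of `root`.
    """
    return posixpath.normpath(root + "/" + relative)


def safe_join(root: str, relative: str) -> str:
    """Join an untrusted relative path onto a fixed volume root and prove the
    result is still inside it (hypothetical hardened join, not elFinder code).

    posixpath keeps the behaviour deterministic on any host; a connector on a
    live filesystem should also resolve symlinks with os.path.realpath before
    running the containment check.
    """
    if "\x00" in relative:
        raise PathTraversalError("NUL byte in path")
    if "\\" in relative:
        # Backslash-separated segments slip past checks that only look for '/'.
        raise PathTraversalError("backslash in path")
    if posixpath.isabs(relative):
        raise PathTraversalError("absolute path supplied")

    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, relative))

    # Compare against root plus a separator: a bare startswith(root) would
    # accept /var/www/files2 as lying inside /var/www/files.
    prefix = root_norm if root_norm.endswith("/") else root_norm + "/"
    if candidate != root_norm and not candidate.startswith(prefix):
        raise PathTraversalError(f"{relative!r} escapes {root_norm}")
    return candidate


def is_safe_join(root: str, relative: str) -> bool:
    """Predicate form of safe_join for request validation and tests."""
    try:
        safe_join(root, relative)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    ROOT = "/var/www/files"  # constructed volume root
    print(naive_join(ROOT, "../../../etc/passwd"))   # escapes to /etc/passwd
    print(safe_join(ROOT, "docs/../b.txt"))          # stays inside the root
    print(is_safe_join(ROOT, "docs/../../etc/passwd"))
```

The two details that most often go wrong in real connectors are the prefix comparison (it must include the trailing separator) and normalising before checking rather than after; both are handled above.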
CVE-2018-25031 NOMISEC MEDIUM WORKING POC
Swagger UI <=4.1.2 - Spoofing
Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
2 stars
CVSS 4.3
CVE-2022-36433 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro 2.10.3 - XSS
The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the short_content and full_content fields, leading to XSS attacks against admin panel users via posts/preview or posts/save.
1 star
CVSS 6.1
CVE-2022-36432 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro 2.10.3 - XSS
The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response.
1 star
CVSS 5.4
CVE-2022-35500 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro 2.10.3 - XSS
Amasty Blog Pro 2.10.3 is vulnerable to Cross Site Scripting (XSS) via the leave-comment functionality.
1 star
CVSS 5.4
CVE-2022-35501 NOMISEC MEDIUM WRITEUP
Amasty Blog Pro 2.10.3, 2.10.4 - XSS
Stored Cross-site Scripting (XSS) exists in the Amasty Blog Pro 2.10.3 and 2.10.4 plugin for Magento 2 via the duplicate-post function.
1 star
CVSS 5.4
CVE-2024-5737 NOMISEC MEDIUM WRITEUP
AdmirorFrames <5.0 - XSS
The afGdStream.php script in the AdmirorFrames Joomla! extension does not specify a content type, so the server default (text/html) is used. An attacker may embed HTML tags directly in the image data, and the browser renders them as HTML. This issue affects AdmirorFrames: before 5.0.
CVSS 6.1
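The afGdStream.php issue is not really an image bug but a response-labelling bug: bytes the attacker controls are handed to the browser with no Content-Type, and the server default turns them into a document. The Python below is an added example (not AdmirorFrames code) of the vulnerable shape next to a hardened one that derives the type from the bytes, refuses anything that is not an image, and forbids sniffing. The sample payloads and the function names are constructed.

```python
import re

IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Constructed inputs: plain HTML, and a PNG/HTML polyglot whose leading bytes
# are a valid PNG signature.
HTML_ONLY = b"<script>alert(1)</script>"
POLYGLOT = b"\x89PNG\r\n\x1a\n<script>alert(1)</script>"


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def unsafe_stream(data: bytes):
    """The vulnerable shape: bytes echoed with no Content-Type header at all.
    PHP's default_mimetype (text/html) then applies, so markup inside the data
    is parsed as a document. Constructed for contrast."""
    return 200, {}, data


def safe_image_stream(data: bytes, filename: str = "frame"):
    """Hypothetical hardened replacement: the label comes from the bytes, not
    from the request, non-images are refused, and sniffing is disabled so a
    polyglot cannot be reinterpreted. Returns (status, headers, body)."""
    mime = sniff_image_type(data)
    if mime is None:
        return 415, {
            "Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        }, b"unsupported image data"
    # Keep the filename to a safe alphabet so it cannot inject header syntax.
    safe_name = re.sub(r"[^A-Za-z0-9_-]", "_", filename)[:64] or "frame"
    ext = mime.split("/")[1]
    headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_name}.{ext}"',
        # Even if something does render it, scripts and subresources are blocked.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Length": str(len(data)),
    }
    return 200, headers, data


def renders_as_html(status: int, headers: dict) -> bool:
    """Would a browser treat this response as an HTML document? Models the
    text/html default the advisory describes when the header is absent."""
    ctype = headers.get("Content-Type", "text/html").split(";")[0].strip().lower()
    return status == 200 and ctype == "text/html"


if __name__ == "__main__":
    print(renders_as_html(*unsafe_stream(POLYGLOT)[:2]))   # True: the bug
    print(safe_image_stream(POLYGLOT)[1]["Content-Type"])  # image/png
    print(safe_image_stream(HTML_ONLY)[0])                  # 415
```

The polyglot case is the one to test when verifying a fix: a check that only rejects bodies starting with `<` would still let it through, which is why the hardened version labels by signature and adds `nosniff` rather than trying to detect markup.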
CVE-2024-5735 NOMISEC HIGH WRITEUP
AdmirorFrames <5.0 - Info Disclosure
Full Path Disclosure vulnerability in the afHelper.php script of the AdmirorFrames Joomla! extension allows an unauthorised attacker to retrieve the location of the web root folder. This issue affects AdmirorFrames: before 5.0.
CVSS 7.5
CVE-2024-5736 NOMISEC HIGH WRITEUP
AdmirorFrames <5.0 - SSRF
Server Side Request Forgery (SSRF) vulnerability in the afGdStream.php script of the AdmirorFrames Joomla! extension allows an attacker to access local files or server pages that are reachable only from localhost. This issue affects AdmirorFrames: before 5.0.
CVSS 7.5
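An image-streaming script that fetches whatever location it is given is the usual SSRF shape: the two outcomes the advisory names, local files and localhost-only pages, correspond to an unrestricted scheme and an unrestricted destination address. The Python below is an added example (not AdmirorFrames code) of the validation such a fetch needs before any connection is made. The hostnames, addresses and lookup table are constructed so the check runs offline; the function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class SSRFError(ValueError):
    """Raised when a user-supplied URL must not be fetched by the server."""


def is_forbidden_ip(ip) -> bool:
    """Addresses an image fetcher must never talk to: loopback, RFC 1918 and
    ULA, link-local (which covers 169.254.169.254 cloud metadata), multicast,
    reserved and unspecified ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> set:
    """Resolve with the OS resolver; every A/AAAA answer is returned."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_target(url: str, resolve=system_resolver) -> list:
    """Return the sorted public addresses a URL resolves to, or raise SSRFError.

    The caller must connect to one of the returned addresses (sending the Host
    header itself) instead of resolving again, so a DNS rebinding between check
    and use cannot move the destination, and must disable redirects or re-run
    this check on every hop.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SSRFError("userinfo in URL")
    host = parts.hostname
    if not host:
        raise SSRFError("missing host")
    if host == "localhost" or host.endswith(".localhost"):
        raise SSRFError("localhost name")
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal, including [::1]
    except ValueError:
        # Odd spellings (decimal 2130706433, 127.1, 0x7f.1) are not literals
        # here; whatever the resolver turns them into is checked below.
        addrs = {ipaddress.ip_address(a) for a in resolve(host)}
    if not addrs:
        raise SSRFError(f"{host} does not resolve")
    for ip in addrs:
        if is_forbidden_ip(ip):
            raise SSRFError(f"{host} resolves to non-public address {ip}")
    return sorted(str(ip) for ip in addrs)


def is_safe_fetch_target(url: str, resolve=system_resolver) -> bool:
    try:
        validate_fetch_target(url, resolve)
        return True
    except (SSRFError, OSError, ValueError):
        return False


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "img.example.org": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "rebind.example.net": {"93.184.216.34", "10.0.0.5"},  # one bad answer rejects all
}


def fake_resolver(host: str) -> set:
    if host not in FAKE_DNS:
        raise SSRFError(f"cannot resolve {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://img.example.org/a.png", "file:///etc/passwd",
              "http://127.0.0.1/", "http://metadata.internal/latest/"):
        print(u, is_safe_fetch_target(u, fake_resolver))
```

Rejecting the whole lookup when any answer is non-public is deliberate: an attacker who controls the zone can mix a public and an internal address and hope the fetcher picks the internal one.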
CVE-2023-45182 NOMISEC HIGH WORKING POC
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 - Information Disclosure
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having the key for an encrypted password decoded. A local attacker who obtains the encrypted password could exploit this vulnerability to recover the password and use it against other systems. IBM X-Force ID: 268265.
CVSS 7.4
CVE-2023-39062 NOMISEC MEDIUM WRITEUP
Spipu HTML2PDF <5.2.8 - XSS
Cross Site Scripting vulnerability in Spipu HTML2PDF before v5.2.8 allows a remote attacker to execute arbitrary script in a victim's browser via a crafted payload submitted to forms.php.
CVSS 6.1
CVE-2023-45184 NOMISEC MEDIUM WORKING POC
IBM i Access Client Solutions 1.1.2-1.1.4, 1.1.4.3-1.1.9.3 - Info Disclosure
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.
CVSS 6.2
CVE-2023-45185 NOMISEC HIGH WRITEUP
IBM i Access Client Solutions 1.1.2-1.1.4, 1.1.4.3-1.1.9.3 - Incorrect Authorization
IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to execute remote code. Due to improper authority checks, the attacker could perform operations on the PC under the user's authority. IBM X-Force ID: 268273.
CVSS 7.4