Gitee Exploits

415 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-40540 GITEE CRITICAL java
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept.
by witmy
826 stars
CVSS 9.8
CVE-2024-40541 GITEE CRITICAL java
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept/build.
by witmy
826 stars
CVSS 9.8
CVE-2024-40542 GITEE CRITICAL java
my-springsecurity-plus <2024.07.03 - SQL Injection
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/role?offset.
by witmy
826 stars
CVSS 9.8
CVE-2024-28417 GITEE MEDIUM
Webedition CMS 9.2.2.0 - Stored Cross-Site Scripting via we_cmd.php
Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.
by shavchen214
CVSS 6.3
CVE-2024-28418 GITEE MEDIUM
Webedition CMS 9.2.2.0 - Unrestricted File Upload via we_cmd.php
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php
by shavchen214
CVSS 6.5
CVE-2024-3311 GITEE MEDIUM php
Dreamer CMS <4.1.3.0 - Path Traversal
A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259369 was assigned to this vulnerability.
by y1336247431
CVSS 6.3
CVE-2024-33371 GITEE MEDIUM
dedecms 5.7.113 - Cross-Site Scripting via typeid Parameter in makehtml_list_action.php
Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to execute arbitrary code via the typeid parameter in the makehtml_list_action.php component.
by zchuanwen
CVSS 6.1
CVE-2024-33401 GITEE MEDIUM
dedecms 5.7.113 - Cross-Site Scripting via mnum Parameter
Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to run arbitrary code via the mnum parameter.
by zchuanwen
CVSS 4.4
CVE-2024-34959 GITEE MEDIUM
dedecms V5.7.113 - Cross-Site Scripting via sys_data_replace.php
DedeCMS V5.7.113 is vulnerable to Cross Site Scripting (XSS) via sys_data_replace.php.
by upgogo
CVSS 5.5
CVE-2024-37732 GITEE MEDIUM
Anchor CMS 0.12.7 - Cross-Site Scripting via Crafted PDF File
Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file.
by Aa272899
CVSS 6.1
CVE-2024-57521 GITEE CRITICAL java
RuoYi < 4.7.9 - SQL Injection via SqlUtil.java createTable Function
SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.
by y_project
47,892 stars
CVSS 10.0
CVE-2024-6511 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting via Content-Type Handler
A vulnerability classified as problematic was found in y_project RuoYi up to 4.7.9. Affected by this vulnerability is the function isJsonRequest of the component Content-Type Handler. The manipulation of the argument HttpHeaders.CONTENT_TYPE leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-270343.
by y_project
47,892 stars
CVSS 3.5
CVE-2024-9048 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting in Backend User Import via loginName
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The patch is named 9b68013b2af87b9c809c4637299abd929bc73510. It is recommended to apply a patch to fix this issue.
by y_project
47,892 stars
CVSS 3.1
CVE-2024-9048 GITEE LOW java
RuoYi < 4.7.9 - Cross-Site Scripting in Backend User Import via loginName
A vulnerability was found in y_project RuoYi up to 4.7.9. It has been declared as problematic. Affected by this vulnerability is the function SysUserServiceImpl of the file ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysUserServiceImpl.java of the component Backend User Import. The manipulation of the argument loginName leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The patch is named 9b68013b2af87b9c809c4637299abd929bc73510. It is recommended to apply a patch to fix this issue.
by y_project
47,892 stars
CVSS 3.1
CVE-2024-42991 GITEE HIGH java
MCMS v5.4.1 - Unauthenticated Remote Code Execution via File Upload
MCMS v5.4.1 has front-end file upload vulnerability which can lead to remote command execution.
by mingSoft
32,018 stars
CVSS 8.1
CVE-2024-8112 GITEE MEDIUM java
JeeSite 5.3 - Cross-Site Scripting via SkinName Parameter in Cookie Handler
A vulnerability was found in thinkgem JeeSite 5.3. It has been rated as problematic. This issue affects some unknown processing of the file /js/a/login of the component Cookie Handler. The manipulation of the argument skinName leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
by thinkgem
30,995 stars
CVSS 4.3
CVE-2024-7552 GITEE MEDIUM java
DataGear <5.0.0 - Improper Neutralization
A vulnerability was found in DataGear up to 5.0.0. It has been declared as critical. Affected by this vulnerability is the function evaluateVariableExpression of the file ConversionSqlParamValueMapper.java of the component Data Schema Page. The manipulation leads to improper neutralization of special elements used in an expression language statement. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273697 was assigned to this vulnerability.
by datagearadmin
6,828 stars
CVSS 6.3
CVE-2024-5829 GITEE LOW javascript
smallweigit Avue <= 3.4.4 - Cross-Site Scripting in avueUeditor
A vulnerability classified as problematic was found in smallweigit Avue up to 3.4.4. Affected by this vulnerability is an unknown functionality of the component avueUeditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-267895. NOTE: The code maintainer explains, that "rich text is no longer maintained".
by smallweigit
5,381 stars
CVSS 3.5
CVE-2024-54954 GITEE HIGH java
OneBlog < 2.3.6 - Template Injection via Template Management
OneBlog v2.3.6 was discovered to contain a template injection vulnerability via the template management department.
by yadong.zhang
5,303 stars
CVSS 8.0
CVE-2024-5766 GITEE LOW php
Likeshop 2.5.0-2.5.7 - Cross-Site Scripting in Merchandise Handler
A vulnerability was found in Likeshop up to 2.5.7 and classified as problematic. This issue affects some unknown processing of the file /admin of the component Merchandise Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-267449 was assigned to this vulnerability.
by likeshop_1
4,387 stars
CVSS 2.4
CVE-2024-57407 GITEE HIGH java
Timo 2.0.3 - Arbitrary File Upload and Remote Code Execution via User Picture Component
An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.
by aun
3,332 stars
CVSS 7.3
CVE-2024-5279 GITEE LOW java
Qiwen Netdisk <= 1.4.0 - Cross-Site Scripting via File Rename Handler
A vulnerability was found in Qiwen Netdisk up to 1.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component File Rename Handler. The manipulation with the input <img src="" onerror="alert(document.cookie)"> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-266083.
by mac520
2,973 stars
CVSS 3.5
CVE-2024-40546 GITEE HIGH java
PublicCMS < 4.0.202302.e - Arbitrary File Upload via /admin/cmsWebFile/save
An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
by sanluan
2,673 stars
CVSS 8.8
CVE-2024-40547 GITEE MEDIUM java
PublicCMS <4.0.202302.e - Code Injection
PublicCMS v4.0.202302.e was discovered to contain an arbitrary file content replacement vulnerability via the component /admin/cmsTemplate/replace.
by sanluan
2,673 stars
CVSS 6.5
CVE-2024-40548 GITEE HIGH java
PublicCMS < 4.0.202302.e - Arbitrary File Upload via /admin/cmsTemplate/save
An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.
by sanluan
2,673 stars
CVSS 8.8
By Source
All 415 Writeup 61,941 Exploitdb 50,073 Nomisec 22,294 Github 3,475 Metasploit 3,294 Vulncheck_xdb 926 Inthewild 514 Gitlab 470 Gitee 415 Patchapalooza 312
By Language
text 31,383 python 6,491 ruby 5,984 c 3,619 perl 2,849 html 2,071 php 1,331 bash 462 java 370 c++ 255 javascript 227 shell 126 go 72 postscript 25 typescript 25