Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 73.6%.
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available.
Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity.
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. Public exploit code available.
The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow. Rated medium severity (CVSS 4.4). Public exploit code available.
ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attackers to edit app configurations of user_webdavauth and user_ldap by. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The http_negotiate_create_context function in protocol/http/http_negotiate.c in ELinks 0.12 before 0.12pre6, when using HTTP Negotiate or GSS-Negotiate authentication, delegates user credentials. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. No vendor patch available.
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote attackers to inject arbitrary web script or HTML via the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.