Teamwork Management System versions up to 2.28.0. is affected by server-side request forgery (ssrf) (CVSS 6.3).
Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.
A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]
A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. [CVSS 3.5 LOW]
Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]
Kodbox versions up to 1.61.10 contain a command injection vulnerability in the compression handler component that allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Bastillion up to version 4.0.1 contains a command injection vulnerability in the System Management Module that allows remote attackers with high privileges to execute arbitrary commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. The impact is limited to low-level confidentiality, integrity, and availability compromise.
Command injection in Bastillion's public key management system (versions up to 4.0.1) allows remote attackers with high privileges to execute arbitrary commands through the AuthKeysKtrl.java component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The attack requires network access and high-level authentication but carries minimal complexity once access is obtained.