daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Auto Generated cves.json [Sat Mar 4 08:06:08 UTC 2023] 🤖

patch-1
GitHub Action 2023-03-04 08:06:08 +00:00
parent 6b8296747c
commit 4e9802beab
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cves.json
View File

@ -1136,7 +1136,7 @@
{"ID":"CVE-2021-32789","Info":{"Name":"WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection","Severity":"high","Description":"woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.\n","Classification":{"CVSSScore":"7.5"}},"file_path":"cves/2021/CVE-2021-32789.yaml"}
{"ID":"CVE-2021-32819","Info":{"Name":"Nodejs Squirrelly - Remote Code Execution","Severity":"high","Description":"Nodejs Squirrelly is susceptible to remote code execution. Squirrelly is a template engine implemented in JavaScript that works out of the box with ExpressJS. Squirrelly mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options remote code execution may be triggered in downstream applications. There is currently no fix for these issues as of the publication of this CVE. The latest version of squirrelly is currently 8.0.8. For complete details refer to the referenced GHSL-2021-023.\n","Classification":{"CVSSScore":"8.8"}},"file_path":"cves/2021/CVE-2021-32819.yaml"}
{"ID":"CVE-2021-32820","Info":{"Name":"Express-handlebars - Local File Inclusion","Severity":"high","Description":"Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extensions (i.e., file.extension) can be included. Files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.","Classification":{"CVSSScore":"8.6"}},"file_path":"cves/2021/CVE-2021-32820.yaml"}
{"ID":"CVE-2021-32853","Info":{"Name":"Erxes \u003c0.23.0 - Cross-Site Scripting","Severity":"medium","Description":"Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag.","Classification":{"CVSSScore":"N/A"}},"file_path":"cves/2021/CVE-2021-32853.yaml"}
{"ID":"CVE-2021-32853","Info":{"Name":"Erxes \u003c0.23.0 - Cross-Site Scripting","Severity":"critical","Description":"Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag.","Classification":{"CVSSScore":"9.6"}},"file_path":"cves/2021/CVE-2021-32853.yaml"}
{"ID":"CVE-2021-3293","Info":{"Name":"emlog 5.3.1 Path Disclosure","Severity":"high","Description":"emlog v5.3.1 is susceptible to full path disclosure via t/index.php, which allows an attacker to see the path to the webroot/file.","Classification":{"CVSSScore":"7.5"}},"file_path":"cves/2021/CVE-2021-3293.yaml"}
{"ID":"CVE-2021-3297","Info":{"Name":"Zyxel NBG2105 V1.00(AAGU.2)C0 - Authentication Bypass","Severity":"high","Description":"Zyxel NBG2105 V1.00(AAGU.2)C0 devices are susceptible to authentication bypass vulnerabilities because setting the login cookie to 1 provides administrator access.","Classification":{"CVSSScore":"7.8"}},"file_path":"cves/2021/CVE-2021-3297.yaml"}
{"ID":"CVE-2021-33044","Info":{"Name":"Dahua IPC/VTH/VTO - Authentication Bypass","Severity":"critical","Description":"Some Dahua products contain an authentication bypass during the login process. Attackers can bypass device identity authentication by constructing malicious data packets.","Classification":{"CVSSScore":"9.8"}},"file_path":"cves/2021/CVE-2021-33044.yaml"}