Recent Curesec Publications

Oxwall 1.8.0: XSS & Open Redirect
2016 Sep 15

Oxwall is a social networking software written in PHP. In version 1.8.0, it is vulnerable to multiple XSS attacks and a persistent open redirect. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection.   

Zenphoto 1.4.11: RFI
2016 Mar 15

Zenphoto is vulnerable to remote file inclusion. An admin account is required.  

PivotX 2.3.11: Reflected XSS
2016 Mar 15

PivotX is vulnerable to reflected XSS.  

PivotX 2.3.11: Directory Traversal
2016 Mar 15

PivotX is vulnerable to Directory Traversal, allowing authenticated users to read and delete files outside of the PivotX directory.  

PivotX 2.3.11: Code Execution
2016 Mar 15

PivotX is vulnerable to code execution by authenticated users as it does not check the extension of files when renaming them.  

BigTree 4.2.8: Object Injection & Improper Filename Sanitation
2016 Mar 15

BigTree 4.2.8 is vulnerable to object injection. The impact on the CMS itself is rather small, but installed plugins may increase the risk the vulnerability poses.  

Opendocman 1.3.4: HTML Injection
2016 Feb 01

There are various HTML Injection vulnerabilities in opendocman 1.3.4, leading to XSS, Phishing, and Privilege Escalation.  

Opendocman 1.3.4: CSRF
2016 Feb 01

Opendocman 1.3.4 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user.  

Atutor 2.2: XSS
2016 Feb 01

There are various XSS vulnerabilities in Atutor 2.2.  

Bigace 3.0: SQL Injection
2016 Jan 28

There is an SQL injection in Bigace. A user account with the lowest privilege level is required.