X-scripts Security Vulnerabilities


CVE-2006-2281

X-Scripts X-Poll (xpoll) 2.30 allows remote attackers to execute arbitrary PHP code by using admin/images/add.php to upload a PHP file, then access it.

7.7 AI Score

0.034 EPSS

2006-05-10 02:14 AM
38

CVE-2006-3950

SQL injection vulnerability in x-statistics.php in X-Scripts X-Statistics 1.20 allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.

8.8 AI Score

0.012 EPSS

2006-08-01 09:04 PM
27

CVE-2006-3959

SQL injection vulnerability in protect.php in X-Scripts X-Protection 1.10, with magic_quotes_gpc disabled, allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameter.

8.9 AI Score

0.008 EPSS

2006-08-01 09:04 PM
26

CVE-2006-3960

SQL injection vulnerability in top.php in X-Scripts X-Poll, probably 2.30, allows remote attackers to execute arbitrary SQL commands via the poll parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

8.4 AI Score

0.003 EPSS

2006-08-01 09:04 PM
20

CVE-2016-7038

In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed.

7.3 CVSS

7.1 AI Score

0.001 EPSS

2017-01-20 08:59 AM
29

CVE-2016-8642

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2017-01-20 08:59 AM
32

CVE-2016-8643

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

4.3 CVSS

4.9 AI Score

0.001 EPSS

2017-01-20 08:59 AM
33

CVE-2016-8644

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

5.3 CVSS

5.2 AI Score

0.001 EPSS

2017-01-20 08:59 AM
31

CVE-2017-2576

In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

5.3 CVSS

5.6 AI Score

0.001 EPSS

2017-01-20 08:59 AM
38

CVE-2017-2641

In Moodle 2.x and 3.x, SQL injection can occur via user preferences.

9.8 CVSS

9.7 AI Score

0.005 EPSS

2017-03-26 06:59 PM
61
2

CVE-2017-7489

In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.

6.3 CVSS

6 AI Score

0.001 EPSS

2017-05-15 02:29 PM
41

CVE-2017-7490

In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.

5.3 CVSS

5.6 AI Score

0.001 EPSS

2017-05-15 02:29 PM
36

CVE-2017-7491

In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.

4.3 CVSS

5.1 AI Score

0.001 EPSS

2017-05-15 02:29 PM
32