29 Total Results
Displaying 1-10 of 29
Attacker Value
Unknown
CVE-2024-51758
Disclosure Date: November 07, 2024 (last updated February 27, 2025)
Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definit…
Attacker Value
Unknown
CVE-2024-47186
Disclosure Date: September 27, 2024 (last updated February 26, 2025)
Filament is a collection of full-stack components for Laravel development. Versions of Filament from v3.0.0 through v3.2.114 are affected by a cross-site scripting (XSS) vulnerability. If values passed to a `ColorColumn` or `ColumnEntry` are not valid and contain a specific set of characters, applications are vulnerable to XSS attack against a user who opens a page on which a color column or entry is rendered. Filament v3.2.115 fixes this issue.
Attacker Value
Unknown
CVE-2024-42485
Disclosure Date: August 12, 2024 (last updated February 26, 2025)
Filament Excel enables excel export for Filament admin resources. The export download route `/filament-excel/{path}` allowed downloading any file without login when the webserver allows `../` in the URL. Patched with Version v2.3.3.
Attacker Value
Unknown
CVE-2024-29098
Disclosure Date: March 19, 2024 (last updated February 26, 2025)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Calameo WP Calameo allows Stored XSS. This issue affects WP Calameo: from n/a through 2.1.7.
Attacker Value
Unknown
CVE-2023-26143
Disclosure Date: September 19, 2023 (last updated February 25, 2025)
Versions of the package blamer before 1.0.4 are vulnerable to Arbitrary Argument Injection via the blameByFile() API. The library does not sanitize user input or validate that the given file path conforms to a specific schema, nor does it properly pass command-line flags to the git binary using the double-dash POSIX characters (--) to communicate the end of options.
Attacker Value
Unknown
CVE-2015-10089
Disclosure Date: March 05, 2023 (last updated February 24, 2025)
A vulnerability classified as problematic has been found in flame.js. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The patch is named e6c49b5f6179e31a534b7c3264e1d36aa99728ac. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222291.
Attacker Value
Unknown
CVE-2020-28434
Disclosure Date: August 02, 2022 (last updated February 24, 2025)
This affects all versions of package gitblame. The injection point is located in line 15 in lib/gitblame.js.
Attacker Value
Unknown
CVE-2020-20796
Disclosure Date: September 30, 2021 (last updated February 23, 2025)
FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.
Attacker Value
Unknown
CVE-2020-20797
Disclosure Date: September 30, 2021 (last updated February 23, 2025)
FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.
Attacker Value
Unknown
CVE-2020-8137
Disclosure Date: March 20, 2020 (last updated February 21, 2025)
Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.