An issue was discovered in Elementor 2.7.4. Arbitrary file upload is possible in the Elementor Import Templates function, allowing an attacker to execute code via a crafted ZIP archive.

The default configuration in the Dynamic Content Elements (dce) extension before 0.11.5 for TYPO3 allows remote attackers to obtain sensitive installation environment information by reading the update check request.

c-lightning before 0.7.1 allows attackers to trigger loss of funds because of Incorrect Access Control. NOTE: README.md states "It can be used for testing, but it should not be used for real funds."

The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user.

The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new template.

The elementor-edit-template class in wp-admin/customize.php in the Elementor Pro plugin before 2.0.10 for WordPress has XSS.

The elementor plugin before 1.8.0 for WordPress has incorrect access control for internal functions.

Cognitoys Dino devices allow profiles_add.html CSRF.

Cognitoys Dino devices allow XSS via the SSID.

Child Care Script 1.0 has SQL Injection via the /list city parameter.