Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium

Abuse Of Functionality

This page lists 77 vulnerabilities in this category.

Critical: 1 High: 52 Medium: 20 Low: 3 Information: 1
Vulnerability Name
CVE
CWE
Severity
Ivanti CSA Path Traversal (CVE-2024-8963/CVE-2024-8190)
CVE-2024-8190
CWE-22
Critical
Cross-site Scripting via File Upload
-
CWE-79
High
VirtueMart access control bypass
-
CWE-287
High
WordPress plugin WPtouch insecure nonce generation
-
CWE-287
High
Deserialization of Untrusted Data (XStream)
CVE-2020-26217
CWE-502
High
WordPress MailPoet Newsletters (wysija-newsletters) unauthenticated file upload
-
CWE-434
High
XSLT injection
-
CWE-91
High
Unrestricted file upload vulnerability in ofc_upload_image.php
CVE-2009-4140
CWE-434
High
Deserialization of Untrusted Data (.NET BinaryFormatter Object Deserialization)
-
CWE-502
High
Client-Side Prototype Pollution
-
-
High
webadmin.php script
-
CWE-552
High
Unrestricted File Upload
-
CWE-434
High
Prototype pollution
-
-
High
Deserialization of Untrusted Data (Java JSON Deserialization) Jackson
CVE-2017-7525
CWE-502
High
Python pickle serialization
-
CWE-502
High
Deserialization of Untrusted Data (Java Object Deserialization)
-
CWE-502
High
Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO
-
CWE-502
High
Unprotected phpMyAdmin interface
-
CWE-205
High
XML entity injection
-
CWE-611
High
XML external entity injection and XML injection
-
CWE-611
High
XML external entity injection
-
CWE-611
High
XML External Entity Injection via external file
-
CWE-611
High
XML external entity injection via File Upload
-
CWE-611
High
XML external entity injection (variant)
-
CWE-611
High
Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson
-
CWE-502
High
Unrestricted access to Haproxy Data Plane API
-
CWE-200
High
Uncontrolled format string
-
CWE-134
High
Apache Tomcat JK connector security bypass
CVE-2007-1860
CWE-200
High
TCPDF arbitrary file read
-
CWE-98
High
WordPress plugin All in One SEO Pack privilege escalation vulnerabilities
-
CWE-269
High
AngularJS client-side template injection
-
CWE-79
High
File upload XSS (Java applet)
-
CWE-79
High
Web Cache Deception
-
-
High
WordPress plugin Custom Contact Forms critical vulnerability
-
CWE-287
High
DotNetNuke multiple vulnerabilities
CVE-2012-1030
CWE-79
High
Email Header Injection
-
CWE-20
High
Email injection
-
CWE-20
High
Database User Has Admin Privileges
-
CWE-267
High
node-serialize Insecure Deserialization
CVE-2017-5941
CWE-502
High
Unsafe use of Reflection
-
CWE-470
High
JIRA Security Advisory 2013-02-21
-
CWE-22
High
MongoDB $where operator JavaScript injection
-
CWE-943
High
JSP authentication bypass
-
CWE-287
High
Java Debug Wire Protocol remote code execution
-
CWE-94
High
MediaWiki chunked uploads security issue
CVE-2013-2114
CWE-434
High
MongoDB injection
-
CWE-943
High
Server-side JavaScript injection
-
CWE-20
High
Multiple vulnerabilities reported in Parallels Plesk Sitebuilder
-
CWE-94
High
Email Header Injection (Invicti IAST)
-
CWE-20
High
Rails mass assignment
-
CWE-915
High
Http redirect security bypass
-
CWE-20
High
Authentication bypass via MongoDB operator injection
-
CWE-943
High
Deserialization of Untrusted Data (Java JSON Deserialization) Genson
-
CWE-502
High
URL rewrite vulnerability
CVE-2018-14773
CWE-436
Medium
Insecure usage of Version 1 UUID/GUID
-
CWE-328
Medium
Oracle E-Business Suite Frame Injection (CVE-2017-3528)
CVE-2017-3528
CWE-601
Medium
PHP mail function ASCII control character header spoofing vulnerability
CVE-2002-0986
CWE-20
Medium
PHP unserialize() used on user input
-
CWE-20
Medium
PHP super-globals-overwrite
-
CWE-1108
Medium
File tampering
-
CWE-20
Medium
HTML form susceptible to spam
-
CWE-20
Medium
HTML Injection
-
CWE-80
Medium
Host header attack
-
CWE-20
Medium
JSF ViewState client side storage
-
CWE-693
Medium
Same origin method execution (SOME)
-
CWE-20
Medium
User controllable charset
-
CWE-20
Medium
WordPress XML-RPC authentication brute force
-
CWE-521
Medium
Java object deserialization of user-supplied data
-
CWE-20
Medium
PHP object deserialization of user-supplied data
-
CWE-20
Medium
User-controlled form action
-
CWE-20
Medium
PHP curl_exec() url is controlled by user
CVE-2009-0037
CWE-352
Medium
PHP preg_replace used on user input
-
CWE-20
Medium
Python object deserialization of user-supplied data
-
CWE-20
Medium
HTML Attribute Injection
-
CWE-80
Low
Ruby on Rails CookieStore session cookie persistence
-
CWE-284
Low