‼ CVE-2021-46008 ‼
📖 Read
via "National Vulnerability Database".
In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet is function turned on.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46010 ‼
📖 Read
via "National Vulnerability Database".
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43664 ‼
📖 Read
via "National Vulnerability Database".
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46006 ‼
📖 Read
via "National Vulnerability Database".
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43142 ‼
📖 Read
via "National Vulnerability Database".
An XML External Entity (XXE) vulnerability exists in wuta jox 1.16 in the readObject method in JOXSAXBeanInput.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33208 ‼
📖 Read
via "National Vulnerability Database".
The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38362 ‼
📖 Read
via "National Vulnerability Database".
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26644 ‼
📖 Read
via "National Vulnerability Database".
Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25008 ‼
📖 Read
via "National Vulnerability Database".
totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45900 ‼
📖 Read
via "National Vulnerability Database".
Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate as victim and make state changing requests on their behalf.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33523 ‼
📖 Read
via "National Vulnerability Database".
MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33581 ‼
📖 Read
via "National Vulnerability Database".
MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26645 ‼
📖 Read
via "National Vulnerability Database".
A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46007 ‼
📖 Read
via "National Vulnerability Database".
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26646 ‼
📖 Read
via "National Vulnerability Database".
Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46009 ‼
📖 Read
via "National Vulnerability Database".
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24299 ‼
📖 Read
via "National Vulnerability Database".
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.📖 Read
via "National Vulnerability Database".
👏1
‼ CVE-2022-27496 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23183 ‼
📖 Read
via "National Vulnerability Database".
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28128 ‼
📖 Read
via "National Vulnerability Database".
Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20729 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.📖 Read
via "National Vulnerability Database".