‼ CVE-2021-33208 ‼
📖 Read
via "National Vulnerability Database".
The "Register an Ehcache Configuration File" admin feature in MashZone NextGen through 10.7 GA allows XXE attacks via a malicious XML configuration file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38362 ‼
📖 Read
via "National Vulnerability Database".
In RSA Archer 6.x through 6.9 SP3 (6.9.3.0), an authenticated attacker can make a GET request to a REST API endpoint that is vulnerable to an Insecure Direct Object Reference (IDOR) issue and retrieve sensitive data.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26644 ‼
📖 Read
via "National Vulnerability Database".
Online Banking System Protect v1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via parameters on user profile, system_info and accounts management.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25008 ‼
📖 Read
via "National Vulnerability Database".
totolink EX300_v2 V4.0.3c.140_B20210429 and EX1200T V4.1.2cu.5230_B20210706 does not contain an authentication mechanism.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45900 ‼
📖 Read
via "National Vulnerability Database".
Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs can be successfully executed without proper authentication. This can let an attacker impersonate as victim and make state changing requests on their behalf.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33523 ‼
📖 Read
via "National Vulnerability Database".
MashZone NextGen through 10.7 GA allows a remote authenticated user, with access to the admin console, to upload a new JDBC driver that can execute arbitrary commands on the underlying host. This occurs in com.idsscheer.ppmmashup.business.jdbc.DriverUploadController.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33581 ‼
📖 Read
via "National Vulnerability Database".
MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26645 ‼
📖 Read
via "National Vulnerability Database".
A remote code execution (RCE) vulnerability in Online Banking System Protect v1.0 allows attackers to execute arbitrary code via a crafted PHP file uploaded through the Upload Image function.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46007 ‼
📖 Read
via "National Vulnerability Database".
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26646 ‼
📖 Read
via "National Vulnerability Database".
Online Banking System Protect v1.0 was discovered to contain a local file inclusion (LFI) vulnerability via the pages parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-46009 ‼
📖 Read
via "National Vulnerability Database".
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24299 ‼
📖 Read
via "National Vulnerability Database".
Improper input validation vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command.📖 Read
via "National Vulnerability Database".
👏1
‼ CVE-2022-27496 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in Zero-channel BBS Plus v0.7.4 and earlier allows a remote attacker to inject an arbitrary script via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-23183 ‼
📖 Read
via "National Vulnerability Database".
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-28128 ‼
📖 Read
via "National Vulnerability Database".
Untrusted search path vulnerability in AttacheCase ver.3.6.1.0 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-20729 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions 2.5.2 and earlier, and pfSense Plus software versions 21.05 and earlier) allows a remote attacker to inject an arbitrary script via a malicious URL.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-26019 ‼
📖 Read
via "National Vulnerability Database".
Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1191 ‼
📖 Read
via "National Vulnerability Database".
SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-22986 ‼
📖 Read
via "National Vulnerability Database".
Netcommunity OG410X and OG810X series (Netcommunity OG410Xa, OG410Xi, OG810Xa, and OG810Xi firmware Ver.2.28 and earlier) allow an attacker on the adjacent network to execute an arbitrary OS command via a specially crafted config file.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25348 ‼
📖 Read
via "National Vulnerability Database".
Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 and earlier allows an attacker to gain privileges and execute arbitrary code via a Trojan horse DLL in an unspecified directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-25915 ‼
📖 Read
via "National Vulnerability Database".
Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-1900GST firmware v1.03 and prior, WRC-2533GST firmware v1.03 and prior, WRC-2533GSTA firmware v1.03 and prior, WRC-2533GST2 firmware v1.25 and prior, WRC-2533GST2SP firmware v1.25 and prior, WRC-2533GST2-G firmware v1.25 and prior, and EDWRC-2533GST2 firmware v1.25 and prior) allows a network-adjacent authenticated attacker to bypass access restriction and to access the management screen of the product via unspecified vectors.📖 Read
via "National Vulnerability Database".