CVE Notify
19.2K subscribers
4 photos
195K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2022-26258
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.

πŸŽ–@cveNotify
🚨 CVE-2021-46006
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication.

πŸŽ–@cveNotify
🚨 CVE-2021-46007
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.

πŸŽ–@cveNotify
🚨 CVE-2021-46008
In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the telnet is function turned on.

πŸŽ–@cveNotify
🚨 CVE-2021-46009
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.

πŸŽ–@cveNotify
🚨 CVE-2021-46010
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.

πŸŽ–@cveNotify
🚨 CVE-2022-26643
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.

πŸŽ–@cveNotify
🚨 CVE-2021-44595
Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.

πŸŽ–@cveNotify
🚨 CVE-2021-44596
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges

πŸŽ–@cveNotify
🚨 CVE-2022-28568
Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images are stored.

πŸŽ–@cveNotify
🚨 CVE-2022-29347
An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.

πŸŽ–@cveNotify
🚨 CVE-2021-43712
Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.

πŸŽ–@cveNotify
🚨 CVE-2022-28932
D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.

πŸŽ–@cveNotify
🚨 CVE-2022-30014
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.

πŸŽ–@cveNotify
🚨 CVE-2022-28944
Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. The attack vector is: To exploit this vulnerability, a user must trigger an update of an affected installation of EMCO Software. ΒΆΒΆ Multiple products from EMCO Software are affected by a remote code execution vulnerability during the update process.

πŸŽ–@cveNotify
🚨 CVE-2022-24238
ACEweb Online Portal 3.5.065 was discovered to contain a cross-site scripting (XSS) vulnerability via the txtNmName1 parameter in person.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24239
ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp.

πŸŽ–@cveNotify