CVE Notify
19.2K subscribers
4 photos
195K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2021-46010
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations.

πŸŽ–@cveNotify
🚨 CVE-2022-26643
An issue in EasyIO CPT Graphics v0.8 allows attackers to discover valid users in the application.

πŸŽ–@cveNotify
🚨 CVE-2021-44595
Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges.

πŸŽ–@cveNotify
🚨 CVE-2021-44596
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges

πŸŽ–@cveNotify
🚨 CVE-2022-28568
Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images are stored.

πŸŽ–@cveNotify
🚨 CVE-2022-29347
An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.

πŸŽ–@cveNotify
🚨 CVE-2021-43712
Stored XSS in Add New Employee Form in Sourcecodester Employee Daily Task Management System 1.0 Allows Remote Attacker to Inject/Store Arbitrary Code via the Name Field.

πŸŽ–@cveNotify
🚨 CVE-2022-28932
D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.

πŸŽ–@cveNotify
🚨 CVE-2022-30014
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF) which allows anyone to takeover admin/moderater account.

πŸŽ–@cveNotify
🚨 CVE-2022-28944
Certain EMCO Software products are affected by: CWE-494: Download of Code Without Integrity Check. This affects MSI Package Builder for Windows 9.1.4 and Remote Installer for Windows 6.0.13 and Ping Monitor for Windows 8.0.18 and Remote Shutdown for Windows 7.2.2 and WakeOnLan 2.0.8 and Network Inventory for Windows 5.8.22 and Network Software Scanner for Windows 2.0.8 and UnLock IT for Windows 6.1.1. The impact is: execute arbitrary code (remote). The component is: Updater. The attack vector is: To exploit this vulnerability, a user must trigger an update of an affected installation of EMCO Software. ΒΆΒΆ Multiple products from EMCO Software are affected by a remote code execution vulnerability during the update process.

πŸŽ–@cveNotify
🚨 CVE-2022-24238
ACEweb Online Portal 3.5.065 was discovered to contain a cross-site scripting (XSS) vulnerability via the txtNmName1 parameter in person.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24239
ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24240
ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24241
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24581
ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software.

πŸŽ–@cveNotify
🚨 CVE-2022-27438
Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. To exploit this vulnerability, a user must start an affected installation to trigger the update check.

πŸŽ–@cveNotify