CVE Notify
19.2K subscribers
4 photos
195K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2022-24238
ACEweb Online Portal 3.5.065 was discovered to contain a cross-site scripting (XSS) vulnerability via the txtNmName1 parameter in person.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24239
ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24240
ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24241
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.

πŸŽ–@cveNotify
🚨 CVE-2022-24581
ACEweb Online Portal 3.5.065 allows unauthenticated SMB hash capture via UNC. By specifying the UNC file path of an external SMB share when uploading a file, an attacker can induce the victim server to disclose the username and password hash of the user executing the ACEweb Online software.

πŸŽ–@cveNotify
🚨 CVE-2022-27438
Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. To exploit this vulnerability, a user must start an affected installation to trigger the update check.

πŸŽ–@cveNotify
🚨 CVE-2021-42675
Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution.

πŸŽ–@cveNotify
🚨 CVE-2022-30023
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function.

πŸŽ–@cveNotify
🚨 CVE-2022-31382
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php.

πŸŽ–@cveNotify
🚨 CVE-2022-31383
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter in view-directory.php.

πŸŽ–@cveNotify
🚨 CVE-2022-31384
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.

πŸŽ–@cveNotify
🚨 CVE-2022-24562
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.

πŸŽ–@cveNotify
🚨 CVE-2021-45024
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).

πŸŽ–@cveNotify
🚨 CVE-2021-45025
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cleartext Storage of Sensitive Information in a Cookie.

πŸŽ–@cveNotify
🚨 CVE-2022-32384
Tenda AC23 v16.03.07.44 was discovered to contain a stack overflow via the security_5g parameter in the function formWifiBasicSet.

πŸŽ–@cveNotify
🚨 CVE-2022-33075
A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors.

πŸŽ–@cveNotify
🚨 CVE-2022-32385
Tenda AC23 v16.03.07.44 is vulnerable to Stack Overflow that will allow for the execution of arbitrary code (remote).

πŸŽ–@cveNotify