18 matches found
SUSE CVE-2025-70963
Gophish =0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user's long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
EUVD-2019-9568
Malware in sbrugna...
EUVD-2020-30240
Malware in sbrugna...
CVE-2020-9419
Multiple stored cross-site scripting XSS vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domainname parameters present in the LAN configuration section of the administrative dashboard...
CVE-2020-36698 Security & Malware scan by CleanTalk <= 2.50 - Missing Authorization
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes...
CVE-2020-9419
Multiple stored cross-site scripting XSS vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domainname parameters present in the LAN configuration section of the administrative dashboard...
Default credentials
The login password of the web administrative dashboard in Arcadyan Wifi routers VRV9506JAC23 is sent in cleartext, allowing an attacker to sniff and intercept traffic to learn the administrative credentials to the router...
Cross site scripting
Multiple stored cross-site scripting XSS vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domainname parameters present in the LAN configuration section of the administrative dashboard...
CVE-2020-9419
Multiple stored cross-site scripting XSS vulnerabilities in Arcadyan Wifi routers VRV9506JAC23 allow remote attackers to inject arbitrary web script or HTML via the hostName and domainname parameters present in the LAN configuration section of the administrative dashboard...
CVE-2020-9419
CVE-2020-9419 affects Arcadyan Wifi routers VRV9506JAC23. The stored XSS flaws occur in the LAN configuration section of the administrative dashboard, exploitable via hostName and domain_name parameters in the LAN config. Impact: remote XSS with payloads injected into admin UI; exploitation requi...
Merchandise Online Store 安全漏洞
Merchandise Online Store is a Merchandise Online Store system by Carlo Montero Personal Developer. A security vulnerability exists in Merchandise Online Store version v.1.0, which stems from a vertical privilege escalation issue that allows an attacker to access the administrative dashboard...
Privilege escalation
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users Subscriber or greater access to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wpajax...
CVE-2019-19980
The WordPress plugin, Email Subscribers & Newsletters, before 4.2.3 had a privilege bypass flaw that allowed authenticated users Subscriber or greater access to send test emails from the administrative dashboard on behalf of an administrator. This occurs because the plugin registers a wpajax...
Ninja Forms <= 3.3.21 - XSS and SQLi
Reflected XSS vulnerability in the administrative dashboard. Blind SQL injection vulnerability in the search filter on the submissions page...
CVE-2018-10086
CMS Made Simple CMSMS through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval'function testfunction'.rand" and it is possible to bypass certain restrictions on these "testfunction" functions...
X (Formerly Twitter): Blind XSS in Mobpub Marketplace Admin Production | Sentry via demand.mopub.com (User-Agent)
Summary: I've identified a Blind XSS vulnerability that fires in the Mobpub Marketplace Admin Production | Sentry dashboard and can be triggered by sending a HTTPS request to an endpoint from the domain demand.mopub.com. Description: I've sent the following HTTPS request to the following URL...
Uber: Stored XSS in drive.uber.com WordPress admin panel
There is another bug in the All In One Event Calendar plugin used on drive.uber.com. An attacker can inject arbitrary JavaScript in the administrative Dashboard of WordPress. The script would be evaluated under administrator privileges as only logged-in administrators can view the Dashboard. Such...
Cisco Secure Access Control Server Role-Based Access Control URL Lack of Protection Vulnerability
A vulnerability in the role-based access control RBAC implementation of the Cisco Secure Access Control Server ACS could allow an authenticated, remote attacker to impact the integrity of the system by modifying dashboard portlets that should be restricted. The vulnerability is due to improper...