83 matches found
CVE-2026-34429
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF8...
CVE-2026-34429 Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF8...
CVE-2026-34429
Vvveb prior to 1.0.8.1 contains a stored cross-site scripting vulnerability that allows authenticated users with media upload and rename permissions to execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. Attackers can prepend a GIF8...
SUSE CVE-2026-21483
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user Super Admin views or previews this content, the...
CVE-2022-31210
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/setparam.cgi contains hardcoded credentials to the web application. Because these accounts cannot be deactivated or have their passwords changed, they are considered to be backdoor accounts...
CVE-2026-21483
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user Super Admin views or previews this content, the...
Improper Authorization
Overview potsky/pimp-my-log is a Log viewer for your web server. Affected versions of this package are vulnerable to Improper Authorization via the Account Creation Endpoint. An attacker can gain unauthorized administrative access and execute arbitrary JavaScript by exploiting the unsanitized...
EUVD-2019-16107
Malware in sbrugna...
EUVD-2019-11012
Malware in sbrugna...
EUVD-2015-2973
Malware in sbrugna...
EUVD-2015-2970
Malware in sbrugna...
EUVD-2017-17180
Malware in sbrugna...
EUVD-2022-52794
Malicious code in bioql PyPI...
AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.
...
CVE-2019-20467
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available which is not advertised or functionally used, but is nevertheless available. Two backdoor accounts root and default exist that can be used on this...
Korenix JetNet Use of Hard-coded Credentials (CVE-2020-12501)
Improper Authorization vulnerability of Korenix JetNet 5428G-20SFP, JetNet 5810G, JetNet 4706F, JetNet 4510, JetNet 5310, JetNet 4706, JetNet 5428G, JetNet 6095, JetNet 4706 use undocumented accounts. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot...
CVE-2022-32747
A CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause legitimate users to be locked out of devices or facilitate backdoor account creation by spoofing a device on the local network. Affected Products: EcoStruxure™ Cybersecurity Admin Expert CAE Versions prior to 2.2...
Cisco Talos shares insights related to recent cyber attack on Cisco
Update History Date | Description of Updates ---|--- Aug. 10th 2022| Adding clarifying details on activity involving active directory. Aug. 10th 2022| Update made to the Cisco Response and Recommendations section related to MFA. Executive summary On May 24, 2022, Cisco became aware of a potential...
CVE-2022-31210
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/setparam.cgi contains hardcoded credentials to the web application. Because these accounts cannot be deactivated or have their passwords changed, they are considered to be backdoor accounts...
CVE-2022-31210
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The binary file /usr/local/sbin/webproject/setparam.cgi contains hardcoded credentials to the web application. Because these accounts cannot be deactivated or have their passwords changed, they are considered to be backdoor accounts...