CVE-2024-20482
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to elevate privileges on an affected device. To exploit this vulnerability, an attacker must...
CVE-2024-20463
CVE-2024-20463 affects the Cisco ATA 190 Series Analog Telephone Adapter firmware. The vulnerability stems from the HTTP server permitting state changes via GET requests in the web-based management interface, allowing an unauthenticated, remote attacker to modify configuration and reboot the devi...
CVE-2024-20458
The CVE-2024-20458 entry concerns Cisco ATA 190 Series Analog Telephone Adapter firmware. Affected: Cisco ATA 190 Series devices with web-based management interface. Vulnerability: lack of authentication on specific HTTP endpoints enables an unauthenticated, remote attacker to view or delete the ...
DEBIAN-CVE-2024-22034
Attackers could place the special files that osc keeps in .osc (e.g. apiurl) into the actual package sources. This allows the attacker to change the configuration of osc for the victim...
CVE-2020-36834
The CVE-2020-36834 entry concerns the Discount Rules for WooCommerce plugin for WordPress. Affected: plugin versions up to and including 2.0.2. The flaw is missing authorization due to insufficient capability checks on several AJAX actions, enabling subscriber-level ...
CVE-2020-36834 Discount Rules for WooCommerce <= 2.0.2 - Missing Authorization
The Discount Rules for WooCommerce plugin for WordPress is vulnerable to missing authorization via several AJAX actions in versions up to, and including, 2.0.2 due to missing capability checks on various functions. This makes it possible for subscriber-level attackers to execute various actions a...
F5 Networks BIG-IP : BIG-IP monitors vulnerability (K000140061)
The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.10.5 / 16.1.5 / 17.1.1.4. It is, therefore, affected by a vulnerability as referenced in the K000140061 advisory. BIG-IP monitor functionality may allow an authenticated attacker with at least Manager role privileges ...
Cisco ATA 190 Security Vulnerability
The Cisco ATA 190 is an analog telephone adapter from Cisco. A security vulnerability exists in the Cisco ATA 190 because its HTTP server allows state changes via GET requests. An unauthenticated, remote attacker could exploit this vulnerability to modify the configuration or rebo...
CVE-2024-8889
CVE-2024-8889 affects CIRCUTOR TCP2RS+ firmware v1.3b. The root cause is improper input validation that lets an attacker modify any configuration value via UDP port 2000 without authentication, even if user/password is enabled, deconfiguring the device and causing it to be unusable. The issue imp...
CIRCUTOR TCP2RS+ Security Vulnerability
CIRCUTOR TCP2RS+ is an Ethernet converter from CIRCUTOR. A security vulnerability exists in CIRCUTOR TCP2RS+ version 1.3b: an attacker can modify any configuration value without authentication, resulting in invalidating the device's configuration a...
CVE-2024-20381
A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the...
CVE-2024-20381
CVE-2024-20381 involves a JSON-RPC API authorization bypass in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD, used by web interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN routers. The root cause is improper authorization checks on the API, allowing an authenticate...
Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability
A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the...
CVE-2024-23906
Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator's session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to...
CVE-2024-23906
CVE-2024-23906 affects Gallagher Controller 6000 and Controller 7000. The flaw is Improper Neutralization of Input During Web Page Generation (CWE-79) in the diagnostic webpage, allowing an attacker to modify controller configuration during an authenticated Operator’s session. The issue impacts m...
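The pattern behind CVE-2024-23906, shown in Go as an added example (not code from Gallagher or from the advisory): a diagnostic page that concatenates a request parameter straight into HTML, beside the same page rendered through html/template, which escapes the value for the context it lands in. The payload, the page layout and the function names are constructed for illustration and do not describe the Controller's actual firmware.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed attacker input: a "hostname" parameter carrying a script tag.
// Reflected unescaped, it runs in the operator's authenticated session and
// can drive the same configuration forms the operator can.
const constructedPayload = `ata<script>fetch('/config?reboot=1')</script>`

// renderDiagUnsafe mirrors the CWE-79 pattern: the request parameter is
// concatenated straight into the page.
func renderDiagUnsafe(host string) string {
	return "<h1>Diagnostics for " + host + "</h1>"
}

// diagTmpl is parsed once; html/template escapes each value for the HTML
// context it lands in (text node here).
var diagTmpl = template.Must(template.New("diag").Parse("<h1>Diagnostics for {{.}}</h1>"))

// renderDiagSafe renders the same page through html/template, which
// neutralises the markup before it reaches the browser.
func renderDiagSafe(host string) (string, error) {
	var sb strings.Builder
	if err := diagTmpl.Execute(&sb, host); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// reflectsScript is the check to script over responses during a review:
// does a literal <script> survive rendering?
func reflectsScript(page string) bool {
	return strings.Contains(page, "<script>")
}

func main() {
	unsafe := renderDiagUnsafe(constructedPayload)
	safe, err := renderDiagSafe(constructedPayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe reflects <script>:", reflectsScript(unsafe))
	fmt.Println("safe reflects <script>:  ", reflectsScript(safe))
	fmt.Println(safe)
}
```

The escaping is only half of the fix the advisory implies: a diagnostic page that can change configuration during an operator session also needs the state-changing requests themselves to carry a CSRF token, otherwise a script that does get in has nothing to stop it.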
CVE-2024-37382
An issue discovered in import host feature in Ab Initio Metadata Hub and Authorization Gateway before 4.3.1.1 allows attackers to run arbitrary code via crafted modification of server configuration...
gotortc vulnerable to Cross-Site Request Forgery
gotortc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The /api/config endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an...
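Three of the web-management weaknesses listed above share one handler-level fix: state changes accepted on GET requests (the Cisco ATA 190 entries for CVE-2024-20463), management endpoints with no authentication at all (CVE-2024-20458), and the gotortc CSRF against a localhost-only /api/config that trusts any request arriving from the loopback interface. As an added example, not code from Cisco, gotortc or any vendor listed here, the Go handlers below contrast the weak pattern with a hardened one that requires POST, rejects cross-site requests using the browser's Sec-Fetch-Site and Origin headers, and checks a bearer token. The /config path, the token and the sample requests are constructed for illustration; the token stands in for whatever session mechanism a real device uses.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// deviceConfig stands in for management state an attacker could change
// (a hostname here; on the real devices, anything up to a reboot).
type deviceConfig struct {
	mu       sync.Mutex
	hostname string
}

func (c *deviceConfig) set(h string) { c.mu.Lock(); c.hostname = h; c.mu.Unlock() }
func (c *deviceConfig) get() string  { c.mu.Lock(); defer c.mu.Unlock(); return c.hostname }

// newUnsafeMux models the weak pattern: /config changes state on any method
// and without authentication, so one GET (typed in, or loaded by an <img> tag
// on an attacker's page) reconfigures the device.
func newUnsafeMux(cfg *deviceConfig) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) {
		if h := r.FormValue("hostname"); h != "" { // query string or body
			cfg.set(h)
		}
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// crossSite reports whether browser-supplied metadata marks the request as
// coming from another origin. Non-browser clients send neither header and
// are left to the authentication check.
func crossSite(r *http.Request) bool {
	switch r.Header.Get("Sec-Fetch-Site") {
	case "", "same-origin", "none":
	default:
		return true
	}
	if o := r.Header.Get("Origin"); o != "" {
		return !strings.HasSuffix(o, "://"+r.Host)
	}
	return false
}

// newHardenedMux adds the controls the listed flaws lack: state changes only
// on POST, a same-origin check, and a bearer token (hypothetical stand-in for
// the device's real session mechanism) compared in constant time.
func newHardenedMux(cfg *deviceConfig, token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/config", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "state changes require POST", http.StatusMethodNotAllowed)
			return
		}
		if crossSite(r) {
			http.Error(w, "cross-site request refused", http.StatusForbidden)
			return
		}
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		if h := r.PostFormValue("hostname"); h != "" { // body only, never the URL
			cfg.set(h)
		}
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// send drives a handler with a constructed request and returns the status
// code. A non-empty body is sent as a URL-encoded form.
func send(h http.Handler, method, target, body string, hdr map[string]string) int {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if body != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	var weak, hard deviceConfig
	fmt.Println("unsafe GET   :", send(newUnsafeMux(&weak), "GET", "/config?hostname=evil", "", nil), weak.get())
	h := newHardenedMux(&hard, "example-token")
	auth := map[string]string{"Authorization": "Bearer example-token"}
	fmt.Println("hardened GET :", send(h, "GET", "/config?hostname=evil", "", nil))
	fmt.Println("no token     :", send(h, "POST", "/config", "hostname=evil", nil))
	fmt.Println("cross-site   :", send(h, "POST", "/config", "hostname=evil",
		map[string]string{"Authorization": "Bearer example-token", "Sec-Fetch-Site": "cross-site"}))
	fmt.Println("legitimate   :", send(h, "POST", "/config", "hostname=ata190", auth), hard.get())
}
```

The order of the checks matters for the gotortc case: a browser on the same machine reaches a loopback-only listener, so "request came from localhost" is not an authentication decision, and the origin check has to run before any implicit trust is granted. Restricting the mutation to POST alone is not sufficient either, since a cross-site form POST is trivial; the Sec-Fetch-Site/Origin check is what actually closes the CSRF path for browser clients.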