231 matches found
CVE-2023-4523
Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to run any JavaScript reference from the URL string. If this were to occur, the gateway's HTTP interface would redirect to the main page, which is index.htm...
CVE-2023-4523 Real Time Automation 460 Series Cross-site Scripting
Real Time Automation 460 Series products with versions prior to v8.9.8 are vulnerable to cross-site scripting, which could allow an attacker to run any JavaScript reference from the URL string. If this were to occur, the gateway's HTTP interface would redirect to the main page, which is index.htm...
PT-2023-29465 · Real Time Automation · Real Time Automation 460 Series
Name of the Vulnerable Software and Affected Versions: Real Time Automation 460 Series products versions prior to 8.9.8. Description: The issue allows an attacker to run any JavaScript reference from the URL string, which could lead to a cross-site scripting attack. If this occurs, the gateway's...
MikroTik RouterOS < 6.49.8 Privilege Escalation Vulnerability
MikroTik RouterOS is prone to a privilege escalation vulnerability.
CVE-2023-30799 MikroTik RouterOS Administrator Privilege Escalation
MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary...
PT-2023-3875
Name of the Vulnerable Software and Affected Versions: MikroTik RouterOS versions prior to 6.49.7; MikroTik RouterOS long-term versions prior to 6.48.7. Description: The issue is related to a privilege escalation problem in the Winbox and HTTP interfaces of MikroTik RouterOS. A remote and authenticat...
SUSE CVE-2013-3565
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlmcmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which ...
This Week in Spring - January 31st, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm not going to spend too much time here in the preamble because (a) today's both my birthday and my late father's birthday and (b) I got the worst gift ever: COVID-19. Sigh. So, I'm going back to bed. Without further ado, let's...
XAPI open file limit DoS
ISSUE DESCRIPTION: It is possible for an unauthenticated client on the network to cause XAPI to hit its file-descriptor limit. This causes XAPI to be unable to accept new requests for other trusted clients, and blocks XAPI from carrying out any tasks that require the opening of file descriptors...
PT-2022-5004 · Hitachi Energy · Hitachi Energy Msm
Name of the Vulnerable Software and Affected Versions: Hitachi Energy MSM versions V2.2 and prior. Description: A vulnerability exists in the HTTP web interface where it does not validate data in an HTTP header, leading to a possible HTTP response splitting. This could allow an attacker to channel...
Exploit for OS Command Injection in Zyxel Usg_Flex_100W_Firmware
CVE-2022-30525 by 1vere$k. Rapid7 discovered and reported a...
CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection
Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and...
CVE-2022-26251
The HTTP interface of Synaman v5.1 and below was discovered to allow authenticated attackers to execute arbitrary code and escalate privileges...
Code injection
The HTTP interface of Synaman v5.1 and below was discovered to allow authenticated attackers to execute arbitrary code and escalate privileges...
CVE-2022-26251
The HTTP interface of Synaman v5.1 and below was discovered to allow authenticated attackers to execute arbitrary code and escalate privileges...
CVE-2022-26251
CVE-2022-26251 affects SynaMan v5.1 and earlier. The HTTP interface is vulnerable to authenticated code execution and privilege escalation. Root cause/details are not explicitly described in the provided sources; no remediation steps are listed here. If available, patch/version info should be con...
Synametrics Technologies SynaMan Security Vulnerability
Synametrics Technologies SynaMan is a remote file manager from Synametrics Technologies. A security vulnerability exists in Synametrics Technologies SynaMan v5.1 and below, which can be exploited by an authenticated attacker to execute arbitrary code and elevate privileges via the HTTP interface...
pfSense Diag Routes Web Shell Upload
This module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions use exploit/unix/http/pfsensediagrouteswebshell msf exploitpfsensediagrouteswebshell show targets ...targets... msf exploitpfsensediagrouteswebshell set...
pfSense 2.5.2 Shell Upload Exploit
This Metasploit module exploits an arbitrary file creation vulnerability in the pfSense HTTP interface (CVE-2021-41282). The vulnerability affects versions 2.5.2 and below and can be exploited by an authenticated user if they have the "WebCfg - Diagnostics: Routing tables" privilege. This module us...
CVE-2021-35227
The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available...