Source: Prion | added 2021/04/13 7:15 p.m. | 9 views

Cross site scripting

SAP Manufacturing Execution System Rules, versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution System Rules tab does not sufficiently encode some parameters, resulting in Stored...

CVSS 3.5 | AI score 5.4 | EPSS 0.00222 | Exploits 0 | References 2 | Affected Software 1

Source: Cvelist | added 2021/04/13 6:43 p.m. | 28 views

CVE-2021-27600

SAP Manufacturing Execution System Rules, versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution System Rules tab does not sufficiently encode some parameters, resulting in Stored...

CVSS 6.4 | AI score 5.7 | EPSS 0.00222 | Exploits 0 | References 2

Source: CVE | added 2021/04/13 6:43 p.m. | 33 views

CVE-2021-27600

SAP Manufacturing Execution (System Rules) versions 15.1–15.4 are affected by a Stored XSS vulnerability caused by insufficient encoding of certain HTTP parameters in the System Rules tab. An authorized attacker could embed malicious code into HTTP parameters and have it processed by the server, ...

CVSS 6.4 | AI score 5.4 | EPSS 0.00222 | Exploits 0 | References 2 | Affected Software 1

Source: NVD | added 2021/02/12 9:15 p.m. | 12 views

CVE-2021-26752

NeDi 1.9C allows an authenticated user to execute operating system commands in the Nodes Traffic function on the endpoint /Nodes-Traffic.php via the md or ag HTTP GET parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data...

CVSS 8.8 | EPSS 0.01161 | Exploits 1 | References 1

Source: Hacker One | added 2020/10/18 11:28 p.m. | 14 views

Status.im: HTTP Parameter Pollution with semicolons in iframe allows loading external Greenhouse forms

Summary: Status.im uses Greenhouse for job applications, specifically the older Greenhouse integration which relies on iframes. The ghjid URL parameter is used to load the correct form in the iframe. HTML characters are escaped, but using semicolons you can inject URL parameters into the iframe v...

AI score 5.8 | Exploits 0

Source: Kitploit | added 2020/08/24 12:30 p.m. | 34 views

Parth - Heuristic Vulnerable Parameter Scanner

Some HTTP parameter names are more commonly associated with one functionality than the others. For example, the parameter ?url= usually contains URLs as the value and hence often falls victim to file inclusion, open redirect and SSRF attacks. Parth can go through your burp history, a list of URLs...

AI score 7.4 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 19 views

Advantech iView DeviceTreeTable checkForChassisUpdates SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the checkForChassisUpdates method of the DeviceTreeTable clas...

CVSS 9.8 | AI score 3 | EPSS 0.01682 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 23 views

Advantech iView LinksTable retrieveSearchLinks SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the retrieveSearchLinks method of the LinksTable class. When...

CVSS 9.8 | AI score 2.8 | EPSS 0.01682 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 29 views

Advantech iView PSTable getPSInventoryExportData SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the getPSInventoryExportData method of the PSTable class. Whe...

CVSS 9.8 | AI score 3 | EPSS 0.01682 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 19 views

Advantech iView TaskMgrTable getExportDataDetails SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the getExportDataDetails method of the TaskMgrTable class. Wh...

CVSS 9.8 | AI score 2.5 | EPSS 0.01682 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 18 views

Advantech iView TrapTable retrieveActiveTrapCount SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the retrieveActiveTrapCount method of the TrapTable class. Wh...

CVSS 9.8 | AI score 2.9 | EPSS 0.01682 | Exploits 0 | References 1

Source: Zero Day Initiative | added 2020/07/16 12:00 a.m. | 16 views

Advantech iView TrapEventConfig retrieveDeviceTrapConfig SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech iView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of calls to the retrieveDeviceTrapConfig method of the TrapEventConfig...

CVSS 9.8 | AI score 3.6 | EPSS 0.01682 | Exploits 0 | References 1

Source: CNVD | added 2020/03/24 12:00 a.m. | 3 views

ELOG Electronic Logbook Code Issue Vulnerability

ELOG is a web application written in C for creating personal and general purpose logs. A code issue vulnerability exists in the handling of HTTP parameters in ELOG Electronic Logbook version 3.1.4-283534d, which can be exploited by remote attackers to cause a denial of service via a specially...

CVSS 7.5 | AI score 7 | EPSS 0.01843 | Exploits 0 | References 1

Source: OSV | added 2020/03/23 9:15 p.m. | 2 views

CVE-2020-8859

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook 3.1.4-283534d. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HTTP parameters. A crafted request...

CVSS 7.5 | AI score 6.4 | EPSS 0.01843 | Exploits 0 | References 2

Source: IBM Security Bulletins | added 2020/03/20 12:13 p.m. | 20 views

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Network Manager (CVE-2019-4271)

Summary IBM WebSphere Application Server is a required product for IBM Tivoli Network Manager version 4.2. Information about IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

CVSS 3.5 | AI score 0.9 | EPSS 0.00174 | Exploits 0 | Affected Software 1

Source: IBM Security Bulletins | added 2020/02/28 3:36 a.m. | 21 views

Security Bulletin: HTTP Parameter Pollution and XSS vulnerability in WebSphere Application Server Admin Console which is shipped with Jazz for Service Management (CVE-2019-4271)

Summary There is a Client-side HTTP parameter pollution vulnerability and a Cross-site scripting vulnerability in WebSphere Application Server Admin Console. Vulnerability Details CVEID: CVE-2019-4271 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable...

CVSS 3.5 | AI score 0.2 | EPSS 0.00174 | Exploits 0 | Affected Software 1

Source: NVD | added 2020/02/26 4:15 p.m. | 10 views

CVE-2019-19986

An issue was discovered in Selesta Visual Access Manager VAM 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP POST or GET parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based this...

CVSS 7.5 | AI score 8 | EPSS 0.00844 | Exploits 1 | References 3

Source: Prion | added 2020/02/26 4:15 p.m. | 16 views

SQL injection

An issue was discovered in Selesta Visual Access Manager VAM 4.15.0 through 4.29. An attacker without authentication is able to execute arbitrary SQL SELECT statements by injecting the HTTP POST or GET parameter persoid into /tools/VamPersonPhoto.php. The SQL Injection type is Error-based this...

CVSS 5 | AI score 8 | EPSS 0.00844 | Exploits 1 | References 3 | Affected Software 1

Source: Zero Day Initiative | added 2020/02/12 12:00 a.m. | 22 views

ELOG Electronic Logbook drop-count Null Pointer Dereference Denial-of-Service Vulnerability

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HTTP parameters. A crafted request can trigger t...

CVSS 5.3 | AI score 1.7 | EPSS 0.01843 | Exploits 0

Source: IBM Security Bulletins | added 2020/01/28 8:50 p.m. | 18 views

Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager (CVE-2019-4271)

Summary WebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

CVSS 3.5 | AI score 0.9 | EPSS 0.00174 | Exploits 0 | Affected Software 1