254 matches found

0day.today
added 2024/08/07 12:0 a.m., 124 views

Dolphin 7.4.2 Blind SQL Injection Vulnerability

Exploit Title: Blind SQL Injection - dolphinv7.4.2. Date: 8/2024 Exploit Author: Andrey Stoykov Version: 7.4.2 Tested on: Ubuntu 22.04 Blog: https://msecureltd.blogspot.com/2024/07/friday-fun-pentest-series-8-dolphinv742.html SQL Injection: Steps to Reproduce: 1. Navigate to "Builders" menu 2. Th...

7.4 AI score
Exploits: 0

OSV
added 2024/05/15 6:15 p.m., 0 views

CVE-2024-20369

A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator NSO could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of a parameter in an HTTP request. An...

6.1 CVSS, 5.8 AI score
Exploits: 0, References: 1

CNNVD
added 2024/05/15 12:0 a.m., 2 views

Cisco Crosswork Network Services Orchestrator Security Vulnerability

Cisco Crosswork Network Services Orchestrator is a network services orchestrator from Cisco USA. A security vulnerability exists in Cisco Crosswork Network Services Orchestrator that originates from improper validation of parameter inputs in HTTP requests, allowing an unauthenticated, remote...

6.1 CVSS, 6.7 AI score, 0.00221 EPSS
Exploits: 0, References: 2

Veracode
added 2024/05/02 6:27 a.m., 15 views

HTTP Parameter Tampering

github.com/navidrome/navidrome is vulnerable to HTTP Parameter Tampering. The vulnerability is due to improper parameter validation within HTTP requests. An attacker can impersonate other users and perform unauthorized actions such as creating playlists, adding songs, posting comments, and changi...

4.2 CVSS, 6.8 AI score, 0.00347 EPSS
Exploits: 1, References: 2, Affected Software: 1

Exploit DB
added 2024/04/08 12:0 a.m., 331 views

Daily Expense Manager 1.0 - 'term' SQLi

Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi Date: February 25th, 2024 Exploit Author: Stefan Hesselman Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ Software Link:...

7.4 AI score
Exploits: 0

Packet Storm
added 2024/04/08 12:0 a.m., 248 views

Daily Expense Manager 1.0 SQL Injection

Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi Date: February 25th, 2024 Exploit Author: Stefan Hesselman Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ Software Link:...

7.4 AI score
Exploits: 0

0day.today
added 2024/04/08 12:0 a.m., 257 views

Daily Expense Manager 1.0 - (term) SQL injection Vulnerability

Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi Exploit Author: Stefan Hesselman Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ Software Link: https://download-media.code-projects.org/2020/01/DAILYEXPENSEMANAGERINPHPWITHSOURCECODE.zip Version: 1.0...

7.4 AI score
Exploits: 0

Cvelist
added 2024/01/17 3:56 p.m., 14 views

CVE-2024-0396 Missing Server-Side Input Validation in HTTP Parameter

In Progress MOVEit Transfer versions released before 2022.0.10 14.0.10, 2022.1.11 14.1.11, 2023.0.8 15.0.8, 2023.1.3 15.1.3, an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational...

7.1 CVSS, 6.9 AI score, 0.00161 EPSS
Exploits: 0, References: 2

Vulnrichment
added 2024/01/17 3:56 p.m., 17 views

CVE-2024-0396 Missing Server-Side Input Validation in HTTP Parameter

In Progress MOVEit Transfer versions released before 2022.0.10 14.0.10, 2022.1.11 14.1.11, 2023.0.8 15.0.8, 2023.1.3 15.1.3, an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational...

7.1 CVSS, 6.6 AI score, 0.00161 EPSS
Exploits: 0, References: 2

NVD
added 2023/12/25 6:15 a.m., 8 views

CVE-2022-39822

In NOKIA NFM-T R19.9, a SQL Injection vulnerability occurs in /cgi-bin/R19.9/easy1350.pl of the VM Manager WebUI via the id or host HTTP GET parameter. An authenticated attacker is required for exploitation...

8.8 CVSS, 0.00096 EPSS
Exploits: 1, References: 1

Source Incite
added 2023/11/08 12:0 a.m., 251 views

SRC-2023-0004 : Apache Struts Security Feature Bypass Remote Code Execution Vulnerability

Vulnerability Details: This vulnerability may allow remote attackers to execute arbitrary code on applications utilizing affected installations of Apache Struts. Depending on the context, authentication may not be required to exploit this vulnerability. The specific flaw exists within the...

9.8 CVSS, 9.8 AI score, 0.92896 EPSS
Exploits: 15

NVD
added 2023/10/16 6:15 a.m., 26 views

CVE-2023-36950

TOTOLINK X5000R V9.1.0u.6118B20201102 and TOTOLINK A7000R V9.1.0u.6115B20201022 were discovered to contain a stack overflow via the httphost parameter in the function loginAuth...

9.8 CVSS, 9.7 AI score, 0.00907 EPSS
Exploits: 1, References: 1

wpexploit
added 2023/10/05 12:0 a.m., 143 views

Newsletter Lite < 4.9.3 - Admin+ Command Injection

Description The plugin does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server. 1 Navigate to "Newsletters Configuration History & Emails Configuration"...

7.2 CVSS, 7.5 AI score, 0.0056 EPSS
Exploits: 2

OSV
added 2023/09/21 11:15 p.m., 1 views

CVE-2023-43128

D-LINK DIR-806 1200M11AC wireless router DIR806A1FW100CNb11 is vulnerable to command injection due to lax filtering of HTTPST parameters...

9.8 CVSS, 5.8 AI score
Exploits: 0, References: 2

ATTACKERKB
added 2023/09/21 11:15 p.m., 1 views

CVE-2023-43128

D-LINK DIR-806 1200M11AC wireless router DIR806A1FW100CNb11 is vulnerable to command injection due to lax filtering of HTTPST parameters...

9.8 CVSS, 7.3 AI score, 0.0142 EPSS
Exploits: 1, References: 3

CNNVD
added 2023/09/21 12:0 a.m., 1 views

D-LINK DIR-806 Command Injection Vulnerability

The D-Link DIR-806 is a wireless router from China-based AUO D-Link. A security vulnerability exists in DIR806A1FW100CNb11 in the D-LINK DIR-806 1200M11AC, which stems from a poor filtering of the HTTPST parameter, making it susceptible to command injection attacks...

9.8 CVSS, 7.5 AI score, 0.0142 EPSS
Exploits: 1, References: 3

Vulnrichment
added 2023/08/07 12:0 a.m., 11 views

CVE-2023-38925

Netgear DC112A 1.0.0.64, EX6200 1.0.3.94 and R6300v2 1.0.4.8 were discovered to contain a buffer overflow via the httppasswd parameter in password.cgi...

7.9 AI score, 0.29571 EPSS
Exploits: 0, References: 2

Packet Storm
added 2023/07/19 12:0 a.m., 249 views

Chevereto CMS 3.7.0 HTTP Parameter Pollution

Title: Chevereto CMS V3.7.0 HPP Vulnerability | Author: indoushka | Tested on: windows 10 Français V.Pro / browser: Mozilla firefox 66.0.264-bit | Vendo...

7.1 AI score
Exploits: 0

Hacker One
added 2023/04/11 8:55 p.m., 32 views

Mars: CRLF Injection at `██████████`

A CRLF injection vulnerability was discovered in the website ██████████. The vulnerability was caused by the application's failure to properly sanitize or encode user-supplied data containing carriage return and line feed CRLF sequences...

7.3 AI score
Exploits: 0

Exploit DB
added 2023/04/06 12:0 a.m., 250 views

Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection

Exploit Title: Osprey Pump Controller 1.0.1 - pseudonym Semi-blind Command Injection Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/202...

7 AI score
Exploits: 0