EUVD-2022-48412
Malicious code in bioql PyPI...
CVE-2023-44040
In VeridiumID before 3.5.0, the identity provider page is susceptible to a cross-site scripting XSS vulnerability that can be exploited by an internal unauthenticated attacker for JavaScript execution in the context of the user trying to authenticate...
CVE-2023-44039
In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker who can pass enrollment verifications and is allowed to enroll a FIDO key to register their FIDO authenticator to a victim’s account and consequently take over the account...
CVE-2022-45546
Information Disclosure in the Authentication Component of the ScreenCheck BadgeMaker 2.6.2.0 application allows an internal attacker to obtain credentials for authentication via network sniffing...
PT-2024-59: OS Command Injection in Yealink Meeting Server (YMS)
The vulnerability was identified in Yealink Meeting Server (YMS), versions V26.0.0.66. The discovered vulnerability can be exploited by an internal attacker to execute commands with superuser privileges, which can lead to privilege escalation on the vulnerable host. Vulnerability status: Confirmed...
CVE-2023-31460
A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters...
VulnCheck KEV: CVE-2022-40765
The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system...
PT-2022-25525 · Mitel · Mitel Mivoice Connect
Name of the Vulnerable Software and Affected Versions: Mitel MiVoice Connect versions through 19.3 22.22.6100.0 Description: A vulnerability in the Edge Gateway component could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient...
PT-2022-6442 · Nokia · Netact
Name of the Vulnerable Software and Affected Versions: Nokia NetAct versions prior to 22 FP2211 Description: The issue is related to the lack of input validation when creating a working set in the NetAct system, allowing an attacker to inject a client-side template payload. This can lead to the...
CVE-2022-35405
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. This also affects ManageEngine Access Manager Plus before 4303 with authentication. Recent assessments: gwillcox-r7 at October 25, 2022 5:15pm UTC reported: This was...
CVE-2016-3173
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file e.g. an image which gets displayed at the portal application. Using script code at the file name leads t...
SAP HANA metadata.xsjs - SQL injection
Application: SAP HANA Versions Affected: 1.00.60.379371 Vendor URL: http://www.sap.com Bugs: SQL injection Exploits: YES Reported: 09.04.2014 Vendor response: 10.04.2014 Date of Public Advisory: 17.10.2014 Reference: SAP Security Note 2067972 Author: Dmitry Chastukhin ERPScan Description SQL...
NGS00140 Technical Advisory: Websense Triton 7.6 - unauthenticated remote command execution as SYSTEM
======= Summary ======= Name: Websense Triton 7.6 Unauthenticated remote command execution as SYSTEM Release Date: 30 April 2012 Reference: NGS00140 Discoverer: Ben Williams [email protected] Vendor: Websense Vendor Reference: Systems Affected: Risk: Critical Status: Published ========...
The following is the updated version of a post sent to FD http://seclists.org/lists/fulldisclosure/2006/Jul/0137.html ... Title: Unauthenticated access to BT Voyager config file and PPP credentials embedded in HTML form Successfully tested against: - BT Voyager 2091 Wireless ADSL - Firmware...