CVE-2020-13117
Wavlink WN575A4, WN579X3, and WN530G3A devices through 2020-05-15 allow unauthenticated remote users to inject commands via the key parameter in a login request...
CVE-2019-3987
Blink XT2 Sync Module firmware prior to 2.13.11 allows remote attackers to execute arbitrary commands on the device due to improperly sanitized input when configuring the device's wifi configuration via the key parameter...
CVE-2019-18205
Multiple Reflected Cross-site Scripting XSS vulnerabilities exist in Zucchetti InfoBusiness before and including 4.4.1. The browsing component did not properly sanitize user input encoded in base64. This also applies to the search functionality for the searchKey parameter...
CVE-2017-11559
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack...
CVE-2019-10014
In DedeCMS 5.7SP2, member/resetpassword.php allows remote authenticated users to reset the passwords of arbitrary users via a modified id parameter, because the key parameter is not properly validated...
CVE-2019-8410
Maccms 8.0 allows XSS via the inc/config/cache.php tkey parameter because template/paody/html/vodtype.html mishandles the keywords parameter, and a/tpl/module/db.php only filters the tname parameter not tkey...
EARCLINK ESPCMS SQL Injection Vulnerability
EARCLINK ESPCMS is an enterprise website-building system from China Honghu Erchuang Netlink Information Technology Co. A SQL injection vulnerability exists in the installpack/espcmspublic/espcmsdb.php file in the P8 version of EARCLINK ESPCMS, which can be exploited to execute arbitrary SQL commands ...
CVE-2018-1000628
Battelle V2I Hub 2.5.1 could allow a remote attacker to bypass security restrictions, caused by the direct checking of the API key against a user-supplied value in PHP's GET global variable array using PHP's strcmp function. By adding "" to the end of "key" in the URL when accessing API functions...
ASUSTOR ADM OS Command Injection Vulnerability (CNVD-2018-26932)
ASUSTOR ADM is an operating system from ASUSTOR dedicated to ASUSTOR NAS storage devices. An operating system command injection vulnerability exists in the user.cgi file in ASUSTOR ADM version 3.1.1, which can be exploited to execute system commands with root privileges using the 'secretkey' URL...
CVE-2018-12308
Encryption key disclosure in share.cgi in ASUSTOR ADM version 3.1.1 allows attackers to obtain the encryption key via the "encryptkey" URL parameter...
SEMCMS Cross-Site Scripting Vulnerability (CNVD-2019-01725)
SEMCMS is a foreign trade web content management system (CMS) that supports multiple languages. A cross-site scripting vulnerability exists in SEMCMS version 3.4. Remote attackers can exploit the vulnerability via the 'categorykey' parameter of the admin/SEMCMSCategories.php?pid=1&lgid=1 URI to inject...
CVE-2018-13818
Twig before 2.4.4 allows Server-Side Template Injection SSTI via the search searchkey parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it...
PT-2018-12201 · Symfony · Twig
Name of the Vulnerable Software and Affected Versions: Twig versions prior to 2.4.4 Description: The issue allows Server-Side Template Injection SSTI via the search key parameter. It is noted that Twig itself is not a web application, and the responsibility of properly wrapping input to it lies...
Impinj Speedway Connect R420 RFID Reader Cross-Site Scripting Vulnerability
Impinj Speedway Connect R420 RFID Reader is an RFID reader from Impinj USA used to identify and track objects. A cross-site scripting vulnerability exists in the 'license key' parameter of the web application in Impinj Speedway Connect R420 RFID Reader versions prior to 2.2.2. A remote attacker...
Atlassian Confluence Server Cross-Site Scripting Vulnerability (CNVD-2018-03443)
Atlassian Confluence Server is a suite of professional enterprise knowledge management and collaboration software from Atlassian Australia, which can also be used to build an enterprise wiki. The software enables collaboration and knowledge sharing amongst team members. A cross-site scripting...
SugarCRM 3.5.1 Cross Site Scripting
Exploit Title: sugarCRM 3.5.1 XSS reflected Date: 16/01/2017 Exploit Author: Guilherme Assmann Vendor Homepage: https://www.sugarcrm.com/ Version: 3.5.1 Tested on: kali linux, windows 7, 8.1, 10, ubuntu - Firefox Download...
SugarCRM 3.5.1 - Cross-Site Scripting Vulnerability
Exploit for PHP platform in category web applications Exploit Title: sugarCRM 3.5.1 XSS reflected Date: 16/01/2017 Exploit Author: Guilherme Assmann Vendor Homepage: https://www.sugarcrm.com/ Version: 3.5.1 Tested on: kali linux, windows 7, 8.1, 10, ubuntu - Firefox Download...
Trustwave Secure Web Gateway Elevation of Privilege Vulnerability
Trustwave Secure Web Gateway SWG is a web security gateway product from Trustwave, Inc. A security vulnerability exists in Trustwave SWG version 11.8.0.27 and earlier. A remote attacker can exploit the vulnerability by sending the 'publicKey' parameter to the /sendKey URI to add an arbitrary publ...
CVE-2017-17598
Affiliate MLM Script 1.0 has SQL Injection via the product-category.php key parameter...