25105 matches found
Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure
An access control issue in Wavlink WL-WN530HG4 M30HG4.V5030.201217 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials. id: CVE-2022-48166 info: name: Wavlink WL-WN530HG4 M30HG4.V5030.201217 - Information Disclosure author: ritikchaddha...
Riello Netman 204 - SQL Injection
The three endpoints /cgi-bin/dbdatalogw.cgi, /cgi-bin/dbeventlogw.cgi, and /cgi-bin/dbmultimetrw.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way. id: CVE-2024-8877 info: name: Riello Netman 204 - SQL...
All-in-One WP Migration < 7.87 - Unauthenticated Information Disclosure
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to unauthenticated information disclosure due to its error.log file being publicly accessible in versions before 7.87. id: CVE-2024-8852 info: name: All-in-One WP Migration 7.87 - Unauthenticated Information Disclosure...
LogDash Activity Log <= 1.1.3 - SQL Injection
The LogDash Activity Log plugin for WordPress is vulnerable to SQL Injection via the username parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
VMware vRealize Log Insight - Path Traversal
he vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. id: CVE-2022-31706 info: name: VMware vRealize Log Insight - Path Traversal...
W3 Total Cache < 2.8.2 - Log File Exposure
The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF...
pyload - Log Injection
A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload. id: CVE-2024-21645 info: name: pyload - Log Injection author: isacaya severity: medium description: | A log injection...
Hongdian H8922 3.0.5 Devices - Local File Inclusion
Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /logdownload.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ e.g., ../../etc/passwd This can be carried out wi...
Cobbler <3.3.0 - Remote Code Execution
Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method. id: CVE-2021-40323 info: name: Cobbler 3.3.0 - Remote Code Execution author: c-sh0 severity: critical description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via ...
VMware vRealize Log Insight < v8.10.2 - Information Disclosure
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication. id: CVE-2022-31711 info: name: VMware vRealize Log Insight v8.10.2 - Information Disclosure author: DhiyaneshD...
MagnusBilling Login Logs - Cross-Site Scripting
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...
VMware vRealize Log Insight - Improper Access Control to RCE
The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution. id: CVE-2022-31704 info: name: VMware vRealize Log Insight - Improper Acces...
BIT-MONGODB-2026-9751 Sensitive data could be written to mongod.log
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...
PT-2026-49076
A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A...
EUVD-2026-35403
TYPO3 CMS has Broken Access Control in its Media Module...
GHSA-6JQ6-X4CX-QVCM Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)
Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...
Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)
Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...
CVE-2026-50629
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgra...
CVE-2026-50629 Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgra...
CVE-2026-50629 Apache CXF: OAuth2: Log Injection via Unsanitized Client Identifier
The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgra...