744 matches found

RedhatCVE
added 2025/05/23 8:7 a.m. | 5 views

CVE-2024-45885

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the action parameter in cgi-bin/mainfunction.cgi is set to autodiscoveryclear...

CVSS 8 | AI score 8.1 | EPSS 0.01291
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 6:21 a.m. | 6 views

CVE-2024-45893

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the action parameter in cgi-bin/mainfunction.cgi is set to setSWMOption...

CVSS 8 | AI score 8.1 | EPSS 0.01594
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 6:21 a.m. | 14 views

CVE-2024-45891

DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the action parameter in cgi-bin/mainfunction.cgi is set to deletewlanprofile...

CVSS 8 | AI score 8.1 | EPSS 0.01291
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 5:52 a.m. | 4 views

CVE-2023-22918

A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50W firmware versions 4.16 through 5.35, USG20W-VPN firmware versions 4.16 through 5.35, VPN series...

CVSS 6.5 | AI score 6.5 | EPSS 0.00771
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 5:52 a.m. | 3 views

CVE-2023-22919

The post-authentication command injection vulnerability in the Zyxel NBG6604 firmware version V1.01ABIR.0C0 could allow an authenticated attacker to execute some OS commands remotely by sending a crafted HTTP request...

CVSS 8.8 | AI score 7.8 | EPSS 0.01647
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 5:51 a.m. | 3 views

CVE-2023-22913

A post-authentication command injection vulnerability in the “accountoperator.cgi” CGI program of Zyxel USG FLEX series firmware versions 4.50 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow a remote authenticated attacker to modify device configuration data,...

CVSS 8.1 | AI score 7.5 | EPSS 0.01291
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 4:52 a.m. | 6 views

CVE-2023-46683

A post authentication command injection vulnerability exists when configuring the wireguard VPN functionality of Tp-Link ER7206 Omada Gigabit VPN Router 1.3.0 build 20230322 Rel.70591. A specially crafted HTTP request can lead to arbitrary command injection. An attacker can make an authenticated...

CVSS 7.2 | AI score 7.4 | EPSS 0.03442
Exploits 1

RedhatCVE
added 2025/05/23 3:35 a.m. | 11 views

CVE-2023-2817

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively...

CVSS 5.4 | AI score 5.8 | EPSS 0.00444
Exploits 0 | References 1

RedhatCVE
added 2025/05/23 12:12 a.m. | 6 views

CVE-2022-44258

TOTOLINK LR350 V9.3.5u.6369B20220309 contains a post-authentication buffer overflow via parameter command in the setTracerouteCfg function...

CVSS 8.8 | AI score 7.5 | EPSS 0.02334
Exploits 1 | References 1

RedhatCVE
added 2025/05/23 12:7 a.m. | 4 views

CVE-2022-44253

TOTOLINK LR350 V9.3.5u.6369B20220309 contains a post-authentication buffer overflow via parameter ip in the setDiagnosisCfg function...

CVSS 8.8 | AI score 7.5 | EPSS 0.0211
Exploits 1 | References 1

RedhatCVE
added 2025/05/23 12:5 a.m. | 5 views

CVE-2022-44257

TOTOLINK LR350 V9.3.5u.6369B20220309 contains a post-authentication buffer overflow via parameter pppoeUser in the setOpModeCfg function...

CVSS 8.8 | AI score 7.5 | EPSS 0.0211
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 9:59 p.m. | 6 views

CVE-2022-44256

TOTOLINK LR350 V9.3.5u.6369B20220309 contains a post-authentication buffer overflow via parameter lang in the setLanguageCfg function...

CVSS 8.8 | AI score 7.5 | EPSS 0.0211
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 9:31 p.m. | 7 views

CVE-2021-21247

OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener AbstractPostAjaxBehavior in all pages other than the login page. This listener decodes and deserializes the data query parameter. We can access this listener by...

CVSS 9.6 | AI score 6.9 | EPSS 0.01502
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 9:19 p.m. | 5 views

CVE-2021-32829

ZStack is open source IaaS (infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell...

CVSS 9.9 | AI score 8.3 | EPSS 0.02902
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 7:6 p.m. | 9 views

CVE-2021-20130

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface...

CVSS 8.8 | AI score 7.8 | EPSS 0.3162
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 6:15 p.m. | 7 views

CVE-2021-20018

A post-authenticated vulnerability in SonicWall SMA100 allows an attacker to export the configuration file to the specified email address. This vulnerability impacts SMA100 version 10.2.0.5 and earlier...

CVSS 4.9 | AI score 6.8 | EPSS 0.00673
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 5:1 p.m. | 6 views

CVE-2020-25185

The affected product is vulnerable to five post-authentication buffer overflows, which may allow a logged in user to remotely execute arbitrary code on the IP150 firmware versions 5.02.09...

CVSS 8.8 | AI score 7.7 | EPSS 0.02101
Exploits 0

RedhatCVE
added 2025/05/22 3:45 p.m. | 6 views

CVE-2020-15308

Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-authentication SQL injection via the siteedit.php typeid or site parameter, the searchincidentsadvanced.php searchtitle parameter, or the reportqbe.php criteriafield parameter...

CVSS 7.2 | AI score 8 | EPSS 0.01075
Exploits 1

RedhatCVE
added 2025/05/22 10:32 a.m. | 5 views

CVE-2019-14338

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface...

CVSS 6.1 | AI score 6 | EPSS 0.01954
Exploits 3 | References 1

RedhatCVE
added 2025/05/22 8:34 a.m. | 4 views

CVE-2019-19461

Post-authentication Stored XSS in Team Password Manager through 7.93.204 allows attackers to steal other users' credentials by creating a shared password with HTML code as the title...

CVSS 5.4 | AI score 6.1 | EPSS 0.00541
Exploits 0 | References 1