Lucene search

4423 matches found

OSV
added 2022/03/30 12:15 a.m., 3 views

CVE-2022-26947

Archer 6.x through 6.9 SP3 6.9.3.0 contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the...

CVSS: 5.4, AI score: 6.2, EPSS: 0.00609
Exploits: 0, References: 2

OSV
added 2022/03/29 6:15 a.m., 1 view

CVE-2022-1084

A vulnerability classified as critical was found in SourceCodester One Church Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /onechurch/userregister.php. The manipulation leads to authentication bypass. The attack can be launched remotely...

CVSS: 9.8, AI score: 5.5, EPSS: 0.00922
Exploits: 0, References: 1

Prion
added 2022/03/26 5:15 p.m., 13 views

Command injection

NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands such as telnetd via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi...

CVSS: 9, AI score: 8.7, EPSS: 0.029
Exploits: 1, References: 1, Affected Software: 1

CVE
added 2022/03/26 4:13 p.m., 92 views

CVE-2022-27947

CVE-2022-27947 affects NETGEAR R8500 devices (version 1.0.2.158) where remote authenticated attackers can inject shell metacharacters in ipv6_fix.cgi parameters (ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, ipv6_lan_length) to execute arbitrary commands (e.g., telnetd). The vulnerability ar...

CVSS: 9, AI score: 8.7, EPSS: 0.02821
Exploits: 1, References: 1, Affected Software: 1

CVE
added 2022/03/26 4:13 p.m., 148 views

CVE-2022-27945

CVE-2022-27945 affects NETGEAR R8500 devices (firmware 1.0.2.158) where remote authenticated users can execute arbitrary commands via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi. Root cause is improper handling of shell metacharacters in password.cgi, ...

CVSS: 9, AI score: 8.8, EPSS: 0.029
Exploits: 1, References: 1, Affected Software: 1

OSV
added 2022/03/25 7:15 a.m., 5 views

CVE-2022-22688

Improper neutralization of special elements used in a command 'Command Injection' vulnerability in File service functionality in Synology DiskStation Manager DSM before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors...

CVSS: 8.8, AI score: 7.6, EPSS: 0.01575
Exploits: 0, References: 1

CISA KEV Catalog
added 2022/03/25 12:00 a.m., 27 views

Microsoft Kerberos Key Distribution Center (KDC) Privilege Escalation Vulnerability

The Kerberos Key Distribution Center KDC in Microsoft allows remote authenticated domain users to obtain domain administrator privileges...

CVSS: 9, AI score: 5.9, EPSS: 0.87448
In wild, Exploits: 8

OSV
added 2022/03/17 10:15 p.m., 2 views

CVE-2021-44088

An SQL Injection vulnerability exists in Sourcecodester Attendance and Payroll System v1.0 which allows a remote attacker to bypass authentication via unsanitized login parameters...

CVSS: 9.8, AI score: 5.9, EPSS: 0.03328
Exploits: 1, References: 3

CVE
added 2022/03/17 8:56 p.m., 1321 views

CVE-2022-26500

CVE-2022-26500 affects Veeam Backup & Replication and relates to an improper limitation of path names in internal API functions, enabling a remote, authenticated user to upload and execute arbitrary code. Affected product range includes 9.5U3/U4, 10.x, and 11.x. The root cause is exposure of inte...

CVSS: 8.8, AI score: 9.1, EPSS: 0.05942
In wild, Exploits: 0, References: 3, Affected Software: 1

Cvelist
added 2022/03/17 12:24 p.m., 23 views

CVE-2021-44261

A vulnerability is in the 'BRStop.html' page of the Netgear W104, version WAC104-V1.0.4.13, which can allow a remote attacker to access this page without any authentication. When processed, it exposes firmware version information for the device...

AI score: 5.5, EPSS: 0.20831
Exploits: 1, References: 2

OSV
added 2022/03/17 11:15 a.m., 21 views

CVE-2021-45791

Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/membertype.php, /admin/modules/system/usergroup.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated librarian users...

CVSS: 8.8, AI score: 7.7, EPSS: 0.00954
Exploits: 1, References: 1

Cvelist
added 2022/03/17 10:35 a.m., 15 views

CVE-2021-45791

Slims8 Akasia 8.3.1 is affected by SQL injection in /admin/modules/bibliography/index.php, /admin/modules/membership/membertype.php, /admin/modules/system/usergroup.php, and /admin/modules/membership/index.php through the dir parameter. It can be used by remotely authenticated librarian users...

AI score: 9.2, EPSS: 0.00954
Exploits: 1, References: 1

CNNVD
added 2022/03/08 12:00 a.m., 5 views

Microsoft Windows Security Account Manager Permission and Access Control Issue Vulnerability

Microsoft Windows Security Account Manager is a Windows security account manager from Microsoft USA for storing user passwords. It can be used to authenticate local and remote users. Microsoft Windows Security Account Manager is vulnerable to privilege permission and access control issues. No...

CVSS: 7.8, AI score: 7.9, EPSS: 0.0059
Exploits: 0, References: 6

Prion
added 2022/03/02 10:15 p.m., 18 views

Path traversal

Multiple authenticated remote path traversal vulnerabilities were discovered in the AOS-CX command line interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch...

CVSS: 8.5, AI score: 8.4, EPSS: 0.00943
Exploits: 0, References: 1, Affected Software: 1

Prion
added 2022/03/02 7:15 p.m., 15 views

Design/Logic Flaw

The Dynamic Data Mapping module in Liferay Portal 7.0.0 through 7.3.6, and Liferay DXP 7.0 before fix pack 101, 7.1 before fix pack 21, 7.2 before fix pack 10 and 7.3 before fix pack 2 incorrectly sets default permissions for site members, which allows remote authenticated users with the site...

CVSS: 4, AI score: 6.3, EPSS: 0.0104
Exploits: 0, References: 3, Affected Software: 2

OSV
added 2022/02/26 8:15 p.m., 2 views

CVE-2020-27958

The Job Composer app in Ohio Supercomputer Center Open OnDemand before 1.7.19 and 1.8.x before 1.8.18 allows remote authenticated users to provide crafted input in a job template...

CVSS: 4.3, AI score: 5.8
Exploits: 0, References: 3

OSV
added 2022/02/07 3:15 a.m., 5 views

CVE-2022-22679

Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in support service management in Synology DiskStation Manager DSM before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors...

CVSS: 4.9, AI score: 5.9, EPSS: 0.01139
Exploits: 0, References: 1

Prion
added 2022/02/07 3:15 a.m., 19 views

Design/Logic Flaw

Improper neutralization of special elements in output used by a downstream component 'Injection' vulnerability in work flow management in Synology DiskStation Manager DSM before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors...

CVSS: 4, AI score: 5.1, EPSS: 0.00587
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2022/02/07 2:15 a.m., 60 views

CVE-2021-43928

CVE-2021-43928 describes an OS command injection in Synology Mail Station’s mail sending/receiving component. The issue arises from improper neutralization of special elements, enabling remote authenticated users to execute arbitrary commands via unspecified vectors. Affected are Synology Mail St...

CVSS: 9.9, AI score: 8.8, EPSS: 0.01883
Exploits: 0, References: 1, Affected Software: 1

OSV
added 2022/02/04 7:15 p.m., 3 views

CVE-2021-29394

Account Hijacking in /northstar/Admin/changePassword.jsp in Northstar Technologies Inc NorthStar Club Management 6.3 allows remote authenticated users to change the password of any targeted user accounts via lack of proper authorization in the user-controlled "userID" parameter of the HTTP POST...

CVSS: 6.5, AI score: 5.9, EPSS: 0.00815
Exploits: 0, References: 2