Cross site scripting
In firmware version MS2.6.9900 of Columbia Weather MicroServer, a reflected cross-site scripting (XSS) vulnerability in networkdiags.php allows remote authenticated users to inject arbitrary web script...
CVE-2019-5347
A remote authentication bypass vulnerability was identified in HPE Intelligent Management Center IMC PLAT earlier than version 7.3 E0506P09...
CVE-2017-14728
An authentication bypass was found in an unknown area of the SiteOmat source code. All SiteOmat BOS versions are affected, prior to the submission of this exploit. Also, the SiteOmat does not force administrators to switch passwords, leaving SSH and HTTP remote authentication open to public...
CVE-2019-12452
CVE-2019-12452 affects Containous Traefik 1.7.x (1.7.11 and earlier). When --api is enabled and publicly reachable with insufficient access control, remote authenticated users can read the JSON response of /api to discover password hashes from Basic/Digest HTTP Authentication and can read a Clien...
CVE-2019-11816
CVE-2019-11816 affects the WebUI of OPNsense prior to 19.1.8 and pfSense prior to 2.4.4-p3. The root cause is incorrect access control, allowing remote authenticated users to escalate privileges to administrator via a specially crafted request. Affected products: OPNsense (WebUI) and pfSense (Web...
CVE-2019-5937
Cross-site scripting vulnerability in Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to inject arbitrary web script or HTML via the user information...
CVE-2019-5935
Cybozu Garoon 4.0.0 to 4.10.1 allows remote authenticated attackers to bypass access restriction to change user information without access privileges via the Item function of User Information...
CVE-2019-5933
Cybozu Garoon 4.0.0 to 4.10.0 allows remote authenticated attackers to bypass access restriction to view the Bulletin Board without view privileges via the application 'Bulletin'...
Stack overflow
The D-Link DCS series of Wi-Fi cameras contains a stack-based buffer overflow in alphapd, the camera's web server. The overflow allows a remotely authenticated attacker to execute arbitrary code by providing a long string in the WEPEncryption parameter when requesting wireless.htm. Vulnerable...
Denial of Service (DoS)
Oracle MySQL is vulnerable to denial of service attacks. A remote authenticated attacker can exploit the flaw in the Optimizer component to cause denial of service conditions...
CVE-2018-17289
An XML external entity (XXE) vulnerability in Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 allows remote authenticated users to read arbitrary files via crafted XML inside an imported package configuration .ZIP file within the Kofax/KFS/Admin/PackageService/package/uploa...
CVE-2018-13287
CVE-2018-13287 refers to an issue in Synology Router Manager (SRM) before 1.1.7-6941-1 where synouser.conf has incorrect default permissions, allowing remote authenticated users to obtain sensitive information via the world-readable configuration. Affected: SRM running before 1.1.7-6941-1; vulner...
CVE-2019-10662
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI...
CVE-2019-10660
Grandstream GXV3611IRHD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field...
CVE-2019-10658
The CVE-2019-10658 issue affects Grandstream GWN7610 devices with firmware prior to 1.0.8.18. Affected component is the /ubus/controller.icc.update_nds_webroot_from_tmp API call, where an authenticated user can inject shell metacharacters via the filename parameter to execute arbitrary code on th...