837 matches found

RedhatCVE · added 2025/05/23 3:36 a.m. · 4 views

CVE-2023-28318

A vulnerability has been discovered in Rocket.Chat, where messages can be hidden regardless of the MessageKeepHistory or MessageShowDeletedStatus server configuration. This allows users to bypass the intended message deletion behavior, hiding messages and deletion notices...

CVSS 5.3 · AI score 6.8 · EPSS 0.00263 · Exploits 0 · References 1
RedhatCVE · added 2025/05/23 3:01 a.m. · 3 views

CVE-2023-21422

Improper authorization vulnerability in semAddPublicDnsAddr in WifiService prior to SMR Jan-2023 Release 1 allows attackers to set a custom DNS server without permission via binding WifiService...

CVSS 5.7 · AI score 6.7 · EPSS 0.0015 · Exploits 0 · References 1
RedhatCVE · added 2025/05/23 1:10 a.m. · 8 views

CVE-2022-36306

An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still...

CVSS 6.5 · AI score 7 · EPSS 0.00828 · Exploits 1 · References 1
RedhatCVE · added 2025/05/22 8:31 p.m. · 3 views

CVE-2021-27450

SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E all firmware versions prior to v04A00.1...

CVSS 7.8 · AI score 7 · EPSS 0.00196 · Exploits 0 · References 1
RedhatCVE · added 2025/05/22 6:48 p.m. · 5 views

CVE-2021-41385

The third party intelligence connector in Securonix SNYPR 6.3.1 Build 1842950302 allows an authenticated user to obtain access to server configuration details via SSRF...

CVSS 6.5 · AI score 6.7 · EPSS 0.00675 · Exploits 0
RedhatCVE · added 2025/05/22 5:09 p.m. · 7 views

CVE-2020-28968

Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field...

CVSS 5.4 · AI score 5.6 · EPSS 0.00551 · Exploits 1
RedhatCVE · added 2025/05/22 4:38 a.m. · 6 views

CVE-2019-17112

An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user "Operator" access level to access the configuration file of the mail server except for the password...

CVSS 4.3 · AI score 6.9 · EPSS 0.02122 · Exploits 0 · References 1
RedhatCVE · added 2025/05/22 4:31 a.m. · 7 views

CVE-2019-14525

In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration page or making an API call...

CVSS 4.9 · AI score 6.6 · EPSS 0.01528 · Exploits 0 · References 1
Vulnrichment · added 2025/05/21 12:00 a.m. · 11 views

CVE-2024-56428

The local iLabClient database in itech iLabClient 3.7.1 allows local attackers to read cleartext credentials from the CONFIGS table for their servers configured in the client...

AI score 5.3 · EPSS 0.00134 · Exploits 1 · References 2
NVD · added 2025/05/07 10:15 p.m. · 15 views

CVE-2025-41414

When an HTTP/2 client and server profile is configured on a virtual server, undisclosed requests can cause TMM to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 8.7 · EPSS 0.00335 · Exploits 0 · References 1
OpenVAS · added 2025/05/07 12:00 a.m. · 1 view

Configure The ntpd Service Properly

In the cluster scenario, the time of servers must be accurate and consistent. For example, if the server time is inconsistent, the data generated by different servers may be sorted or compared inaccurately. Even if you run the date command to set the time of all servers to the same value, the tim...

AI score 6.8 · Exploits 0 · References 3
Cvelist · added 2025/04/15 8:00 p.m. · 25 views

CVE-2025-31497 TEIGarage XML External Entity (XXE) Injection in Document Conversion Service

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML...

CVSS 7.5 · EPSS 0.0034 · Exploits 0 · References 1
OSV · added 2025/04/07 10:15 a.m. · 1 view

CVE-2025-3346

A vulnerability was found in Tenda AC7 15.03.06.44. It has been rated as critical. Affected by this issue is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument pptpserverstartip/pptpserverendip leads to buffer overflow. The attack may be launched...

CVSS 8.7 · AI score 6.3 · EPSS 0.05167 · Exploits 0 · References 5
NVD · added 2025/04/07 10:15 a.m. · 8 views

CVE-2025-3346

A vulnerability was found in Tenda AC7 15.03.06.44. It has been rated as critical. Affected by this issue is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument pptpserverstartip/pptpserverendip leads to buffer overflow. The attack may be launched...

CVSS 9 · EPSS 0.05167 · Exploits 0 · References 5
Vulnrichment · added 2025/04/07 9:31 a.m. · 6 views

CVE-2025-3346 Tenda AC7 SetPptpServerCfg formSetPPTPServer buffer overflow

A vulnerability was found in Tenda AC7 15.03.06.44. It has been rated as critical. Affected by this issue is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation of the argument pptpserverstartip/pptpserverendip leads to buffer overflow. The attack may be launched...

CVSS 9 · AI score 6.9 · EPSS 0.05167 · Exploits 0 · References 5
Vulnrichment · added 2025/03/31 5:06 p.m. · 40 views

CVE-2025-31125 Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query

Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. This vulnerability is fixed in 6.2.4, 6.1.3,...

CVSS 5.3 · AI score 6.8 · EPSS 0.59585 · Exploits 9 · References 2
Positive Technologies · added 2025/03/28 12:00 a.m. · 2 views

PT-2025-13589 · Shopxo · Shopxo

Name of the Vulnerable Software and Affected Versions: ShopXO version 6.4.0. Description: The issue is related to Server-Side Request Forgery (SSRF) in the Email Settings. This means an attacker could potentially forge requests from the server, leading to unauthorized access to internal systems or...

CVSS 6.3 · AI score 6.1 · EPSS 0.00247 · Exploits 1 · References 10
Github Security Blog · added 2025/03/25 2:00 p.m. · 18 views

Vite bypasses server.fs.deny when using ?raw??

Summary: The contents of arbitrary files can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Details: @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or...

CVSS 7.5 · AI score 7.4 · EPSS 0.78572 · Exploits 28 · References 8 · Affected Software 1
Cvelist · added 2025/03/24 5:03 p.m. · 15 views

CVE-2025-30208 Vite bypasses server.fs.deny when using `?raw??`

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

CVSS 5.3 · EPSS 0.78572 · Exploits 28 · References 6
RedhatCVE · added 2025/02/13 12:38 a.m. · 9 views

CVE-2025-25526

Buffer overflow vulnerability in Mercury MIPC552W Camera v1.0 due to the lack of length verification, which is related to the configuration of the PPTP server. Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands...

CVSS 5.1 · AI score 7.7 · EPSS 0.00227 · Exploits 0 · References 1