VulnCheck KEV: CVE-2023-27008

A Cross-site scripting XSS vulnerability in the function encryptpassword in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter...

Linux Distros Unpatched Vulnerability : CVE-2018-8764

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Roland Gruber Softwareentwicklung LDAP Account Manager before 6.3 places a CSRF token in the sectoken parameter of a URI, which makes it easier for remote...

CVE-2025-41375

SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint...

FileBrowser has an unspecified vulnerability (CNVD-2025-22704)

FileBrowser is an open source web file browser . Provides a file management interface in a specified directory , can be used to upload , delete , preview , rename and edit your files . FileBrowser has a security vulnerability that originates from an access token passed as a GET parameter, which c...

PT-2025-3759 · WordPress · Dwt - Directory & Listing Wordpress Theme

Name of the Vulnerable Software and Affected Versions: DWT - Directory & Listing WordPress Theme versions up to, and including, 3.3.3 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping on the sort by and token parameters...

Cross-Site Scripting (XSS)

librenms/librenms is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of the "token" parameter, which allows authenticated users to inject arbitrary JavaScript when creating a new API token...

CVE-2024-49754

LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the "token" parameter when creating a new API token. This vulnerability can result i...

Cross-site Scripting (XSS)

Overview librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the token parameter in token-item-create.inc.php. PoC Pass in a token parameter valu...

PT-2024-33665 · Librenms · Librenms

Name of the Vulnerable Software and Affected Versions: LibreNMS versions prior to 24.10.0 Description: A Stored Cross-Site Scripting XSS vulnerability in the API-Access page allows authenticated users to inject arbitrary JavaScript through the token parameter when creating a new API token. This c...

apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE

An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token...

Rocket.Chat: NoSQL injection leaks visitor token and livechat messages

The Rocket.Chat application was affected by two NoSQL injection vulnerabilities. The first vulnerability allowed leaking visitor tokens by exploiting the livechat:loginByToken method, while the second vulnerability enabled leaking livechat messages by exploiting the livechat:loadHistory method...

The vulnerability in the `index.php?c=api` script of the OneNav bookmark management interface, which allows a perpetrator to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the /index.php?c=api interface of the OneNav bookmark management program is related to deficiencies in the authentication process due to incorrect generation of tokens with the X-Token parameter. Exploiting this vulnerability allows a malicious actor to compromise the...

Authentication Bypass

SilverStripe is vulnerable to Authentication Bypass. The vulnerability is caused by providing an empty token parameter with secure token parameters like isDev or flush, allowing bypass of normal authentication mechanisms...

CVE-2022-43654

NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. The specific flaw exists with...

apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE

An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token...

CVE-2023-32140

D-Link DAP-1360 webproc var:sysToken Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability. T...

PT-2024-18372 · Unknown · Sante Pacs Server

Name of the Vulnerable Software and Affected Versions: Sante PACS Server affected versions not specified Description: This issue allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this issue. The specific fla...

Sante PACS Server Token Endpoint SQL Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HTTP requests on port 3000. When parsing the token parameter, the...

CVE-2022-34267

An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...

CVE-2022-34267

An issue was discovered in RWS WorldServer before 11.7.3. Adding a token parameter with the value of 02 bypasses all authentication requirements. Arbitrary Java code can be uploaded and executed via a .jar archive to the ws-api/v2/customizations/api endpoint...