16896 matches found
Kramer VIAware - Remote Code Execution
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames. id: CVE-2021-36356 info: name: Kramer VIAware - Remote Code Execution author: gy741 severity: critical description: KRAMER...
Aquatronica Controller System <= 5.1.6 - Information Disclosure
Aquatronica Controller System firmware 5.1.6 and earlier and web interface 2.0 and earlier contain an information disclosure vulnerability caused by unauthenticated access to tcp.php endpoint, letting remote attackers retrieve sensitive configuration data including plaintext credentials, exploit...
Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload
Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by...
Powertek Firmware <3.30.30 - Authorization Bypass
Powertek firmware multiple brands before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an...
Gryphon Tower - Cross-Site Scripting
Gryphon Tower router web interface contains a reflected cross-site scripting vulnerability in the url parameter of the /cgi-bin/luci/siteaccess/ page. An attacker can exploit this issue by tricking a user into following a specially crafted link, granting the attacker JavaScript execution in the...
Kramer VIAware - Privilege Escalation and Remote Code Execution
Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through...
D-Link Routers - Local File Inclusion
D-Link routers DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02,DWR-512 through 2.02,DWR-712 through 2.02,DWR-912 through 2.02, DWR-921 through 2.02, DWR-111 through 1.01, and probably others with the same type of firmware allows remote attackers to read arbitrary files via a /...
Socomec DIRIS A-40 Devices Password Disclosure
Socomec DIRIS A-40 devices before 48250501 are susceptible to a password disclosure vulnerability in the web interface that could allow remote attackers to get full access to a device via the /password.jsn URI. id: CVE-2019-15859 info: name: Socomec DIRIS A-40 Devices Password Disclosure author:...
Cisco RV132W/RV134W Router - Information Disclosure
Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an unauthenticated, remote attacker to view configuration parameters for an affected device via the web interface, which could lead to the disclosure of confidential information. id: CVE-2018-012...
Cisco RV110W RV130W RV215W Router - Information leakage
A vulnerability in the web-based management interface of Cisco RV110W, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to access the syslog file on an affected device. The vulnerability is due to improper authorization of an HTTP request. An attacker could exploit this...
Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting
PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...
Ganglia Web Interface (v3.7.3 - v3.7.5) - Cross-Site Scripting
A cross-site scripting XSS vulnerability in the component /graphallperiods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter. id: CVE-2024-52763 info: name: Ganglia Web Interface v3.7.3 - v3.7.5 -...
Fortinet FortiOS - Open Redirect/Cross-Site Scripting
FortiOS Web User Interface in 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting attacks via the "redirect" parameter to "login." id: CVE-2016-3978 info: name: Fortin...
OpenVPN Access Server 2.1.4 - CRLF Injection
CRLF injection vulnerability in the web interface in OpenVPN Access Server 2.1.4 allows remote attackers to inject arbitrary HTTP headers and consequently conduct session fixation attacks and possibly HTTP response splitting attacks via "%0A" characters in the PATHINFO to sessionstart/. id:...
TP-Link Archer A20 v3 Router - Cross-site Scripting
The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting XSS due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL...
Ganglia Web Interface (v3.7.3 - v3.7.6) - Cross-Site Scripting
A cross-site scripting XSS vulnerability in the component /master/header.php of Ganglia-web v3.73 to v3.76 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "tz" parameter. id: CVE-2024-52762 info: name: Ganglia Web Interface v3.7.3 - v3.7.6 -...
SEH utnserver Pro/ProMAX/INU-100 20.1.22 - Cross-Site Scripting
A vulnerability was found in utnserver Pro, utnserver ProMAX, and INU-100 version 20.1.22 and earlier, affecting the device description parameter in the web interface. This flaw allows stored cross-site scripting XSS, enabling attackers to inject JavaScript code. The attack can be executed remote...
EUVD-2026-42725
A security vulnerability has been detected in TOTOLINK A3000RU, A3100R, A950RG, AC1200T10, CP450, CS185RT10 and EX200 up to 20260906. Affected by this issue is some unknown functionality of the file /etc/boa/boa.conf of the component Web Interface. The manipulation leads to least privilege...
CVE-2026-51119
An issue in Invixium IXM WEB v.2.3.85.25 allows an attacker to escalate privileges via the /SystemUsers/CreateAppUser components...
CVE-2025-70796
An unauthenticated path traversal in the web management interface of WTI (Wireless Technology, Inc.), version 3.5.0.r 2024/05/24 00:00:00, allows crafted HTTP requests with traversal sequences to access files outside the web root, potentially disclosing sensitive system files and configuration da...