565 matches found

OSV | added 2024/06/20 4:11 p.m. | 72 views

GHSA-HW5F-6WVV-XCRH SFTPGo has insufficient access control for password reset

Impact: SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired accounts) can reset their password and log in. Patches: Fixed in v2.6.1...

CVSS 6.5 | AI score 5.5 | EPSS 0.00307 | Exploits 0 | References 6

OSV | added 2024/02/08 10:15 p.m. | 2 views

CVE-2023-49101

WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates...

CVSS 6.1 | AI score 5.8 | EPSS 0.00195 | Exploits 0 | References 1

NVD | added 2024/02/08 10:15 p.m. | 14 views

CVE-2023-49101

WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates...

CVSS 6.1 | AI score 6.1 | EPSS 0.00195 | Exploits 0 | References 1

Vulnrichment | added 2024/02/08 12:00 a.m. | 12 views

CVE-2023-49101

WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates...

AI score 6.1 | EPSS 0.00195 | Exploits 0 | References 1

Cvelist | added 2024/02/08 12:00 a.m. | 11 views

CVE-2023-49101

WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates...

AI score 6.2 | EPSS 0.00195 | Exploits 0 | References 1

CVE | added 2024/02/08 12:00 a.m. | 50 views

CVE-2023-49101

Axigen WebAdmin vulnerability CVE-2023-49101 is a cross-site scripting issue in the WebAdmin interface tied to mishandling the viewing of SSL certificate usage. Affected series include Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10. The root cause, as described a...

CVSS 6.1 | AI score 6 | EPSS 0.00195 | Exploits 0 | References 1 | Affected Software 1

OSV | added 2024/01/12 3:15 p.m. | 3 views

CVE-2023-49255

The router console is accessible without authentication at the "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated...

CVSS 9.8 | AI score 6.8 | EPSS 0.00716 | Exploits 0 | References 2

Prion | added 2024/01/12 3:15 p.m. | 16 views

Default credentials

The router console is accessible without authentication at the "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated...

CVSS 7.5 | AI score 6.5 | EPSS 0.00716 | Exploits 0 | References 2 | Affected Software 1

Cvelist | added 2024/01/12 2:23 p.m. | 33 views

CVE-2023-49255 Router console accessible without authentication

The router console is accessible without authentication at the "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated...

AI score 7.3 | EPSS 0.00716 | Exploits 0 | References 2

Packet Storm | added 2023/05/30 12:00 a.m. | 214 views

Thai Auto Web 1.2 Missing Authentication

Title: Thai Auto Web 1.2 Unauthorized administrative access Vulnerability | Author: indoushka | Tested on: windows 10 Français V.Pro / browser: Mozilla...

AI score 7.1 | Exploits 0

BDU FSTEC | added 2023/03/06 12:00 a.m. | 5 views

The WebAdmin component of the Sophos SG UTM (Unified Threat Management) hardware-software security appliance is vulnerable, allowing attackers to execute arbitrary commands.

The vulnerability in the WebAdmin component of the Sophos SG UTM (Unified Threat Management) hardware-software network security system stems from a failure to neutralize special elements used in operating system commands. Exploiting this vulnerability...

CVSS 10 | AI score 8.3 | EPSS 0.96693 | Exploits 9 | References 6

SUSE CVE | added 2023/02/15 5:25 a.m. | 6 views

SUSE CVE-2014-9403

The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading character, related to a...

CVSS 4 | AI score 6.6 | EPSS 0.02156 | Exploits 0 | References 3

Tenable Nessus | added 2023/02/09 12:00 a.m. | 68 views

Sophos SG UTM < 9.511 / 9.6 < 9.607 / 9.7 < 9.705 RCE (CVE-2020-25223)

A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before 9.511 MR11, 9.6 before 9.607 MR7, and 9.7 before 9.705 MR5. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the remote host as the root user. Note...

CVSS 10 | AI score 9.7 | EPSS 0.96693 | Exploits 9 | References 2

OSV | added 2022/12/01 6:15 p.m. | 1 view

CVE-2022-3709

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA...

CVSS 8.4 | AI score 5.8 | EPSS 0.00803 | Exploits 0 | References 1

OSV | added 2022/12/01 6:15 p.m. | 2 views

CVE-2022-3696

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA...

CVSS 7.2 | AI score 5.9 | EPSS 0.01102 | Exploits 0 | References 1

NVD | added 2022/12/01 6:15 p.m. | 24 views

CVE-2022-3696

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA...

CVSS 7.2 | EPSS 0.01102 | Exploits 0 | References 1

NVD | added 2022/12/01 6:15 p.m. | 21 views

CVE-2022-3709

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA...

CVSS 8.4 | EPSS 0.00803 | Exploits 0 | References 1

Prion | added 2022/12/01 6:15 p.m. | 23 views

Cross site scripting

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA...

CVSS 5.4 | AI score 8 | EPSS 0.00803 | Exploits 0 | References 1 | Affected Software 1

Prion | added 2022/12/01 6:15 p.m. | 18 views

Code injection

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA...

CVSS 5.8 | AI score 7.1 | EPSS 0.01102 | Exploits 0 | References 1 | Affected Software 1

Cvelist | added 2022/12/01 12:00 a.m. | 35 views

CVE-2022-3709

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA...

CVSS 6.8 | AI score 8.3 | EPSS 0.00803 | Exploits 0 | References 1
