5296 matches found
CVE-2021-25811
MERCUSYS Mercury X18G 1.0.5 devices allow Denial of service via a crafted value to the POST listenhttplan parameter. Upon subsequent device restarts after this vulnerability is exploited the device will not be able to access the webserver unless the listenhttplan parameter to uhttpd.json is manual...
OpenPLC 3 - Remote Code Execution (Authenticated) Exploit
Exploit Title: OpenPLC 3 - Remote Code Execution Authenticated Exploit Author: Fellipe Oliveira Vendor Homepage: https://www.openplcproject.com/ Software Link: https://github.com/thiagoralves/OpenPLCv3 Version: OpenPLC v3 Tested on: Ubuntu 16.04, Debian 9, Debian 10 Buster /usr/bin/python3 import...
CVE-2021-25668
A vulnerability has been identified in SCALANCE X200-4P IRT All versions 5.5.1, SCALANCE X201-3P IRT All versions 5.5.1, SCALANCE X201-3P IRT PRO All versions 5.5.1, SCALANCE X202-2 IRT All versions 5.5.1, SCALANCE X202-2P IRT incl. SIPLUS NET variant All versions 5.5.1, SCALANCE X202-2P IRT PRO...
GHSA-7MX5-X372-XH87 Incorrect Session Validation in Apache Airflow
Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious Airflow user who logs in normally on site A to access, without authorization, an Airflow Webserver on site B using the session from site A. This does not affect users who have...
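The cross-site acceptance described in this entry comes down to two deployments holding the same unchanged default secret key: a session cookie signed on site A verifies on site B because B uses the identical key to check it. The block below is an added illustration, not Airflow's own session code (Airflow uses Flask's signed sessions); it models a signed cookie with a stdlib HMAC, uses a hypothetical shared default key value, and contrasts a site B that kept the default with one that generated its own key.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical stand-in for a default secret key that two installs never changed.
# The literal value is illustrative; what matters is that both sites hold the same key.
SHARED_DEFAULT_KEY = "temporary_key"


def sign_session(secret_key: str, payload: dict) -> str:
    """Build a cookie 'base64(payload).hexsig', sig = HMAC-SHA256(secret_key, base64(payload)).

    Minimal model of a signed (not encrypted) session cookie: the payload is readable by
    anyone; only the signature ties it to the key.
    """
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def load_session(secret_key: str, cookie: str):
    """Return the payload if the cookie's signature verifies under secret_key, else None."""
    try:
        body, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret_key.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        return None


class Webserver:
    """One deployment; identity is decided solely by whether the cookie verifies under its key."""

    def __init__(self, name: str, secret_key: str):
        self.name = name
        self.secret_key = secret_key

    def login(self, user: str) -> str:
        # A normal login: the site mints a cookie for the authenticated user.
        return sign_session(self.secret_key, {"user": user, "issued_by": self.name})

    def current_user(self, cookie: str):
        # The issued_by field is signed but never checked; the key is the only binding.
        session = load_session(self.secret_key, cookie)
        return session["user"] if session else None


def cross_site_acceptance():
    """Return (user seen by site B with the shared default key, user seen by site B with its own key)."""
    site_a = Webserver("site-A", SHARED_DEFAULT_KEY)
    site_b_default = Webserver("site-B", SHARED_DEFAULT_KEY)
    site_b_fixed = Webserver("site-B", secrets.token_hex(32))  # per-deployment random key

    cookie_from_a = site_a.login("mallory")  # the attacker logs in normally on site A
    return site_b_default.current_user(cookie_from_a), site_b_fixed.current_user(cookie_from_a)


if __name__ == "__main__":
    print(cross_site_acceptance())  # ('mallory', None)
```

The first element is the problem: a cookie minted by site A is a valid session on every other site that shares the key, and nothing in the cookie body stops that, since site B never looks at issued_by. Checking the site name would be a weaker control than the one the advisory points to, which is a distinct secret key per deployment; with that key in place the same cookie fails verification.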
[SECURITY] Fedora 34 Update: python-aiohttp-3.7.4-1.fc34
Python HTTP client/server for asyncio which supports both the client and the server side of the HTTP protocol, client and server websocket, and webservers with middlewares and pluggable routing...
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Log Disclosure
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Log Disclosure Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258...
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Unauthenticated Log Disclosure
Summary JT3500V is an advanced LTE-A Pro CAT12 indoor Wi-Fi & VoIP CPE product designed to enable quick and easy LTE fixed data service deployment for residential and SOHO customers. It provides integrated high-speed LAN, Wi-Fi and VoIP services to end users who need both bandwidth...
OPENSUSE-SU-2021:0415-1 Security update for froxlor
This update for froxlor fixes the following issues: - Upstream upgrade to version 0.10.23 boo846355 - Upstream upgrade to version 0.10.22 boo846355 - BuildRequire cron, as it now contains the cron directories - Use %license for the COPYING file instead of %doc boo1082318 Upstream upgrade to version...
Authorization
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0). The webserver could allow unauthorized actions via special URLs for unprivileged users. The settings of the UMC authorization server could be changed to add a rogue server by an attacker authenticating with...
CVE-2020-25239
CVE-2020-25239 affects SINEMA Remote Connect Server (all versions prior to v3.0). The vulnerability is an Incorrect Authorization (CWE-863) where a webserver could allow unauthorized actions via special URLs for unprivileged users, enabling an attacker authenticated with limited rights to modify ...
CVE-2020-29238
An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server is running as a reverse proxy, via a specially crafted request...
PYSEC-2021-2
Improper Access Control on the Configurations Endpoint for the Stable API of Apache Airflow allows users with the Viewer or User role to get Airflow Configurations, including sensitive information, even when the webserver expose_config option is set to False in airflow.cfg. This allowed a privilege escalation attack...
Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)
Exploit Title: Openlitespeed WebServer 1.7.8 - Command Injection Authenticated 2 Date: 26/1/2021 Exploit Author: Metin Yunus Kandemir Discovered by: cmOs - SunCSR Vendor Homepage: https://openlitespeed.org/ Software Link: https://openlitespeed.org/kb/install-from-binary/ Version: 1.7.8 import...
CVE-2020-11920
An issue was discovered in Svakom Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the NFS settings menu in the webserver running on the device. By injecting Bash commands via shell metacharacters here, the device executes arbitrary code...
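The injection path this entry describes, a host field spliced into a shell command so that metacharacters in it become additional commands, is a recurring pattern in embedded web UIs. The block below is an added Python illustration, not the Siime Eye firmware's code (which is not on the page); the vulnerable builder, the /mnt/nfs mount point and the attacker string are constructed for the example. It places the vulnerable string construction next to a hardened builder that allow-lists the host as an IP literal or hostname, validates the export path, and produces an argv list for a shell-free subprocess.run.

```python
import ipaddress
import re
import subprocess

# Constructed attacker input for the NFS HOST/IP field (not taken from the advisory).
INJECTED_HOST = "10.0.0.5; cat /etc/passwd"

MOUNT_POINT = "/mnt/nfs"  # hypothetical mount point used by this example

# RFC 1123-style hostname: labels of 1..63 chars from [A-Za-z0-9-], no leading or
# trailing '-', whole name at most 253 chars. No shell metacharacters can pass this.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
# Export path: absolute, restricted to a conservative character set.
_EXPORT_RE = re.compile(r"^/[A-Za-z0-9_./-]*$")


def build_mount_command_vulnerable(host: str, export: str) -> str:
    """The pattern the advisory describes: user input pasted into one shell string.

    If this string reaches system()/sh -c, every shell metacharacter in `host` is
    interpreted, so '10.0.0.5; cat /etc/passwd' runs a second command after mount.
    """
    return f"mount -t nfs {host}:{export} {MOUNT_POINT}"


def is_valid_nfs_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else (allow-list)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(host) is not None


def build_mount_argv(host: str, export: str) -> list:
    """Hardened builder: validate both fields, then return an argv list.

    Because the list is passed to subprocess.run without shell=True, no shell ever
    parses these values; metacharacters cannot alter the command even if a validation
    gap is found later. IPv6 literals are bracketed so the host:export split is unambiguous.
    """
    if not is_valid_nfs_host(host):
        raise ValueError(f"rejected NFS host {host!r}")
    if _EXPORT_RE.match(export) is None:
        raise ValueError(f"rejected NFS export path {export!r}")
    target = f"[{host}]:{export}" if ":" in host else f"{host}:{export}"
    return ["mount", "-t", "nfs", target, MOUNT_POINT]


def attempt_mount(host: str, export: str, dry_run: bool = True):
    """Return ('rejected', reason) for bad input, otherwise ('ok', argv).

    With dry_run=False the argv is executed without a shell; the default never runs mount.
    """
    try:
        argv = build_mount_argv(host, export)
    except ValueError as exc:
        return ("rejected", str(exc))
    if not dry_run:
        subprocess.run(argv, check=False)  # argv list, no shell=True
    return ("ok", argv)


if __name__ == "__main__":
    print(build_mount_command_vulnerable(INJECTED_HOST, "/export"))
    print(attempt_mount(INJECTED_HOST, "/export"))
    print(attempt_mount("10.0.0.5", "/export"))
```

Validation and shell-free execution are separate controls: the allow-list stops the malformed value at the web layer with a clear error, and the argv form means that even a value which slips past it is handed to mount as a single argument rather than to a shell. Keeping both is what prevents the metacharacter trick the advisory describes.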