CVE-2022-23555 authentik vulnerable to Improper Authentication via invitation URL token reuse
authentik is an open-source Identity Provider focused on flexibility and versatility. Versions prior to 2022.11.4 and 2022.10.4 are vulnerable to Improper Authentication. Token reuse in invitation URLs leads to access control bypass via the use of a different enrollment flow than in the one...
Stored XSS in the module named "Website settings"
Description: Our engineer found security problems when testing our website. And I have tested the demo website you provided. I found that there is indeed an XSS vulnerability. I hope you can check and provide a fix as soon as possible. Thanks. The reason for the vulnerability is that you have...
CVE-2022-47926
AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fstdel.inc.php...
CVE-2022-36222
Nokia Fastmile 3tg00118abad52 devices shipped by Optus come with a default hardcoded admin account (admin:Nq+L5st7o). This account can be used locally to access the web admin interface...
Hardcoded credentials
Nokia Fastmile 3tg00118abad52 devices shipped by Optus come with a default hardcoded admin account (admin:Nq+L5st7o). This account can be used locally to access the web admin interface...
PT-2022-23264 · Nokia · Nokia Fastmile
Name of the Vulnerable Software and Affected Versions: Nokia Fastmile 3tg00118abad52 devices, affected versions not specified. Description: The issue concerns a default hardcoded admin account with the credentials admin:Nq+L5st7o. This account can be used locally to access the web admin interface...
CVE-2022-36222
CVE-2022-36222 affects Nokia Fastmile 3tg00118abad52 devices shipped by Optus. They use default hardcoded admin credentials (admin:Nq+L5st7o) that can be used locally to access the web admin interface. The CVSS v3.1 base score is 8.4 (HIGH); attack vector LOCAL, no privileges required, no user i...
WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. PoC: action=importsettings&settings=O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b&security=6960d7bb50...
WP Custom Admin Interface < 7.29 - Admin+ PHP Object Injection
The plugin unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. action=importsettings&settings=O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b&security=6960d7bb50...
CVE-2022-44393
Sanitization Management System v1.0 is vulnerable to SQL Injection via /php-sms/admin/?page=services/viewservice&id=...
CVE-2022-46333
The admin user interface in Proofpoint Enterprise Protection PPS/PoD contains a command injection vulnerability that enables an admin to execute commands beyond their allowed scope. This affects all versions 8.19.0 and below...
Command injection
The admin user interface in Proofpoint Enterprise Protection PPS/PoD contains a command injection vulnerability that enables an admin to execute commands beyond their allowed scope. This affects all versions 8.19.0 and below...
CVE-2022-46333
CVE-2022-46333 affects Proofpoint Enterprise Protection (PPS/PoD) where the admin UI contains a command injection vulnerability allowing an admin to execute commands beyond their scope. Affected versions are 8.19.0 and earlier. The underlying issue is a command execution path in the admin interfa...
PT-2022-27825 · Proofpoint · Proofpoint Enterprise Protection
Name of the Vulnerable Software and Affected Versions: Proofpoint Enterprise Protection PPS/PoD versions 8.19.0 and below. Description: The admin user interface in Proofpoint Enterprise Protection contains a command injection issue that allows an admin to execute commands beyond their allowed scop...
ImageInject <= 1.17 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. POST...
CVE-2020-23583
OPTILINK OP-XT71000N V2.2 is vulnerable to Remote Code Execution. The issue occurs when an attacker sends arbitrary code to the "PingTest" interface on "/diagpingadmin.asp", which leads to command execution. An attacker can successfully trigger the command and compromise the full system...
PT-2022-27290 · Unknown · Chameleon Plugin
Name of the Vulnerable Software and Affected Versions: Chameleon plugin versions 1.4.3 and earlier. Description: The issue is a Stored Cross-Site Scripting (XSS) vulnerability. Exploiting it requires authentication with admin or higher privileges. The estimated number of potentially...
HMS-PHP security vulnerability
HMS-PHP is a CSE309 IUB final web application project by the individual developer Pingkon Augustine Rozario. A security vulnerability exists in Pingkon HMS-PHP, stemming from an unknown function in the file /admin/admin.php, where manipulation of the parameter uname/pass can lea...
AyaCMS code issue vulnerability
AyaCMS is an extremely simple and free open source PHP website builder. AyaCMS v3.1.2 contains a security vulnerability that originates from an arbitrary file upload flaw in the component /admin/fstupload.inc.php. An attacker could use this vulnerability to execute arbitrary co...