1738 matches found

CNVD · added 2018/03/12 12:00 a.m. · 3 views

CMS Made Simple Cross-Site Scripting Vulnerability (CNVD-2018-06468)

CMS Made Simple (CMSMS) is an open source content management system (CMS) developed by the CMSMS team. The system supports role-based rights management, a wizard-based installation and update mechanism, an intelligent caching mechanism, and so on. A cross-site scripting vulnerability exists in the...

CVSS 4.8 · AI score 6.1 · EPSS 0.00559
Exploits: 1 · References: 1
OSV · added 2018/02/03 4:29 p.m. · 3 views

CVE-2018-1185

An issue was discovered in EMC RecoverPoint for Virtual Machines versions prior to 5.1.1, EMC RecoverPoint version 5.1.0.0, and EMC RecoverPoint versions prior to 5.0.1.3. Command injection vulnerability in Admin CLI may allow a malicious user with admin privileges to escape from the restricted...

CVSS 6.7 · AI score 5.9 · EPSS 0.06308
Exploits: 5 · References: 3
BDU FSTEC · added 2018/02/01 12:00 a.m. · 4 views

A vulnerability in the multiuploadify.php script, located in the administrative web interface of the Western Digital MyCloud PR4100 network storage software, allows a malicious user to execute arbitrary code with root privileges.

The vulnerability in the multiuploadify.php script, located in the administrative web interface of the Western Digital MyCloud PR4100 network storage software, stems from deficiencies in its authentication procedures. Exploiting this vulnerability allows an attacker to download the PHP script onto a...

CVSS 10 · AI score 5.6 · EPSS 0.73404
Exploits: 6 · References: 7 · Affected Software: 1
Positive Technologies · added 2018/01/29 12:00 a.m. · 5 views

PT-2018-17528 · Sangoma · Freepbx

Name of the Vulnerable Software and Affected Versions: FreePBX versions 10.13.66-32bit and 14.0.1.24 SNG7-PBX-64bit-1712-2
Description: The issue allows post-authentication SQL injection via the order parameter. It is noted that the vendor disputes this issue, stating it is intentional for users ...

CVSS 7.2 · AI score 8.2 · EPSS 0.02241
Exploits: 1 · References: 5
OSV · added 2018/01/13 12:29 a.m. · 2 views

CVE-2018-5655

An issue was discovered in the weblizar-pinterest-feeds plugin 1.1.1 for WordPress. XSS exists via the wp-admin/admin-ajax.php security parameter...

CVSS 6.1 · AI score 5.8 · EPSS 0.00795
Exploits: 1 · References: 1
OSV · added 2018/01/12 5:29 p.m. · 3 views

CVE-2017-18014

An issue (NC-25986) was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center - Log Viewer) in the filter option "Web Server Protection" in the webadmin...

CVSS 6.1 · AI score 5.8 · EPSS 0.02351
Exploits: 2 · References: 4
CNVD · added 2018/01/11 12:00 a.m. · 4 views

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability (CNVD-2018-01388)

Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is the call-processing component of Cisco's unified communications system. The component provides a scalable, distributable and highly available enterprise IP telephony call processing solution. A cross-site scripting...

CVSS 6.1 · AI score 6.5 · EPSS 0.01729
Exploits: 0 · References: 1
Talos · added 2018/01/09 12:00 a.m. · 44 views

CPP-Ethereum JSON-RPC miner_stop improper authorization Vulnerability

Summary: An exploitable improper authorization vulnerability exists in the miner_stop API of cpp-ethereum's JSON-RPC, commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause access to restricted functionality, resulting in an authorization bypass. An attacker can send JSON to trigge...

CVSS 8.1 · AI score 6.2 · EPSS 0.0163
Exploits: 2
Talos · added 2018/01/09 12:00 a.m. · 51 views

CPP-Ethereum JSON-RPC miner_start improper authorization Vulnerability

Summary: An exploitable improper authorization vulnerability exists in the miner_start API of cpp-ethereum's JSON-RPC, commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause access to restricted functionality, resulting in an authorization bypass. An attacker can send JSON to trigg...

CVSS 8.1 · AI score 6.2 · EPSS 0.01387
Exploits: 2
Hacker One · added 2017/12/23 1:23 a.m. · 38 views

Razer US: SQL Injection on careers.razerzone.com within the Admin interface without any access credentials

The researcher discovered a SQL Injection vulnerability on our careers.razerzone.com host, which is used to list job openings for Razer worldwide and receive application submissions from potential hires. This vulnerability could have allowed the exfiltration of admin credentials as well as person...

AI score 8.4
Exploits: 0
Cvelist · added 2017/12/19 7:00 a.m. · 22 views

CVE-2017-17758

TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zonegetifacebydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd...

AI score 9 · EPSS 0.02644
Exploits: 1 · References: 1
BDU FSTEC · added 2017/12/14 12:00 a.m. · 4 views

A vulnerability in the administrative web interface of the dnaTools dnaLIMS software allows an attacker to execute arbitrary commands.

The vulnerability in the administrative web interface of the dnaTools dnaLIMS software stems from a lack of sanitization of incoming data. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands using specially crafted POST requests sent to the address...

CVSS 10 · AI score 5.9 · EPSS 0.574
Exploits: 9 · References: 5 · Affected Software: 1
CNVD · added 2017/12/04 12:00 a.m. · 3 views

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability (CNVD-2017-36401)

Cisco Unified Communications Manager (CUCM, Unified CM, CallManager) is the call-processing component of Cisco's unified communications system. The component provides a scalable, distributable and highly available enterprise IP telephony call processing solution. A cross-site scripting...

CVSS 5.4 · AI score 6.7 · EPSS 0.00891
Exploits: 0 · References: 1
OSV · added 2017/11/29 7:29 p.m. · 3 views

CVE-2017-14189

An improper access control vulnerability in Fortinet FortiWebManager 5.8.0 allows anyone who can reach the admin web UI to log in successfully regardless of the password provided...

CVSS 9.8 · AI score 5.8 · EPSS 0.0278
Exploits: 0 · References: 3
CNVD · added 2017/11/29 12:00 a.m. · 2 views

Command Injection Vulnerability in Multiple TP-Link Products (CNVD-2017-37955)

TP-Link TL-WVR and others are wireless router products from China P&L TP-LINK. A command injection vulnerability exists in multiple TP-Link products. The vulnerability can be exploited to execute arbitrary commands by sending the admin/interface command with shell metacharacters in the tbindif...

CVSS 9 · AI score 8.4 · EPSS 0.02359
Exploits: 0 · References: 1
Prion · added 2017/11/27 10:29 a.m. · 14 views

Command injection

TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the tbindif field of an admin/interface command to cgi-bin/luci, related to the getdevicebyif function in /usr/lib/lua/luci/controller/admin/interface.lua in...

CVSS 9 · AI score 8.8 · EPSS 0.02359
Exploits: 0 · References: 1 · Affected Software: 17
Packet Storm · added 2017/11/17 12:00 a.m. · 34 views

phpMyFAQ 2.9.9 Code Injection

Exploit Title: PHPMYFAQ 2.9.9 Code Injection
Google Dork: NA
Date: Nov 6 2017
Exploit Author: tomplixsee
Author blog: cupuzone.wordpress.com
Vendor Homepage: http://www.phpmyfaq.de
Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip
Version: 2.9.9
Tested on: Ubuntu Server 16.04, PHP...

AI score 7.1
Exploits: 0
CNVD · added 2017/11/06 12:00 a.m. · 3 views

Dynamic News Magazine&Blog CMS SQL Injection Vulnerability

Dynamic News Magazine&Blog CMS is a content management system mainly used for information websites. A SQL injection vulnerability exists in Dynamic News Magazine&Blog CMS version 1.0. A remote attacker can inject SQL commands by sending the 'id' parameter to the admin/adminprocess.php file...

CVSS 9.8 · AI score 8 · EPSS 0.0259
Exploits: 5 · References: 1
OSV · added 2017/10/25 6:29 a.m. · 3 views

CVE-2017-15885

Reflected XSS in the web administration portal on the Axis 2100 Network Camera 2.03 allows an attacker to execute arbitrary JavaScript via the confLayoutOwnTitle parameter to view/view.shtml. NOTE: this might overlap CVE-2007-5214...

CVSS 6.1 · AI score 6 · EPSS 0.00609
Exploits: 1 · References: 1
OSV · added 2017/10/19 5:29 p.m. · 2 views

CVE-2017-10055

Vulnerability in the Oracle iPlanet Web Server component of Oracle Fusion Middleware (subcomponent: Admin Graphical User Interface). The supported version that is affected is 7.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle...

CVSS 6.1 · AI score 7.3 · EPSS 0.0144
Exploits: 0 · References: 3