PT-2024-27488 · Unknown · Absolute Secure Access
Name of the Vulnerable Software and Affected Versions: Absolute Secure Access versions prior to 13.06 Description: There is a cross-site scripting issue in the Secure Access administrative UI. Attackers can pass a limited-length script to the administrative UI, which is then stored where an...
CVE-2024-27145
CVE-2024-27145 affects Toshiba multi-function printers. The vulnerability stems from the admin web interface file upload, enabling remote compromise and the overwriting of insecure files. Connected sources reference multiple CVEs in Toshiba MFPs and describe a post-authenticated/post-attack surfa...
CVE-2024-28965
Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API if enabled by Admin user from UI. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal...
CVE-2024-36787
An issue in Netgear WNR614 JNR1010V2 N300-V1.1.0.541.0.1 allows attackers to bypass authentication and access the administrative interface via unspecified vectors...
PT-2024-4146 · NetGear · Netgear Wnr614
Name of the Vulnerable Software and Affected Versions: Netgear WNR614 version 1.1.0.54 1.0.1 Description: The issue is related to weaknesses in the authentication procedure of the Netgear WNR614 N300 Wi-Fi router. This allows attackers to bypass authentication and access the administrative...
CVE-2024-36674
LyLmespage v1.9.5 is vulnerable to Cross Site Scripting XSS via admin/link.php...
Cross-site Scripting
Overview Affected versions of this package are vulnerable to Cross-site Scripting through the dynamic setting of form legends in administrative interfaces. An attacker can execute arbitrary scripts in the context of the administrator's session by injecting malicious content into form fields that...
cjkcms-seo (=2.4.0), wagtail-liveedit (>=0.0.9 <=0.0.10) +8 more potentially affected by CVE-2024-35228 via wagtail (>=6.0.0 <=6.0.2)
wagtail PYPI version =6.0.0, =0.0.9, =0.14.0, =0.6.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0 Source cves: CVE-2024-35228 Source advisory: OSV:GHSA-XXFM-VMCF-G33F...
Shield Security – Smart Bot Blocking & Intrusion Prevention Security < 19.1.11 - Cross-Site Request Forgery
Description The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.1.13. This is due to missing or incorrect nonce validation on the exec function. This makes it possible fo...
CB (legacy) <= 0.9.4.18 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Go to...
CVE-2023-46297
An issue was discovered on Mercusys MW325R EU V3 MW325REUV31.11.0 221019 devices. A WAN attacker can make the admin interface unreachable/invisible via an unauthenticated HTTP request. Verification of the data sent by the user does not occur. The web server does not crash, but the admin interface...
CVE-2023-46297
CVE-2023-46297 affects Mercusys MW325R EU V3 (firmware 1.11.0 221019). An unauthenticated HTTP request can render the admin interface unreachable/invisible; data verification is not performed, and affected UI files become unavailable. The web server remains up, but the admin UI is hidden, typical...
GHSA-PPM4-R2VC-PG74 SimpleSAMLphp Information Disclosure vulnerability
Background SimpleSAMLphp 1.17 includes a preview of the new user interface to be included in the future version 2.0. This new user interface can be enabled by setting the usenewui configuration option to true, and it includes a new admin interface in a module called admin, which can be disabled...
CVE-2024-35511
phpgurukul Men Salon Management System v2.0 is vulnerable to SQL Injection via the "username" parameter of /msms/admin/index.php...
CVE-2024-35559
idccms v1.35 was discovered to contain a Cross-Site Request Forgery CSRF via the component /admin/infoMovedeal.php?mudi=rev&nohrefStr=close...
CVE-2024-34241
A cross-site scripting XSS vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications...
PT-2024-25762 · Rocketsoft · Rocket Lms
Name of the Vulnerable Software and Affected Versions: Rocketsoft Rocket LMS version 1.9 Description: A cross-site scripting XSS issue allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications, potentially compromisi...