CVE-2025-6519 Consistent predictable generation of the password for the default admin user "ONEDAY" to the application services
E3 Site Supervisor firmware version 2.31F01 has a default admin user "ONEDAY" with a daily generated password. An attacker can predictably generate the password for ONEDAY. The oneday user cannot be deleted or modified by any user...
CVE-2025-53105 GLPI permits unauthorized rules execution order
GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change th...
K000153161: Ansible Tower vulnerability CVE-2019-19340
Security Advisory Description A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmqenablemanager=true' exposes the RabbitMQ management interface publicly, as expected. If the default admin user is sti...
CVE-2025-44002
CVE-2025-44002 affects TeamViewer Full Client and TeamViewer Host before version 15.69 on Windows. The root cause is a race condition in the directory validation logic, allowing a local non-admin user to exploit symbolic-link manipulation to create arbitrary files with SYSTEM privileges, potentia...
CVE-2025-9433 mtons mblog Admin Panel list cross site scripting
A vulnerability was found in mtons mblog up to 3.5.0. The affected element is an unknown function of the file /admin/user/list in the Admin Panel component. Manipulating the argument Name results in cross-site scripting. The attack may be initiated remotely. The exploit has been mad...
CVE-2025-9433
CVE-2025-9433 affects mtons mblog up to version 3.5.0. The vulnerability is an XSS in the Admin Panel, specifically in the /admin/user/list function where manipulating the Name parameter can trigger cross-site scripting. Exploitation can be performed remotely, and public PoCs exist. Several conne...
mblog security vulnerability
mblog is a blog system by langhsu individual developer. A security vulnerability exists in mblog 3.5.0 and earlier versions, which originates from a cross-site scripting attack due to a misuse of the parameter Name in the file /admin/user/list...
PT-2025-34725 · Unknown · Mtons Mblog
Name of the vulnerable software and affected versions: mtons mblog versions up to 3.5.0. Description: A vulnerability exists in mtons mblog up to version 3.5.0. The issue is located in an unknown function within the /admin/user/list file of the Admin Panel component. Manipulation of the Name...
CVE-2025-57760
Langflow contains a privilege-escalation vulnerability in its container runtime: an authenticated user with RCE can invoke the CLI binary at /app/.venv/bin/langflow (langflow superuser) to create a new administrative user, granting full superuser access and compromising the instance. Affected beh...
Linux Distros Unpatched Vulnerability : CVE-2017-5368
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross-Site Request Forgery), which allows a remote attacker to make...
GHSA-V22V-XWH7-2VRM UnoPim vulnerable to remote code execution through Arbitrary File upload
Summary: Affected functionality: image upload at user creation. Endpoint: /admin/settings/users/create. Details: The image upload at the user creation feature performs only client-side file type validation. A user can capture the request by uploading an image, capture the request through a proxy lik...
PT-2025-33823 · Hcl · Hcl Digital Experience
Name of the vulnerable software and affected versions: HCL Digital Experience, affected versions not specified. Description: HCL Digital Experience is susceptible to cross-site scripting (XSS) within an administrative user interface that has restricted access. Recommendations: At the moment, there is...
CVE-2025-7808
The CVE-2025-7808 issue affects the WP Shopify WordPress plugin prior to version 1.5.4, where an input parameter is not sanitized/escaped before being reflected on the page, enabling a Reflected XSS against high-privilege users (e.g., admins). Multiple sources (Red Hat, patchstack, NVD/NVD-enrich...
CVE-2025-2180 Checkov by Prisma Cloud: Unsafe Deserialization of Terraform Files Allows Code Execution
An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non-administrative user by scanning a malicious Terraform file when using Checkov in Prisma® Cloud. This issue impacts Checkov 3.0 versions earlier th...
CVE-2025-8807
A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed...
tianti security vulnerability
tianti is a lightweight Java CMS solution by the individual developer jeffry. A security vulnerability exists in tianti 2.3 and earlier versions, which originates from the function exportOrder in the file /tianti-module-admin/user/ajax/save, resulting in a CSV injection that could lead to a remot...
pybbs code injection vulnerability
pybbs is a Java community platform by the individual developer iuiu. A code injection vulnerability exists in pybbs 6.0.0 and earlier versions, which stems from improper handling of the parameter Username in the file /admin/user/list and could lead to a cross-site scripting attack...
AK-Nord USB-Server-LXL Privilege Escalation
AK-Nord USB-Server-LXL with firmware versions up to 0.0.16 Build 2023-03-13 suffers from a local privilege escalation vulnerability that achieves root. ================== Overview ================== TL;DR: Using the low-privilege "admin" user account via SSH on the IoT device "USB-Server-LXL" 1, i...
Online Ordering System user.php File SQL Injection Vulnerability
Online Ordering System is an online ordering system. It has a SQL injection vulnerability that originates from the unfiltered parameter un in the /admin/user.php file, which allows manipulation of database queries. No further details of the vulnerability are available at this time...