31 matches found
CVE-2018-25321
The CVE-2018-25321 entry describes a CSRF vulnerability in all versions of the TP-Link TL-WR720N router. An attacker can induce an authenticated user who visits an attacker-controlled page to perform unauthorized actions, specifically modification of port forwarding rules via VirtualServe...
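Added example, not code from the CVE record or from TP-Link: a Python model of a cookie-authenticated router admin handler, first in the vulnerable shape (a valid session cookie is the only check) and then with the two controls that stop a cross-site request, an Origin check and a per-session anti-CSRF token. The router origin, the handler and form field names and the LAN addresses are assumptions for illustration; none of this is the TL-WR720N's real interface.

```python
import hmac
import secrets

# Constructed model of a cookie-authenticated router admin endpoint. The origin,
# form fields and handler name are assumptions, not the TL-WR720N's real interface.
ROUTER_ORIGIN = "http://192.168.0.1"


class RouterAdmin:
    def __init__(self, csrf_protected):
        self.csrf_protected = csrf_protected
        self.sessions = {}       # session cookie -> username
        self.csrf_tokens = {}    # session cookie -> per-session anti-CSRF token
        self.port_forwards = []  # (external port, internal ip, internal port)

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        self.csrf_tokens[sid] = secrets.token_hex(16)
        return sid

    def add_virtual_server(self, cookie_sid, form, origin):
        """State-changing handler. Returns True if the port-forwarding rule was added."""
        # The browser attaches the session cookie to any request aimed at the router,
        # so a valid cookie only proves that some logged-in browser sent it.
        if cookie_sid not in self.sessions:
            return False
        if self.csrf_protected:
            # Reject requests the browser reports as coming from another site.
            if origin is not None and origin != ROUTER_ORIGIN:
                return False
            # Require the per-session token, which a foreign page cannot read.
            expected = self.csrf_tokens[cookie_sid]
            if not hmac.compare_digest(form.get("csrf_token", ""), expected):
                return False
        self.port_forwards.append((int(form["ext_port"]), form["int_ip"], int(form["int_port"])))
        return True


def cross_site_request(csrf_protected):
    """Victim is logged in; a page on attacker.example auto-submits a form to the router."""
    router = RouterAdmin(csrf_protected)
    victim_sid = router.login("admin")
    # No token in the forged form: the attacker's page has no way to read it.
    forged = {"ext_port": "2222", "int_ip": "192.168.0.10", "int_port": "22"}
    return router.add_virtual_server(victim_sid, forged, origin="http://attacker.example")


def same_site_request():
    """The router's own admin page submits the form with its token from the same origin."""
    router = RouterAdmin(csrf_protected=True)
    sid = router.login("admin")
    form = {"ext_port": "8080", "int_ip": "192.168.0.20", "int_port": "80",
            "csrf_token": router.csrf_tokens[sid]}
    return router.add_virtual_server(sid, form, origin=ROUTER_ORIGIN)
```

Without protection, cross_site_request(False) adds the attacker's rule; with it, cross_site_request(True) is refused while same_site_request() still succeeds. The token check is the one that matters on old embedded devices, since browsers that omit the Origin header on some requests would otherwise pass the first check.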
CVE-2025-70365
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected...
PT-2026-31638
A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected...
CVE-2025-70365
Kiamo has a stored XSS vulnerability in versions before 8.4 due to improper output encoding of user input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript that executes in other users’ browsers. The CVE record notes a prior fix for the 8.3.1 branc...
GHSA-8FQ3-C5W3-PJ3Q CI4MS: Account Deactivation Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
Summary. Vulnerability: Improper Session Invalidation on Account Deactivation (Broken Access Control / Logic Flaw). The vulnerability is caused by a backend logic flaw resting on a false trust assumption: users who have already authenticated are treated as trustworthy even after their accounts are...
CI4MS: Account Deletion Module Grants Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)
Summary. Vulnerability: Improper Session Invalidation on Account Deletion (Broken Access Control / Logic Flaw). The vulnerability is caused by a backend logic flaw resting on a false trust assumption: users who have already authenticated are treated as trustworthy even after their accounts are explicitly...
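Added example covering both CI4MS entries above (deactivation and deletion); it is a Python model written for this page, not CI4MS's own code, and the account fields, role names and method names are assumptions. It contrasts the flawed pattern, where identity and role are read back from the session record written at login, with a handler that re-checks the account table on every request and carries a session version that a deactivation bumps.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    role: str
    active: bool = True
    session_version: int = 0  # bumped on deactivation so sessions issued earlier stop matching


class App:
    """Constructed model of a session-cookie web app; not CI4MS's own code."""

    def __init__(self, revalidate_each_request):
        self.revalidate = revalidate_each_request
        self.accounts = {}   # username -> Account (the account table)
        self.sessions = {}   # session id -> dict written at login time

    def register(self, username, role):
        self.accounts[username] = Account(username, role)

    def login(self, username):
        acct = self.accounts.get(username)
        if acct is None or not acct.active:
            return None
        sid = secrets.token_hex(16)
        # Identity and role are copied into the session at login time.
        self.sessions[sid] = {"username": username, "role": acct.role,
                              "version": acct.session_version}
        return sid

    def deactivate(self, username):
        acct = self.accounts[username]
        acct.active = False
        acct.session_version += 1   # even if reactivated later, old sessions stay dead

    def delete(self, username):
        del self.accounts[username]

    def current_user(self, sid):
        """Resolve a session to an account, or None if the request must be rejected."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if not self.revalidate:
            # Flawed pattern: the session record is trusted because it was valid
            # when it was written; nothing consults the account table again.
            return Account(sess["username"], sess["role"])
        # Hardened pattern: the account must still exist, still be active, and the
        # session must carry the current version.
        acct = self.accounts.get(sess["username"])
        if acct is None or not acct.active or acct.session_version != sess["version"]:
            self.sessions.pop(sid, None)  # drop the stale session
            return None
        return acct

    def admin_action(self, sid):
        user = self.current_user(sid)
        return user is not None and user.role == "admin"


def scenario(revalidate_each_request, action):
    """Log in, perform an admin action, deactivate or delete the account, then
    retry with the same cookie. Returns (allowed before, allowed after)."""
    app = App(revalidate_each_request)
    app.register("alice", "admin")
    sid = app.login("alice")
    before = app.admin_action(sid)
    getattr(app, action)("alice")   # "deactivate" or "delete"
    after = app.admin_action(sid)
    return before, after
```

scenario(False, "delete") returns (True, True): the account row is gone, yet the cookie still acts as admin because the role lives in the session. scenario(True, "delete") returns (True, False). The same pair of results holds for "deactivate".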
EUVD-2026-18076
CI4MS: Menu Management Pages Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS...
Cross-site Scripting (XSS)
Overview: ci4-cms-erp/ci4ms is a package installed via composer create-project ci4-cms-erp/ci4ms. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Methods Management process. An attacker can execute arbitrary JavaScript code in the context of administrative interfaces and global...
CVE-2025-9804
The CVE-2025-9804 entry concerns multiple WSO2 products (e.g., API Manager family) with an improper access-control flaw due to insufficient permission enforcement in internal SOAP Admin Services and System REST APIs. The root cause is limited access-control checks on internal interfaces, allowing...
EUVD-2014-7170
Malware in sbrugna...
EUVD-2024-54338
Malicious code in bioql PyPI...
CVE-2024-12021 Stored Cross-Site Scripting
Coverity versions prior to 2024.9.0 are vulnerable to stored cross-site scripting (XSS) in various administrative interfaces. The impact of exploitation may result in the compromise of local accounts managed by the Coverity platform as well as other standard impacts resulting from cross-site...
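Added example serving the Kiamo (CVE-2025-70365), CI4MS and Coverity (CVE-2024-12021) stored-XSS entries above; it is illustration code written for this page, not taken from any of those products, and the template, field name and payloads are constructed. It renders an admin-editable display name into both an HTML attribute and element text, once by plain concatenation (the "improper output encoding" the entries describe) and once through context-appropriate encoding, then parses each result the way a browser would to see whether data became markup.

```python
import html
from html.parser import HTMLParser

# Constructed template: an admin-editable display name rendered into an HTML
# attribute and into element text. Not code from Kiamo, CI4MS or Coverity.


def render_unsafe(display_name):
    # Flawed: user-supplied text is concatenated straight into the markup.
    return '<div class="user" title="' + display_name + '">' + display_name + '</div>'


def render_safe(display_name):
    # Hardened: encode for the element-text and double-quoted-attribute contexts.
    # quote=True also encodes " and ', which is what keeps the attribute closed.
    encoded = html.escape(display_name, quote=True)
    return '<div class="user" title="' + encoded + '">' + encoded + '</div>'


class MarkupCollector(HTMLParser):
    """Records every start tag and attribute name the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attr_names = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def injected_markup(rendered, expected_tags=("div",), expected_attrs=("class", "title")):
    """Parse the output and return (extra tags, extra attribute names) beyond what
    the template itself emits. Both lists empty means the data stayed data."""
    collector = MarkupCollector()
    collector.feed(rendered)
    collector.close()
    extra_tags = [t for t in collector.tags if t not in expected_tags]
    extra_attrs = sorted(set(collector.attr_names) - set(expected_attrs))
    return extra_tags, extra_attrs


# Constructed payloads, one per injection context.
PAYLOADS = {
    "element text": "<script>alert(1)</script>",
    "attribute breakout": 'x" onmouseover="alert(1)',
}


def compare_renderers():
    """For each payload, report whether the unsafe and safe renderers leak markup."""
    return {name: {"unsafe": injected_markup(render_unsafe(p)) != ([], []),
                   "safe": injected_markup(render_safe(p)) != ([], [])}
            for name, p in PAYLOADS.items()}
```

The attribute payload never contains a "<", which is why encoding only angle brackets (a common partial fix) does not close the hole; html.escape with quote=True covers both contexts used here, but a URL or JavaScript context would need its own encoder.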
CVE-2024-27168 Hardcoded keys used to generate authentication cookies
Some hardcoded keys appear to be used for authentication to an internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. For the affected products/models/versions, see the reference URL...
CVE-2024-27168
CVE-2024-27168 involves hardcoded keys used to generate authentication cookies for internal APIs on Toshiba e‑STUDIO/MFP devices. Connected sources state that knowledge of these private keys may let an attacker bypass authentication and reach the administrative interfaces, enabling information disclosure or cont...
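Added example for the CVE-2024-27168 entries above, written for this page and not taken from Toshiba firmware: a Python model of an HMAC-signed authentication cookie. The key bytes, claim names and cookie layout are constructed assumptions. It shows why the signature scheme itself is sound (a tampered body is still rejected) and why the flaw is in key management: a key compiled into the firmware image is shared by every unit, so anyone who extracts it from one image can mint an admin cookie for all of them, whereas a key generated on each unit rejects the same forgery.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a key compiled into a firmware image and therefore
# identical on every unit. Key material, claim names and cookie layout are
# assumptions for illustration, not the Toshiba format.
FIRMWARE_KEY = b"example-key-baked-into-firmware"


def make_cookie(key, claims):
    """Encode claims and append an HMAC-SHA256 tag computed with `key`."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(key, cookie):
    """Return the claims if the tag verifies under `key`, else None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def forge_admin_cookie(extracted_key):
    """What an attacker does after pulling the key out of one firmware image:
    mint a cookie for the admin role without ever authenticating."""
    return make_cookie(extracted_key, {"user": "admin", "role": "administrator"})


def device_with_firmware_key_accepts_forgery():
    cookie = forge_admin_cookie(FIRMWARE_KEY)
    claims = verify_cookie(FIRMWARE_KEY, cookie)   # every unit verifies with the same key
    return claims is not None and claims["role"] == "administrator"


def device_with_per_unit_key_rejects_forgery():
    unit_key = secrets.token_bytes(32)  # generated on this unit at first boot, never in the image
    cookie = forge_admin_cookie(FIRMWARE_KEY)
    return verify_cookie(unit_key, cookie) is None


def tampered_body_rejected():
    """The HMAC still does its job against body edits; the problem is who holds the key."""
    cookie = make_cookie(FIRMWARE_KEY, {"user": "guest", "role": "user"})
    _, _, tag = cookie.rpartition(".")
    edited = base64.urlsafe_b64encode(b'{"role": "administrator", "user": "guest"}').decode()
    return verify_cookie(FIRMWARE_KEY, edited + "." + tag) is None
```

When reviewing firmware for this class of bug, look for the cookie key in the image (a string literal, a config file shipped in the squashfs, or a constant derived from a public value such as the model name); the per-unit key in the second function is the pattern to look for instead, stored in writable flash and created at provisioning or first boot.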
Juniper Junos OS Vulnerability (JSA11141)
The version of Junos OS installed on the remote host is affected by a vulnerability as referenced in the JSA11141 advisory. - This issue is not applicable to NFX NextGen Software. On NFX Series devices the use of Hard-coded Credentials in Juniper Networks Junos OS allows an attacker to take over...
PT-2023-25394 · Unknown · Metersphere
Name of the Vulnerable Software and Affected Versions: Metersphere versions prior to 2.10.2 LTS
Description: Metersphere is an open source continuous testing platform. In the affected versions, some key APIs lack permission checks, allowing ordinary users to execute APIs that can only be executed...
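Added example serving the WSO2 (CVE-2025-9804) and Metersphere (PT-2023-25394) entries above, both of which describe APIs that check only that a caller is logged in and not what the caller is permitted to do. The code is written for this page; the roles, permission names, endpoints and handlers are constructed and are not the real MeterSphere or WSO2 APIs. It contrasts an authentication-only decorator with one that enforces a named permission, and adds the check a practitioner wants in CI: a walk over the route table that lists every state-changing route whose handler declares no permission.

```python
from functools import wraps

# Constructed role/permission model and route table for illustration; not
# MeterSphere's or WSO2's real roles, endpoints or APIs.
ROLE_PERMISSIONS = {
    "admin": {"project:read", "project:delete", "user:manage"},
    "user": {"project:read"},
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticated(fn):
    """Only checks that *someone* is logged in. Used alone on a privileged
    operation, this is the flaw the entries describe: any ordinary user passes."""
    @wraps(fn)
    def wrapper(principal, *args, **kwargs):
        if principal is None:
            raise Unauthenticated()
        return fn(principal, *args, **kwargs)
    return wrapper


def requires(permission):
    """Checks authentication and that the caller's role carries `permission`.
    Records the requirement on the handler so a route audit can see it."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if principal is None:
                raise Unauthenticated()
            if permission not in ROLE_PERMISSIONS.get(principal["role"], set()):
                raise Forbidden(f"{principal['name']} lacks {permission}")
            return fn(principal, *args, **kwargs)
        wrapper.required_permission = permission
        return wrapper
    return decorate


@authenticated
def delete_project_flawed(principal, project_id):
    return f"deleted project {project_id}"


@requires("project:delete")
def delete_project(principal, project_id):
    return f"deleted project {project_id}"


@requires("project:read")
def list_projects(principal):
    return ["p1", "p2"]


ROUTES = {
    "GET /api/projects": list_projects,
    "DELETE /api/projects/{id}": delete_project,
    "DELETE /api/legacy/projects/{id}": delete_project_flawed,
}


def unprotected_mutating_routes(routes):
    """Audit: state-changing routes whose handler declares no permission requirement.
    Run in CI so a new endpoint cannot ship without one."""
    return sorted(path for path, handler in routes.items()
                  if path.split()[0] in {"POST", "PUT", "PATCH", "DELETE"}
                  and getattr(handler, "required_permission", None) is None)
```

With these definitions, delete_project_flawed succeeds for a "user" principal while delete_project raises Forbidden for the same caller, and the audit reports only the legacy route. Internal or "admin service" interfaces deserve the same audit as public ones, since the WSO2 entry's point is precisely that the internal SOAP and REST surfaces had weaker checks.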
CVE-2021-31384
Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an attacker who attempts to access J-Web administrative interfaces can successfully do so from any...