1440 matches found
CVE-2023-37786
Multiple cross-site scripting (XSS) vulnerabilities in Geeklog v2.2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Mail Settings[backend], Mail Settings[host], Mail Settings[port] and Mail Settings[auth] parameters of the /admin/configuration.php...
Cross site scripting
A stored cross-site scripting (XSS) vulnerability in index.php?menu=billingrates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module...
Cross site scripting
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature...
CVE-2023-37134
A stored cross-site scripting (XSS) vulnerability in the Basic Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
Command injection
Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This OS command injectio...
CVE-2020-21861
A file upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary PHP code via duxcms/AdminUpload/upload...
PT-2023-19690 · Milesight · Milesight Ur32L
Name of the Vulnerable Software and Affected Versions: Milesight UR32L version 32.3.0.5. Description: The issue is related to OS command injection vulnerabilities in the urvpn_client cmd_name_action functionality. A specially crafted network request can lead to arbitrary command execution. An...
PT-2023-19691 · Milesight · Milesight Ur32L
Name of the Vulnerable Software and Affected Versions: Milesight UR32L version 32.3.0.5. Description: The issue is related to OS command injection vulnerabilities in the urvpn_client cmd_name_action functionality. A specially crafted network request can lead to arbitrary command execution. An...
CVE-2020-23452
A cross-site scripting (XSS) vulnerability in Selenium Grid v3.141.59 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the hub parameter under the /grid/console page...
RG-BCR860 OS Command Injection Vulnerability in Beijing StarNet Ruijie Network Technology Co.
The RG-BCR860 is a commercial cloud router from Ruijie Networks China. Ltd. The RG-BCR860 version 2.5.13 suffers from an operating system command injection vulnerability that originates from the failure of the component Network Diagnostic Page to correctly filter constructed command special...
CVE-2021-30203
A reflected cross-site scripting (XSS) vulnerability in the zero parameter of dzzoffice 2.02.1SCUTF8 allows attackers to execute arbitrary web scripts or HTML...
Code injection
A compromised child process could have injected XBL Bindings into privileged CSS rules, resulting in arbitrary code execution and a sandbox escape. This vulnerability affects Firefox 70...
CVE-2023-32753
OMICARD EDM’s file uploading function does not restrict the upload of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files to perform arbitrary system commands or disrupt service...
CVE-2023-32753
This CVE appears in OMICARD EDM where the file upload function does not restrict uploading of dangerous file types. The root cause is a lack of validation for uploaded content, allowing an unauthenticated attacker to upload and execute arbitrary executables, potentially enabling system commands o...
CVE-2023-33443
Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allows attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints...
CVE-2023-30400
An issue was discovered in Anyka Microelectronics AK3918EV300 MCU v18. A command injection vulnerability in the network configuration script within the MCU's operating system allows attackers to perform arbitrary command execution via a crafted wifi SSID or password...
Ubuntu: Security Advisory (USN-6125-1)
The remote host is missing an update for the...
CVE-2023-33962
JStachio is a type-safe Java Mustache templating engine. Prior to version 1.0.1, JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of other users...
Cross site scripting
A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php...