PT-2024-1657 · Solarwinds · Solarwinds Orion Platform

Name of the Vulnerable Software and Affected Versions: SolarWinds Orion Platform affected versions not specified Description: A SQL Injection Remote Code Execution vulnerability was found in the SolarWinds Platform, which can be exploited using a create statement. This issue requires user...

Vulnerabilities fixed in QNAP QTS and QTS Hero

QNAP has fixed vulnerabilities in QTS and QTS Hero. A malicious party can exploit the vulnerabilities to bypass security measures, grant himself elevated privileges granted and execute code with administrator privileges and gain access to sensitive data on the vulnerable system. Successful misuse...

PT-2024-14825 · Axis Communications · Axis Os

Name of the Vulnerable Software and Affected Versions: AXIS OS versions affected versions not specified Description: The VAPIX API tcptest.cgi did not have sufficient input validation, allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an...

Vinchin Backup and Recovery Security Vulnerabilities

Vinchin Backup and Recovery is an easy-to-use, safe and reliable virtual machine data protection software from China Yunqi Technology Vinchin. It is used for backup and recovery. A security vulnerability exists in Vinchin Backup and Recovery v7.2. An attacker can exploit the vulnerability to...

CVE-2023-7069

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advancediframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Vulnerability fixed in Progress MOVEit Transfer

Progress has fixed a vulnerability in MOVEit Transfer. A malicious party could exploit the vulnerability to cause a denial-of-service attack. For successful abuse, the malicious party must have prior authentication. Progress has released updates to fix the vulnerability in MOVEit Transfer 2023.1....

CVE-2023-52324

An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any...

CVE-2023-49647

Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access...

GHSA-PXMR-Q2X3-9X9M Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)

Summary The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd, reloadcmd and restartcmd. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sendi...

CVE-2024-0252

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability...

CVE-2024-0252

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability...

CVE-2024-0252 Remote code execution

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability...

D-Link DIR-X3260 prog.cgi SetWLanRadioSecurity Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the prog.cgi binary, which handles HNAP requests made to the lighttpd...

D-Link DIR-X3260 prog.cgi SetSysEmailSettings Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Authentication is required to exploit this vulnerability. The specific flaw exists within the prog.cgi binary, which handles HNAP requests made to the lighttpd...

PT-2024-4189 · NetGear +1 · Netgear Prosafe Network Management System +1

Name of the Vulnerable Software and Affected Versions: NETGEAR ProSAFE Network Management System affected versions not specified Description: The vulnerability is related to insufficient input validation in the Tomcat component of the NETGEAR ProSAFE Network Management System. This allows a remot...

ipa: Invalid CSRF protection

A Cross-site request forgery vulnerability exists in ipa/session/loginpassword in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During...

UBUNTU-CVE-2023-5455

A Cross-site request forgery vulnerability exists in ipa/session/loginpassword in all supported versions of IPA. This flaw allows an attacker to trick the user into submitting a request that could perform actions as the user, resulting in a loss of confidentiality and system integrity. During...

PT-2024-1510 · Cisco · Cisco Prime Infrastructure +1

Name of the Vulnerable Software and Affected Versions: Cisco Prime Infrastructure affected versions not specified Cisco Evolved Programmable Network Manager EPNM affected versions not specified Description: A vulnerability in the web-based management interface could allow an authenticated, remote...

Inductive Automation Ignition RunQuery Deserialization of Untrusted Data Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The specific flaw exists within the RunQuery class. The issue results from the lack of proper validation of...

VulnCheck KEV: CVE-2018-16752

LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases...