
11 matches found

OSV
added 2026/04/08 12:5 a.m. | 0 views

GHSA-7526-J432-6PPP File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands

Summary: The fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are granted executi...

CVSS 8.1 | AI score 6.1 | EPSS 0.0009
Exploits: 1 | References: 4

Vulnrichment
added 2026/04/07 4:31 p.m. | 2 views

CVE-2026-35607 File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the fix in commit b6a4fb1 "self-registered users don't get execute perms" stripped Execute permission and Commands from users created via the...

CVSS 8.1 | AI score 6.1 | EPSS 0.0009
Exploits: 1 | References: 2

RedhatCVE
added 2025/12/22 1:35 p.m. | 1 views

CVE-2025-68644

Yealink RPS before 2025-06-27 allows unauthorized access to information, including AutoP URL addresses. This was fixed by deploying an enhanced authentication mechanism through a security update to all cloud instances...

CVSS 7.4 | AI score 7 | EPSS 0.0004
Exploits: 0 | References: 1

Tenable Nessus
added 2023/07/25 12:0 a.m. | 18 views

Cisco NX-OS Software DHCP Options Command Injection (CVE-2015-0658)

The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589. This...

CVSS 7.9 | AI score 5.9 | EPSS 0.00487
Exploits: 0 | References: 3

Cisco
added 2019/03/06 4:0 p.m. | 88 views

Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

Cisco Nexus devices support an automatic provisioning or zero-touch deployment feature called PowerOn Auto Provisioning (POAP). This feature assists in automating the initial deployment and configuration of Nexus switches. POAP is enabled by default and activates on devices that have no startup...

AI score 0.5
Exploits: 0 | References: 1

NVD
added 2017/04/21 8:59 p.m. | 16 views

CVE-2016-1518

The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have...

CVSS 8.1 | AI score 8.1 | EPSS 0.00849
Exploits: 0 | References: 3

Cvelist
added 2017/04/21 8:0 p.m. | 13 views

CVE-2016-1518

The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have...

AI score 8.1 | EPSS 0.00849
Exploits: 0 | References: 3

CVE
added 2017/04/21 8:0 p.m. | 44 views

CVE-2016-1518

CVE-2016-1518 affects the Grandstream Wave app (Android, versions up to 1.0.1.26 and earlier) and Grandstream Video IP phones. The root cause is failure to use HTTPS when downloading provisioning/configuration data from http://fm.grandstream.com/gs/, enabling a man-in-the-middle to spoof provisio...

CVSS 8.1 | AI score 7.9 | EPSS 0.00849
Exploits: 0 | References: 3 | Affected Software: 1

OpenVAS
added 2016/05/12 12:0 a.m. | 31 views

Cisco NX-OS Software DHCP Options Command Injection Vulnerability (Cisco-SA-20150327-CVE-2015-0658)

A vulnerability in DHCP code used with PowerOn Auto Provisioning (POAP) of Cisco NX-OS could allow an unauthenticated, adjacent attacker to inject arbitrary commands into the Cisco NX-OS device. Copyright (C) 2016 Greenbone Networks GmbH. Some text descriptions might be excerpted from a referenced...

CVSS 7.9 | AI score 7.1 | EPSS 0.00487
Exploits: 0 | References: 1

Tenable Nessus
added 2015/04/27 12:0 a.m. | 54 views

Cisco NX-OS DHCP POAP Command Injection Vulnerability

The remote Cisco device is running a version of NX-OS software that is affected by a command injection vulnerability due to the PowerOn Auto Provisioning (POAP) feature not properly validating the DHCP options returned by POAP. An attacker on an adjacent network, using crafted DHCP packets, can...

CVSS 7.9 | AI score 6.1 | EPSS 0.00487
Exploits: 0 | References: 2

CNVD
added 2015/03/30 12:0 a.m. | 1 views

Cisco NX-OS PowerOn Auto Provisioning (POAP) Arbitrary Command Execution Vulnerability

Cisco NX-OS software is a data center-class operating system that embodies modular design, perpetuity, and maintainability. The Cisco NX-OS PowerOn Auto Provisioning (POAP) DHCP code fails to properly restrict the initialization process, allowing remote attackers to send specially crafted answer...

CVSS 7.9 | AI score 7.7 | EPSS 0.00487
Exploits: 0 | References: 1