9791 matches found
CVE-2022-0910
A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware...
CVE-2022-0734
A cross-site scripting vulnerability was identified in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.35 through 4.70, USG FLEX series firmware versions 4.50 through 5.20, ATP series firmware versions 4.35 through 5.20, and VPN series firmware versions 4.35 through 5.20, that coul...
CVE-2022-0734
CVE-2022-0734 describes a cross-site scripting vulnerability in Zyxel USG/ZyWALL CGI programs across multiple firmware lines (USG/ZyWALL 4.35–4.70, USG FLEX 4.50–5.20, ATP 4.35–5.20, VPN 4.35–5.20). The issue allows a malicious script to access information stored in a user’s browser, such as cook...
Zyxel USG/ZyWALL 跨站脚本漏洞
Zyxel USG/ZyWALL is a firewall from China's Heqin Technology Zyxel. A cross-site scripting vulnerability exists in the CGI program in Zyxel USG/ZyWALL versions 4.35-4.70, USG FLEX 4.50-5.20, ATP 4.35-5.20, and VPN 4.35-5.20, which stems from the presence of an input validation error, and can be...
CVE-2020-24916
CGI implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to OS command injection...
CVE-2020-29600
In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute pathname, even though it was intended to only read a file in the /etc/awstats/awstats.conf format. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000501...
CVE-2019-20800
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokeehandlercgiaddenvpair in handlercgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers...
CVE-2022-29644
TOTOLINK A3100R V4.1.2cu.5050B20200504 and V4.1.2cu.5247B20211129 were discovered to contain a hard coded password for the telnet service stored in the component /webcste/cgi-bin/product.ini...
CVE-2022-29644
CVE-2022-29644 affects TOTOLINK A3100R devices (firmware versions V4.1.2cu.5050_B20200504 and V4.1.2cu.5247_B20211129). The issue is a hard-coded password for the Telnet service stored in the component /web_cste/cgi-bin/product.ini, creating an unauthenticated control risk over the device. The NV...
new packages: perl-CGI
An update is available for perl-CGI. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list For detailed information on changes in this release, see the Rocky Enterpris...
Roundup Cross-site scripting (XSS) vulnerability
Cross-site Scripting XSS vulnerability in cgi/client.py in Roundup before 1.4.20 allows remote attackers to inject arbitrary web script or HTML via the @action parameter to support/issue1...
SDT-CW3B1 1.1.0 Command Injection
Exploit Title: SDT-CW3B1 1.1.0 - OS command injection Date: 2022-05-12 Exploit Author: Ahmed Alroky Author Company : AIactive Version: 1.0.0 Vendor home page : http://telesquare.co.kr/ Authentication Required: No CVE : CVE-2021-46422 Tested on: Windows HTTP Request GET...
WAVLINK WN535 G3 Cross-Site Scripting Vulnerability
WAVLINK WN535 G3 is a wireless router from WAVLINK China. WAVLINK WN535 G3 suffers from a cross-site scripting vulnerability, which stems from a lack of filtering and escaping of the hostname parameter in /cgi-bin/login.cgi, and can be exploited by attackers to conduct cross-site scripting attack...
The vulnerability of the USERDBDomains.Domainname function in the cgi-bin/platform.cgi file of the NETGEAR ProSafe SSL VPN network interface card’s software allows a hacker to execute arbitrary SQL queries.
The vulnerability of the USERDBDomains.Domainname function in the cgi-bin/platform.cgi file of the NETGEAR ProSafe SSL VPN network interface card’s software is related to the possibility of executing commands. Exploiting this vulnerability could allow a malicious actor to execute arbitrary SQL...
Zyxel Firewall ZTP Unauthenticated Command Injection
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Zyxel Firewall ZTP Unauthenticated Command Injection', 'Description' = %q This module exploits CVE-2022-30525, an unauthenticated remote command...
Zyxel Multiple Firewalls OS Command Injection Vulnerability
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device...
Inconsistent documentation in Apache Tomcat
As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a...
CVE-2022-29383
NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi...
CVE-2022-29383
NETGEAR ProSafe SSL VPN firmware FVS336Gv2 and FVS336Gv3 was discovered to contain a SQL injection vulnerability via USERDBDomains.Domainname at cgi-bin/platform.cgi...
Zyxel Releases Patch for Critical Firewall OS Command Injection Vulnerability
Zyxel has moved to address a critical security vulnerability affecting Zyxel firewall devices that enables unauthenticated and remote attackers to gain arbitrary code execution. "A command injection vulnerability in the CGI program of some firewall versions could allow an attacker to modify...