30 matches found

Nuclei
added yesterday | 9 views

MajorDoMo - Cross-Site Scripting

MajorDoMo contains a reflected XSS caused by the unsanitized $qry parameter in command.php, letting attackers inject arbitrary JavaScript via crafted URLs; exploitation requires the victim to visit a malicious URL. id: CVE-2026-27176 info: name: MajorDoMo - Cross-Site Scripting author: DhiyaneshDk severity:...

6.1 CVSS | 6 AI score | 0.00449 EPSS
Exploits: 1 | References: 1

RedhatCVE
added 2026/02/20 1:22 a.m. | 3 views

CVE-2026-27176

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

6.1 CVSS | 5.4 AI score | 0.00449 EPSS
Exploits: 1 | References: 1

Vulnrichment
added 2026/02/18 9:10 p.m. | 4 views

CVE-2026-27176 MajorDoMo Reflected Cross-Site Scripting in command.php

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

6.1 CVSS | 5.4 AI score | 0.00449 EPSS
Exploits: 1 | References: 3

CVE
added 2026/02/18 9:10 p.m. | 15 views

CVE-2026-27176

MajorDoMo (Major Domestic Module) has a reflected XSS in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars(), both in an input field value attribute and in a paragraph element. An attacker can inject arbitrary JavaScript by crafting ...

6.1 CVSS | 5.4 AI score | 0.00449 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Positive Technologies
added 2026/02/18 12:00 a.m. | 4 views

PT-2026-20512

Name of the Vulnerable Software and Affected Versions MajorDoMo versions affected versions not specified Description MajorDoMo contains a reflected cross-site scripting XSS issue in the 'command.php' file. The $qry parameter is directly included in the HTML page without proper sanitization using...

6.1 CVSS | 5.3 AI score | 0.00449 EPSS
Exploits: 1 | References: 7

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2013-7283

Malware in sbrugna...

10 CVSS | 5.5 AI score | 0.11859 EPSS
Exploits: 1 | References: 6

BDU FSTEC
added 2025/08/11 12:00 a.m. | 6 views

A vulnerability in the command.php script of D-Link DIR-300 and DIR-600 router firmware allows an attacker to gain unauthorized access to protected information and execute arbitrary commands.

The vulnerability in the command.php script of D-Link DIR-300 and DIR-600 router firmware is related to the lack of measures taken to neutralize special elements used in operating system commands. Exploiting this vulnerability can allow an attacker, operating remotely, to ga...

10 CVSS | 6.4 AI score | 0.11859 EPSS
Exploits: 1 | References: 4 | Affected Software: 2

Cvelist
added 2023/12/17 2:00 p.m. | 28 views

CVE-2023-6901 codelyfe Stupid Simple CMS HTTP POST Request handle-command.php os command injection

A vulnerability, which was classified as critical, was found in codelyfe Stupid Simple CMS up to 1.2.3. This affects an unknown part of the file /terminal/handle-command.php of the component HTTP POST Request Handler. The manipulation of the argument command with the input whoami leads to os...

7.5 CVSS | 10 AI score | 0.02864 EPSS
Exploits: 1 | References: 3

BDU FSTEC
added 2023/02/15 12:00 a.m. | 4 views

The vulnerability in the D-Link DIR-610 network device's firmware arises from the lack of measures taken to neutralize special elements used in operating system commands. This vulnerability allows an attacker to execute arbitrary commands.

The vulnerability in the D-Link DIR-610 network device exists due to the lack of measures taken to neutralize special elements used in operating system commands. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands through the cmd parameter in the...

9 CVSS | 8 AI score | 0.21338 EPSS
Exploits: 1 | References: 7

CNVD
added 2020/07/12 12:00 a.m. | 4 views

D-Link DIR-610 Remote Code Execution Vulnerability

The D-Link DIR-610 is a wireless router from AUO D-Link of Taiwan, China. A remote code execution vulnerability exists in the D-Link DIR-610, which arises from a failure of a network system or product to properly filter specific elements of externally entered data during the construction of a cod...

8.8 CVSS | 8.4 AI score | 0.21338 EPSS
Exploits: 1 | References: 1

NVD
added 2020/07/09 1:15 p.m. | 36 views

CVE-2020-9377

D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

8.8 CVSS | 0.21338 EPSS
Exploits: 1 | References: 4

Prion
added 2020/07/09 1:15 p.m. | 20 views

Command injection

D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

6.5 CVSS | 8.8 AI score | 0.21338 EPSS
Exploits: 1 | References: 3

Cvelist
added 2020/07/09 12:06 p.m. | 38 views

CVE-2020-9377

D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

8.9 AI score | 0.21338 EPSS
Exploits: 1 | References: 3

Veracode
added 2019/12/31 4:51 a.m. | 23 views

OS Command Injection

mikehaertl/php-shellcommand is vulnerable to OS command injection. The addArg function in src/Command.php does not escape all arguments, allowing an attacker to inject arbitrary OS commands...

9.8 CVSS | 3.8 AI score | 0.04588 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Packet Storm
added 2015/10/02 12:00 a.m. | 35 views

Zemra Botnet CnC Web Panel Remote Code Execution

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Zemra Botnet CnC Web Panel Remote Code Execution', 'Description' = %q This module exploits the CnC web panel of Zemra Botnet which...

0.1 AI score
Exploits: 0

seebug.org
added 2015/05/14 12:00 a.m. | 24 views

D-Link DIR600 /command.php Command Execution Vulnerability

No description provided by source...

7.1 AI score
Exploits: 0

seebug.org
added 2014/09/11 12:00 a.m. | 16 views

espcms latest version: CSRF leading directly to getshell

Brief description: espcms latest version, CSRF leading directly to getshell. Details: First, let's look at the problem in the code. management.php:lines:711-741: function onsetsave $dbtable = dbprefix . 'config'; $commandfile = adminROOT . 'datacache/command.php'; if !$this-fun-filemode$commandfile exit'false'; $oldishtml = $this-CON'ishtml'; $sql = 'SELECT FROM '...

7 AI score
Exploits: 0

seebug.org
added 2014/07/01 12:00 a.m. | 9 views

SiteBar <= 3.3.8 command.php Modify User Action uid Parameter XSS

No description provided by source. source: http://www.securityfocus.com/bid/26126/info SiteBar is prone to multiple input-validation vulnerabilities because it fails to properly sanitize user-supplied input. These issues include: - A local file-include vulnerability - Multiple...

7.1 AI score
Exploits: 0

seebug.org
added 2013/12/12 12:00 a.m. | 20 views

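espcms Command Execution Vulnerability, can getshell (of limited use)

Brief description: As in the title. Details: getshell from the admin backend, of somewhat limited use. In the file /datacache/command.php: $CONFIG=Array //ICP filing 'icpbeian'='', //site status 'isclose'=0, //administrator email 'adminemail'='[email protected]', //site URL 'domain'='http://localhost/espcms/', //logging 'islog'=1, ………… After the site system settings are modified in the admin backend, code can be written into command.php. Visit command.php and pass parameters...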

7.1 AI score
Exploits: 0

Packet Storm
added 2013/08/09 12:00 a.m. | 27 views

D-Link Devices Unauthenticated Remote Command Execution

This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3 'D-Link Devices Unauthenticated Remote...

1 AI score
Exploits: 0