CVE-2025-66205 Frappe has the possibility of SQL Injection due to improper validations
Frappe is a full-stack web application framework. Prior to 15.86.0 and 14.99.2, a certain endpoint was vulnerable to error-based SQL injection due to lack of validation of parameters. Some information like version could be retrieved. This vulnerability is fixed in 15.86.0 and 14.99.2...
Cross-site Scripting (XSS)
Overview: Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the /server-islands/name endpoint when handling the e, s and p parameters. An attacker can execute...
Liferay Portal and Liferay DXP Cross-Site Request Forgery Vulnerability
Liferay Portal and Liferay DXP are both products of Liferay, Inc. Liferay Portal is a J2EE-based portal solution. The solution uses technologies such as EJB and JMS, and can be used as a web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DX...
CVE-2024-37023 Vonets WiFi Bridges Command Injection
Multiple OS command injection vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge repeaters, software versions 3.3.23.6.9 and prior, enable an authenticated remote attacker to execute arbitrary OS commands via various endpoint parameters...
CVE-2024-4309
SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints /user/transaction.php?id=1, /user/credit-debittransaction.php?id=1, /user/viewtransaction.php?id=1 and...
WithSecure products Cross-site Scripting Vulnerability
WithSecure products are a series of security software from the Finnish company WithSecure. A cross-site scripting vulnerability exists in WithSecure Policy Manager version 15, which stems from allowing XSS via unverified parameters in an endpoint...
Uptime Kuma Cross-Site Scripting Vulnerability
Uptime Kuma is an easy-to-use self-hosted monitoring tool from the individual developer Louis Lam. A cross-site scripting vulnerability exists in Uptime Kuma version v1.19.6 and earlier. An attacker can exploit this vulnerability to execute arbitrary commands via the description, title, footer, and...
VulnCheck KEV: CVE-2022-27926
Synacor Zimbra Collaboration Suite ZCS contains a cross-site scripting vulnerability by allowing an endpoint URL to accept parameters without sanitizing...
Authorization Bypass
NopCommerce.Core is vulnerable to authorization bypass. The vulnerability is due to the AddressEdit function in CustomerController.cs not properly removing redundant address endpoint parameters, allowing a malicious user to modify the addresses of other users on the site...
CVE-2021-35045
Cross site scripting XSS vulnerability in Ice Hrm 29.0.0.OS, allows attackers to execute arbitrary code via the parameters to the /app/ endpoint...
Cisco HyperFlex HX Unauthenticated Command Injection Vulnerabilities (CVE-2021-1497, CVE-2021-1498)
CVE-2021-1497 and/or CVE-2021-1498 Command injection in the /storfs-asup endpoint’s token and mode parameters. Patch --- unpatched/web.xml 2021-05-17 19:06:17.000000000 -0500 +++ patched/web.xml 2021-05-17 19:06:23.000000000 -0500 @@ -69,17 +69,6 @@ - Springpath Storfs ASUP -...
CVE-2021-21248 Post-Auth Arbitrary Code execution via Groovy script injection
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job paramete...
Western Digital My Cloud Command Injection
Western Digital My Cloud vulnerable to multiple command injection vulnerabilities. Remco Vermeulen, January 2017...