67 matches found
Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat
Description The Mobile Options settings does not sanitise and escape the $mboptions'fcmkey' parameter lead to stored XSS Proof of Concept Go to Mobile settings, fill XSS payload into FCM Key field kind of: somekey" Impact XSS can have huge implications for a web application and its users. User...
Cisco FXOS Software Firepower Chassis Manager XSRF (cisco-sa-fxosfcm-csrf-uhO4e5BZ)
According to its self-reported version, Cisco Firepower Extensible Operating System FXOS is affected by a cross-site request forgery vulnerability. The vulnerability is due to insufficient CSRF protections for the FCM interface. An unauthenticated, remote attacker can exploit this vulnerability b...
Smule: [com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app
Potential FCM issues across several apps investigated and remediated. Reference to Research: https://twitter.com/absshax/status/1295383047295008768?s=19...
Dynacolor FCM-MB40 Trust Management Issues Vulnerability
Dynacolor FCM-MB40 is an IP camera from Dynacolor, Taiwan, China. A trust management issue vulnerability exists in the Dynacolor FCM-MB40 v1.2.0.0. The vulnerability stems from the lack of an effective trust management mechanism in the network system or product. An attacker can exploit default...
Dynacolor FCM-MB40 Cross-Site Request Forgery Vulnerability
Dynacolor FCM-MB40 is an IP camera from Dynacolor, Taiwan, China. A cross-site request forgery vulnerability exists in scripts under cgi-bin/ in the Dynacolor FCM-MB40 v1.2.0.0, which arises from a network system or product that does not adequately verify the origin or authenticity of data, and c...
Dynacolor FCM-MB40 Command Injection Vulnerability
Dynacolor FCM-MB40 is an IP camera from Dynacolor, Taiwan, China. A security vulnerability exists in the Dynacolor FCM-MB40 v1.2.0.0. A remote attacker can exploit the vulnerability to execute arbitrary code with the help of specially crafted parameters...
CVE-2019-13401
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/...
CVE-2019-13402
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset...
CVE-2019-13400
Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info...
CVE-2019-13402
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset...
CVE-2019-13401
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/...
CVE-2019-13399
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation...
CVE-2019-13399
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation...
CVE-2019-13398
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrlsaveprofile.cgi save parameter and cgi-bin/ddns.cgi...
CVE-2019-13398
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrlsaveprofile.cgi save parameter and cgi-bin/ddns.cgi...
Hardcoded credentials
Dynacolor FCM-MB40 v1.2.0.0 devices have a hard-coded SSL/TLS key that is used during an administrator's SSL conversation...
Design/Logic Flaw
Dynacolor FCM-MB40 v1.2.0.0 use /etc/appWeb/appweb.pass to store administrative web-interface credentials in cleartext. These credentials can be retrieved via cgi-bin/getuserinfo.cgi?mode=info...
Sql injection
Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to execute arbitrary commands via a crafted parameter to a CGI script, as demonstrated by sed injection in cgi-bin/camctrlsaveprofile.cgi save parameter and cgi-bin/ddns.cgi...
Authorization
/usr/sbin/default.sh and /usr/apache/htdocs/cgi-bin/admin/hardfactorydefault.cgi on Dynacolor FCM-MB40 v1.2.0.0 devices implement an incomplete factory-reset process. A backdoor can persist because neither system accounts nor the set of services is reset...
Cross site request forgery (csrf)
Dynacolor FCM-MB40 v1.2.0.0 devices have CSRF in all scripts under cgi-bin/...