RedhatCVE
added 2026/01/09 10:54 a.m., 9 views

CVE-2022-23128

Incomplete List of Disallowed Inputs vulnerability in Mitsubishi Electric MC Works64 versions 4.00A 10.95.201.23 to 4.04E 10.95.210.01, ICONICS GENESIS64 versions 10.95.3 to 10.97, ICONICS Hyper Historian versions 10.95.3 to 10.97, ICONICS AnalytiX versions 10.95.3 to 10.97 and ICONICS MobileHMI...

CVSS 9.8 | AI score 7.5 | EPSS 0.03768
Exploits 0 | References 1
OSV
added 2024/11/13 2:16 p.m., 21 views

GHSA-F3CW-HG6R-CHFV Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI

Summary: A missing normalizePath call in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via Twig SSTI. Post-authentication; requires ALLOW_ADMIN_CHANGES=true. Details: Note: this is a sequel to CVE-2023-40035. In src/helpers/FileHelper.php#L106-L137, the function absolutePath...

CVSS 8.6 | AI score 7.4 | EPSS 0.21994
Exploits 1 | References 4
Zero Day Initiative
added 2023/11/06 12:00 a.m., 18 views

SolarWinds Orion Platform BlacklistedFilesChecker Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the BlacklistedFilesChecker class. The issue results from an incomplete list of...

CVSS 8.8 | AI score 7.8 | EPSS 0.02283
Exploits 0 | References 1
NVD
added 2023/09/05 5:15 p.m., 8 views

CVE-2023-3374

Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation. This issue affects Bookreen: before 3.0.0...

CVSS 9.8 | AI score 9.6 | EPSS 0.00123
Exploits 0 | References 2
ICS
added 2022/01/20 7:00 a.m., 60 views

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)

1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Exploitable remotely/low attack complexity. Vendor: ICONICS and Mitsubishi Electric. Equipment: ICONICS Product Suite, Mitsubishi Electric MC Works64. Vulnerabilities: Cross-site Scripting, Incomplete List of Disallowed Inputs, Plaintext Storage of a...

CVSS 9.8 | AI score 6.6 | EPSS 0.03768
Exploits 0 | References 10
CVE
added 2021/10/19 6:17 p.m., 63 views

CVE-2021-31370

CVE-2021-31370 concerns Juniper Networks Junos OS on QFX5000 Series and EX4600 Series, where an Incomplete List of Disallowed Inputs vulnerability in the Packet Forwarding Engine (PFE) can be exploited by an adjacent unauthenticated attacker sending a high rate of specific multicast traffic. This...

CVSS 6.5 | AI score 6.4 | EPSS 0.00084
Exploits 0 | References 1 | Affected Software 1
Prion
added 2021/06/10 12:15 p.m., 14 views

Design/Logic Flaw

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges...

CVSS 9 | AI score 7.2 | EPSS 0.5673
Exploits 1 | References 1 | Affected Software 1
Github Security Blog
added 2017/11/30 11:14 p.m., 24 views

private_address_check contains Incomplete List of Disallowed Inputs

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery...

CVSS 9.8 | AI score 3 | EPSS 0.00339
Exploits 0 | References 4 | Affected Software 1
OSV
added 2017/10/24 6:33 p.m., 18 views

GHSA-5VX5-9Q73-WGP4 Safemode Gem Has Incomplete List of Disallowed Inputs

rubygem-safemode, as used in Foreman, versions 1.3.1 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation...

CVSS 9.8 | AI score 9.7 | EPSS 0.00289
Exploits 0 | References 4
Github Security Blog
added 2017/10/24 6:33 p.m., 25 views

Safemode Gem Has Incomplete List of Disallowed Inputs

rubygem-safemode, as used in Foreman, versions 1.3.1 and earlier are vulnerable to bypassing safe mode limitations via special Ruby syntax. This can lead to deletion of objects for which the user does not have delete permissions or possibly to privilege escalation...

CVSS 9.8 | AI score 9.2 | EPSS 0.00289
Exploits 0 | References 4 | Affected Software 1