36 matches found
Code injection
EyeSurfer BflyInstallerX.ocx v1.0.0.16 and earlier versions contain a vulnerability that could allow a remote file to be downloaded by setting the arguments of the vulnerable method. This can be leveraged for code execution. When the vulnerable method is called, it fails to properly check the...
NETGEAR Prosafe WC9500, WC7600 and WC7520 Operating System Command Injection Vulnerability
The NETGEAR Prosafe WC9500, WC7600 and WC7520 are NETGEAR wireless controllers for managing access points. A security vulnerability exists in the NETGEAR Prosafe WC9500 version 5.1.0.17, WC7600 version 5.1.0.17, and WC7520 version 2.5.0.35. A remote attacker can exploit the vulnerability to execute...
Buffalo TS5600D1206 Access Control Error Vulnerability (CNVD-2019-00678)
The Buffalo TS5600D1206 is a network storage device from the Buffalo Group of Japan. An access control error vulnerability exists in the nasapi of the Buffalo TS5600D1206 version 3.61-0.10, which can be exploited by an attacker to call a dangerous internal function via the 'method' parameter...
CVE-2018-13321
Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter...
CVE-2018-19186
The Amazon PAYFORT payfort-php-SDK payment gateway SDK through 2018-04-26 has XSS via the route.php paymentMethod parameter...
PAYFORT payfort-php-SDK cross-site scripting vulnerability (CNVD-2019-08574)
PayFort is an online payment gateway. payfort-php-SDK is the PayFort payment gateway SDK. A cross-site scripting vulnerability exists in Amazon PAYFORT payfort-php-SDK on 2018-04-26 and earlier versions, which can be exploited by an attacker via the route.php paymentMethod parameter to conduct a...
CVE-2018-15169
A reflected Cross-site scripting XSS vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter...
CVE-2018-12996
A reflected Cross-site scripting XSS vulnerability in Zoho ManageEngine Applications Manager before 13 Build 13800 allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do...
Active Record contains SQL Injection
SQL injection vulnerability in the Active Record component in Ruby on Rails before 2.3.15, 3.0.x before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in...
VirtueMart com_virtuemart component SQL injection vulnerability in Joomla!
Joomla! is an open source content management system (CMS) developed by the U.S. Open Source Matters team; it provides RSS feeds, site search and other features. VirtueMart (com_virtuemart) is one of its e-commerce components. A SQL injection vulnerability exists in version 3.0.14 of the Joomla!...
CVE-2017-8303
An issue was discovered on Accellion FTA devices before FTA912180. seos/1000/find.api allows Remote Code Execution with shell metacharacters in the method parameter...
CakePHP Security Bypass Vulnerability
CakePHP is an open source, MVC-based Web development framework from the U.S. Cake Software Foundation. The framework offers flexible view caching, automatic generation of CRUD code and other features. A security vulnerability exists in CakePHP version 2.x and version 3.x befo...
UBUNTU-CVE-2015-8379
CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the method parameter...
Gentoo Security Advisory GLSA 201401-22
Gentoo Linux Local Security Checks GLSA 201401-22. SPDX-FileCopyrightText: 2015 Eero Volotinen. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. if(description)...
Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution
Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to...
phpwind 7.5 api/class_base.php Include Vulnerabilities
PHPWind is a forum system that runs on php+mysql and can generate static html pages; it is widely used in China and abroad for its access speed and load capacity. In api/class_base.php, the $mode variable of the callback function is not filtered, which allows arbitrary local file inclusion and therefore execution of arbitrary PHP code. In api/class_base.php: function callback($mode, $method, $params) { if (!isset($this->class_db[$mode])) { if (!file_exists(R_P . 'api/class_' . $mode . '.php'))...
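The following is an added illustration of the include pattern described above, not code from PHPWind or from the advisory. It places a path built like the snippet's `R_P . 'api/class_' . $mode . '.php'` beside a hardened version that only loads modes from a fixed allow-list and verifies the resolved file stays under `api/`. The allow-list contents, the function names, and the temporary directory used as `R_P` are assumptions made for the example.

```php
<?php
// Added example (not PHPWind's code): unfiltered include path vs. hardened one.

// R_P is the installation root in the original snippet; for this stand-alone
// demo it is assumed to be a throwaway directory with one real class file.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '/';
mkdir($root . 'api', 0700, true);
file_put_contents($root . 'api/class_user.php', "<?php\nclass user {}\n");
define('R_P', $root);

// Vulnerable shape: $mode flows straight into the path that gets included,
// so a traversal string or the path of an uploaded file selects the target.
function vulnerable_class_path($mode)
{
    return R_P . 'api/class_' . $mode . '.php';
}

// Assumed allow-list of mode names the application actually ships.
const ALLOWED_MODES = ['user', 'forum', 'post'];

// Hardened: the name must be a plain identifier (no separators, dots or null
// bytes), must be on the allow-list, and the resolved file must sit under api/.
function safe_class_path($mode)
{
    if (!is_string($mode) || !preg_match('/^[a-z][a-z0-9]{0,31}$/', $mode)) {
        throw new InvalidArgumentException('invalid mode name');
    }
    if (!in_array($mode, ALLOWED_MODES, true)) {
        throw new InvalidArgumentException('unknown mode');
    }
    $real = realpath(R_P . 'api/class_' . $mode . '.php');
    $apiDir = realpath(R_P . 'api') . DIRECTORY_SEPARATOR;
    if ($real === false || strpos($real, $apiDir) !== 0) {
        throw new RuntimeException('class file not found under api/');
    }
    return $real;
}

// Constructed inputs: one legitimate mode, then typical LFI payloads.
$inputs = [
    'user',
    '../../../../etc/passwd',
    "../../../../etc/passwd\0",
    'forum',                      // allow-listed but file missing: still rejected
];
foreach ($inputs as $in) {
    echo 'vulnerable path: ', str_replace("\0", '\0', vulnerable_class_path($in)), PHP_EOL;
    try {
        echo 'safe path:       ', safe_class_path($in), PHP_EOL;
    } catch (Exception $e) {
        echo 'safe path:       rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}

// Clean up the throwaway root.
unlink($root . 'api/class_user.php');
rmdir($root . 'api');
rmdir($root);
```

Running it shows the vulnerable builder happily emitting `.../api/class_../../../../etc/passwd.php` style paths (on PHP versions that truncated at a null byte, the trailing `.php` was lost entirely), while the hardened function rejects every payload before `realpath()` is reached and only returns a path for `user`, the one allow-listed mode whose file exists.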