
22 matches found

IBM Security Bulletins
added 2026/03/03 3:45 p.m. | 6 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2025-13465, CVE-2025-61140) and denial of service (CVE-2025-15284)

Summary: Node.js modules lodash, qs and jsonpath are used by IBM App Connect Enterprise Certified Container. All IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2025-13465, CVE-2025-61140) and denial of service (CVE-2025-15284). This bulletin...

9.8 CVSS | 6.5 AI score | 0.00089 EPSS
Exploits: 2 | Affected Software: 1

RedhatCVE
added 2026/01/09 9:35 a.m. | 2 views

CVE-2024-41592

DrayTek Vigor3910 devices through 4.3.2.6 have a stack-based overflow when processing query string parameters because GetCGI mishandles extraneous ampersand characters and long key-value pairs...

8 CVSS | 7.5 AI score | 0.01875 EPSS
Exploits: 1 | References: 1

RedHat Linux
added 2026/01/05 2:0 a.m. | 2 views

Important: Red Hat Security Advisory: httpd:2.4 security update

An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rated thi...

8.3 CVSS | 7.2 AI score | 0.00048 EPSS
Exploits: 0 | References: 3

RedhatCVE
added 2025/10/24 10:38 p.m. | 1 views

CVE-2025-62254

The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files i...

7.5 CVSS | 6.9 AI score | 0.00231 EPSS
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2006-1297

Malware in sbrugna...

4.3 CVSS | 6.4 AI score | 0.01018 EPSS
Exploits: 1 | References: 10

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2005-2454

Malware in sbrugna...

4.3 CVSS | 6.4 AI score | 0.01047 EPSS
Exploits: 0 | References: 8

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2018-21446

Malware in sbrugna...

9.8 CVSS | 9.2 AI score | 0.00437 EPSS
Exploits: 1 | References: 2

Tenable Nessus
added 2025/08/18 12:0 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2022-24999

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used...

7.5 CVSS | 7.4 AI score | 0.01543 EPSS
Exploits: 2 | References: 2

OSV
added 2025/04/23 5:16 p.m. | 0 views

CVE-2025-28017

TOTOLINK A800R V4.1.2cu.5032B20200408 is vulnerable to Command Injection in downloadFile.cgi via the QUERY_STRING parameter...

6.5 CVSS | 5.8 AI score | 0.0236 EPSS
Exploits: 1 | References: 2

OSV
added 2022/11/26 10:15 p.m. | 1 views

UBUNTU-CVE-2022-24999

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because a __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string ...

7.5 CVSS | 7.1 AI score | 0.01543 EPSS
Exploits: 2 | References: 6

Prion
added 2022/02/24 3:15 p.m. | 13 views

Command injection

TOTOLink A3600R V4.1.2cu.5182B20201102 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter...

7.5 CVSS | 10 AI score | 0.05664 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

OSV
added 2018/10/02 9:29 p.m. | 0 views

CVE-2018-14822

In Entes EMG12 versions 2.57 and prior, an information exposure through query strings vulnerability in the web interface has been identified, which may allow an attacker to impersonate a legitimate user and execute arbitrary code...

9.8 CVSS | 6 AI score
Exploits: 0 | References: 2

NVD
added 2015/01/13 11:59 a.m. | 8 views

CVE-2014-10012

Cross-site scripting (XSS) vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI...

4.3 CVSS | 5.8 AI score | 0.00174 EPSS
Exploits: 1 | References: 2

CNVD
added 2015/01/08 12:0 a.m. | 1 views

IPCop Cross-Site Scripting Vulnerability

IPCop is a Linux-based firewall suite developed by IPCop team, which is mainly for home and SOHO users, providing firewall functions and allowing monitoring and management of various information through some TCP/IP business rules. A cross-site scripting vulnerability exists in versions prior to...

4.3 CVSS | 5.9 AI score | 0.00623 EPSS
Exploits: 1 | References: 1

Prion
added 2009/03/24 2:30 p.m. | 10 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in Fritz Berger yet another php photo album - next generation (yappa-ng) allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI...

4.3 CVSS | 6.2 AI score | 0.01611 EPSS
Exploits: 1 | References: 3

Cvelist
added 2007/11/08 8:0 p.m. | 15 views

CVE-2003-1531

Cross-site scripting (XSS) vulnerability in testcgi.exe in Lilikoi Software Ceilidh 2.70 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string...

5.7 AI score | 0.00554 EPSS
Exploits: 1 | References: 6

CVE
added 2007/09/26 11:0 p.m. | 30 views

CVE-2007-5112

CVE-2007-5112 is an XSS vulnerability in Google Urchin 5 (versions up to 5.7.03 and earlier) affecting the session.cgi (login page). The weakness allows remote attackers to inject arbitrary script/HTML via the query string, as described in the NVD entry. The impact noted includes potential creden...

4.3 CVSS | 5.4 AI score | 0.09162 EPSS
Exploits: 1 | References: 10 | Affected Software: 1

CVE
added 2006/09/14 9:0 p.m. | 52 views

CVE-2006-4794

CVE-2006-4794 describes multiple XSS vulnerabilities in e107 0.7.5 via the PATH_INFO query string in numerous PHP pages (contact.php, download.php, admin.php, etc.). Connected records indicate a broader XSS family affecting e107 0.7.16 and earlier (admin/ and related files such as submitnews.php,...

4.3 CVSS | 5.6 AI score | 0.011 EPSS
Exploits: 1 | References: 11 | Affected Software: 1

Cvelist
added 2006/09/14 9:0 p.m. | 16 views

CVE-2006-4794

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.5 allow remote attackers to inject arbitrary web script or HTML via the query string (PATH_INFO) in (1) contact.php, (2) download.php, (3) admin.php, (4) fpw.php, (5) news.php, (6) search.php, (7) signup.php, (8) submitnews.php, and (9) user.php. NOTE: the...

5.6 AI score | 0.011 EPSS
Exploits: 1 | References: 11

Prion
added 2006/05/19 11:2 p.m. | 11 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in (1) index.php and (2) bmc/admin.php in BoastMachine (bMachine) 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly filtered when it is accessed using the $_SERVER["PHP_SELF"] variable...

6.8 CVSS | 6.2 AI score | 0.10962 EPSS
Exploits: 1 | References: 9 | Affected Software: 1