1115 matches found

Cvelist
added 2025/03/24 5:3 p.m. · 15 views

CVE-2025-30208 Vite bypasses server.fs.deny when using `?raw??`

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it...

CVSS 5.3 · EPSS 0.78572
Exploits 28 · References 6

CISA KEV Catalog
added 2025/03/19 12:0 a.m. · 28 views

SAP NetWeaver Directory Traversal Vulnerability

SAP NetWeaver Application Server AS Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string...

CVSS 7.5 · AI score 6.9 · EPSS 0.94557
In wild · Exploits 3

CNNVD
added 2025/03/17 12:0 a.m. · 1 views

BlackVue App Security Vulnerability

BlackVue App is a software from BlackVue with car recorder connectivity. It is used to read the video data from the recorder, view the vehicle's driving history, etc. A security vulnerability exists in BlackVue App version 3.65, which stems from a GET request method that uses a sensitive query...

CVSS 6.3 · AI score 4.6 · EPSS 0.00363
Exploits 0 · References 4

Positive Technologies
added 2025/03/11 12:0 a.m. · 2 views

PT-2025-16979 · NetGear · Netgear R61

Name of the Vulnerable Software and Affected Versions: Netgear R61 version 1.0.1.28 Description: A Buffer Overflow issue allows a remote attacker to execute arbitrary code via the QUERY STRING key value. Recommendations: For version 1.0.1.28, update to a newer version that contains a fix for this...

CVSS 9.8 · AI score 7.6 · EPSS 0.0087
Exploits 1 · References 9

Cvelist
added 2025/02/27 12:20 p.m. · 10 views

CVE-2025-1738 Multiple vulnerabilities in Trivision Camera NC227WF

A Password Transmitted over Query String vulnerability has been found in Trivision Camera NC227WF v5.8.0 from TrivisionSecurity, exposing this sensitive information to a third party...

CVSS 6.2 · EPSS 0.00163
Exploits 2 · References 1

CNNVD
added 2025/02/27 12:0 a.m. · 2 views

Trivision NC227WF Security Vulnerability

Trivision NC227WF is a webcam from Trivision. A security vulnerability exists in Trivision NC227WF version v5.8.0, which stems from a password being transmitted via a query string...

CVSS 6.2 · AI score 6.9 · EPSS 0.00163
Exploits 2 · References 2

SUSE CVE
added 2025/02/14 6:31 a.m. · 3 views

SUSE CVE-2023-28709

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted...

CVSS 7.5 · AI score 8.7 · EPSS 0.51547
Exploits 1 · References 9

Veeam
added 2025/02/13 12:0 a.m. · 45 views

Veeam ONE Report Error "Invalid query string"

Challenge: When previewing a report in Veeam ONE Web Client, the report fails to load with the error: "Invalid query string". Cause: This error occurs when the URL used to access the Veeam ONE Web Client does not match the URL of the report preview. For example, if the URL used to access Veeam O...

AI score 6.2
Exploits 0 · Affected Software 1

RedhatCVE
added 2025/02/05 6:26 p.m. · 14 views

CVE-2017-18364

phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter...

CVSS 7.4 · AI score 5.8 · EPSS 0.01357
Exploits 2 · References 1

RedhatCVE
added 2025/02/05 6:7 p.m. · 12 views

CVE-2019-12935

Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI...

CVSS 7.4 · AI score 5.8 · EPSS 0.02757
Exploits 1 · References 1

CNNVD
added 2025/02/05 12:0 a.m. · 2 views

dot-querystring Security Vulnerability

dot-querystring is a dot notation library for node query strings by the individual developer Naoya Tsutsumi. A security vulnerability exists in dot-querystring version v0.2.0, which stems from the lib.parse function containing a prototype pollution vulnerability...

CVSS 7.5 · AI score 6.8 · EPSS 0.00409
Exploits 0 · References 1

BDU FSTEC
added 2025/02/03 12:0 a.m. · 4 views

The vulnerability in the `usr_account_set.cgi` script of the TP-Link TL-SG108E wireless router’s microprogramming software allows a hacker to disclose protected information.

The vulnerability in the `usr_account_set.cgi` script of the TP-Link TL-SG108E wireless router’s microprogramming software relates to the disclosure of information through query strings. Exploiting this vulnerability allows a remote attacker to disclose sensitive information by sending a specially...

CVSS 3.7 · AI score 5.4 · EPSS 0.00606
Exploits 1 · References 4 · Affected Software 1

Positive Technologies
added 2025/01/01 12:0 a.m. · 2 views

PT-2025-53805

Name of the Vulnerable Software and Affected Versions: qs versions prior to 6.14.1 Description: A flaw exists in the qs parse modules library where the arrayLimit option does not properly enforce limits when using bracket notation in query strings, leading to a potential HTTP Denial of Service (DoS)...

CVSS 7.8 · AI score 6.8 · EPSS 0.0041
Exploits 1 · References 43

Veracode
added 2024/11/20 3:48 a.m. · 17 views

Local File Inclusion (LFI)

symfony/runtime is vulnerable to Local File Inclusion (LFI). The vulnerability is due to improper handling of the argv values in non-SAPI PHP runtimes, where the registerargvargc directive is set to on, allowing attackers to craft query strings that modify the environment or debug settings used by...

CVSS 7.3 · AI score 6.6 · EPSS 0.63422
Exploits 0 · References 5 · Affected Software 2

Cvelist
added 2024/11/18 8:45 a.m. · 22 views

CVE-2024-45791 Apache HertzBeat: Exposure sensitive token via http GET method with query string

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache HertzBeat. This issue affects Apache HertzBeat: before 1.6.1. Users are recommended to upgrade to version 1.6.1, which fixes the issue...

EPSS 0.00791
Exploits 0 · References 2

OSV
added 2024/11/12 10:8 p.m. · 59 views

GHSA-GV7V-RGG6-548H Laravel environment manipulation via query string

Description: When the `register_argc_argv` php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. Resolution: The framework now ignores argv values for environment detection on...

CVSS 8.7 · AI score 5.9 · EPSS 0.37206
Exploits 1 · References 6

Github Security Blog
added 2024/11/12 10:8 p.m. · 127 views

Laravel environment manipulation via query string

Description: When the `register_argc_argv` php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. Resolution: The framework now ignores argv values for environment detection on...

CVSS 8.7 · AI score 6.7 · EPSS 0.37206
Exploits 1 · References 5 · Affected Software 1

OSV
added 2024/11/12 8:15 p.m. · 3 views

DEBIAN-CVE-2024-52301

Laravel is a web application framework. When the `register_argc_argv` php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28,...

CVSS 7.5 · AI score 5.3 · EPSS 0.37206
Exploits 1 · References 1

NVD
added 2024/11/12 8:15 p.m. · 98 views

CVE-2024-52301

Laravel is a web application framework. When the `register_argc_argv` php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28,...

CVSS 8.7 · EPSS 0.37206
Exploits 1 · References 2

Cvelist
added 2024/11/12 7:32 p.m. · 34 views

CVE-2024-52301 Laravel allows environment manipulation via query string

Laravel is a web application framework. When the `register_argc_argv` php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28,...

CVSS 8.7 · EPSS 0.37206
Exploits 1 · References 1