1115 matches found

Cvelist
added 2019/10/17 7:24 p.m. | 20 views

CVE-2019-13409 A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19)

A SQL injection vulnerability was discovered in TOPMeeting before version 8.8 (2019/08/19). An attacker can use a union based injection query string through a search meeting room feature to get databases schema and username/password...

AI score 9.8 | EPSS 0.01211
Exploits 0 | References 2

Prion
added 2019/08/26 6:15 p.m. | 18 views

Cross site request forgery (csrf)

Discourse 2.3.2 sends the CSRF token in the query string...

CVSS 4.3 | AI score 6.5 | EPSS 0.00615
Exploits 0 | References 1 | Affected Software 1

RedHat Linux
added 2019/08/06 12:52 p.m. | 1 view

python: CRLF injection via the query part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the query string after a ? charact...

CVSS 6.1 | AI score 6.7 | EPSS 0.05372
Exploits 1 | References 4

Veracode
added 2019/07/18 6:37 a.m. | 17 views

Cross-site Scripting (XSS)

grumpydictator/firefly-iii is vulnerable to cross-site scripting (XSS) attacks. The attack is due to lack of sanitization of query string provided by the user in the search query, allowing an attacker to inject a malicious script...

CVSS 5.4 | AI score 5.1 | EPSS 0.00762
Exploits 1 | References 2 | Affected Software 1

Prion
added 2019/07/10 5:15 p.m. | 17 views

Stack overflow

TRENDnet TEW-827DRU with firmware up to and including 2.04B03 contains a stack-based buffer overflow in the ssi binary. The overflow allows an unauthenticated user to execute arbitrary code by providing a sufficiently long query string when POSTing to any valid cgi, txt, asp, or js file. The...

CVSS 7.5 | AI score 9.7 | EPSS 0.02767
Exploits 1 | References 1 | Affected Software 1

Packet Storm
added 2019/07/10 12:0 a.m. | 202 views

phpFK lite-version Cross Site Scripting

Information: Advisory by Netsparker Name: Multiple Cross-site Scripting Vulnerabilities in phpFK Affected Software: phpFK Affected Versions: lite-version Homepage: https://www.frank-karau.de/ Vulnerability: Reflected Cross-site Scripting Severity: 7.4 High Status: Not Fixed CVSS Score 3.0:...

CVSS 4.3 | AI score 6.7 | EPSS 0.01357
Exploits 2

NVD
added 2019/06/24 6:15 p.m. | 23 views

CVE-2019-9085

Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the nfile parameter to visualizzacontratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&idtransazione=1&numerocontratto=1&nfile=a query string ...

CVSS 6.5 | AI score 6.2 | EPSS 0.01966
Exploits 1 | References 2

OSV
added 2019/06/23 11:15 p.m. | 1 view

CVE-2019-12935

Shopware before 5.5.8 has XSS via the Query String to the backend/Login or backend/Login/load/ URI...

CVSS 6.1 | AI score 6.8 | EPSS 0.02757
Exploits 1 | References 4

OSV
added 2019/06/17 9:15 p.m. | 2 views

CVE-2017-9392

An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 devices. The device provides UPnP services that are available on port 3480 and can also be accessed via port 80 using the url "/port3480". It seems that the UPnP services provide "requestimage" as one of the service actions for ...

CVSS 8.8 | AI score 6.1
Exploits 0 | References 3

OSV
added 2019/06/07 9:12 p.m. | 18 views

GHSA-HXCM-V35H-MG2X Prototype Pollution in querystringify

A vulnerability was found in querystringify before 2.0.0. It's possible to override built-in properties of the resulting query string object if a malicious string is inserted in the query string...

AI score 7
Exploits 0 | References 2

RedHat Linux
added 2019/05/22 12:3 p.m. | 4 views

python: CRLF injection via the query part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the query string after a ? charact...

CVSS 6.1 | AI score 6.7 | EPSS 0.05372
Exploits 1 | References 4

OSV
added 2019/04/01 5:29 p.m. | 3 views

CVE-2018-5757

An issue was discovered on AudioCodes 450HD IP Phone devices with firmware 3.0.0.535.106. The traceroute and ping functionality, which uses a parameter in a request to command.cgi from the Monitoring page in the web UI, unsafely puts user-alterable data directly into an OS command, leading to...

CVSS 8.8 | AI score 5.9 | EPSS 0.07778
Exploits 1 | References 1

Cvelist
added 2019/03/27 4:59 p.m. | 31 views

CVE-2017-18364

phpFK lite has XSS via the faq.php, members.php, or search.php query string or the user.php user parameter...

CVSS 7.4 | AI score 7.2 | EPSS 0.01357
Exploits 2 | References 3

NVD
added 2019/01/31 7:29 p.m. | 13 views

CVE-2018-18940

servlet/SnoopServlet (a servlet installed by default in Netscape Enterprise 3.63) has reflected XSS via an arbitrary parameter=XSS in the query string. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to a vulnerable web...

CVSS 6.1 | AI score 6.2 | EPSS 0.01416
Exploits 3 | References 2

CNVD
added 2019/01/14 12:0 a.m. | 3 views

CubeCart Cross-Site Scripting Vulnerability

Devellion CubeCart is a free and open source e-commerce shopping cart software from Devellion UK. The software supports selling products in an online store, adding/editing products or images etc. A cross-site scripting vulnerability exists in Devellion CubeCart version 6.2.2. A remote attacker ca...

CVSS 5.4 | AI score 6 | EPSS 0.00637
Exploits 1 | References 1

Prion
added 2019/01/03 8:29 p.m. | 13 views

Cross site scripting

Cross-site scripting in eventscript.js in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript via a URL query string parameter...

CVSS 4.3 | AI score 6.4 | EPSS 0.00803
Exploits 1 | References 2

Prion
added 2019/01/03 7:29 p.m. | 23 views

Design/Logic Flaw

Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280...

CVSS 4.3 | AI score 5.9 | EPSS 0.01892
Exploits 4 | References 2 | Affected Software 1

OSV
added 2019/01/03 7:29 p.m. | 23 views

CVE-2018-14481

Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280...

CVSS 6.1 | AI score 5.6
Exploits 0 | References 2

NVD
added 2019/01/03 7:29 p.m. | 21 views

CVE-2018-14481

Osclass 3.7.4 has XSS via the query string to index.php, a different vulnerability than CVE-2014-6280...

CVSS 6.1 | AI score 6 | EPSS 0.01081
Exploits 2 | References 2

CVE
added 2019/01/03 7:0 p.m. | 56 views

CVE-2018-14481

OSClass 3.7.4 is affected by CVE-2018-14481: it has Cross-Site Scripting (XSS) via the query string to index.php (notably in the OSClass 3.7.4 release, separate from CVE-2014-6280). Other connected sources describe multiple XSS vulnerabilities in OSClass 3.7.4, including potential reflections and...

CVSS 6.1 | AI score 5.8 | EPSS 0.01081
Exploits 2 | References 2 | Affected Software 1