294 matches found

Prion
added 2022/01/17 8:15 p.m. · 20 views

Design/Logic Flaw

When using Apache Knox SSO prior to 1.6.1, a request could be crafted to redirect a user to a malicious page due to improper URL parsing. A request that included a specially crafted request parameter could be used to redirect the user to a page controlled by an attacker. This URL would need to be...

CVSS 4.3 · AI score 5.9 · EPSS 0.02579
Exploits: 0 · References: 2 · Affected Software: 1
GithubExploit
added 2021/09/01 7:15 a.m. · 222 views

Exploit for Expression Language Injection in Atlassian Confluence_Data_Center

CVE-2021-26084 - Confluence Server Webwork OGNL injection - A...

CVSS 9.8 · AI score 9.2 · EPSS 0.99999
Exploits: 45
CNNVD
added 2021/08/24 12:00 a.m. · 2 views

D-Link DIR-816 A2 Security Vulnerability

The D-Link DIR-816 A2 is a wireless router from Taiwan, China-based AUO D-Link. A security vulnerability exists in the D-Link DIR-816A2, which stems from an issue discovered via the HTTP request parameter in the handler function of the goform form2userconfig.cgi route, where a username string can...

CVSS 8.1 · AI score 7.4 · EPSS 0.01064
Exploits: 0 · References: 5
CNNVD
added 2021/08/12 12:00 a.m. · 2 views

MONITORAPP Application Insight Web Application Firewall Input Validation Error Vulnerability

MONITORAPP Application Insight Web Application Firewall AIWAF is an application firewall from MONITORAPP Corporation in South Korea. The MONITORAPP Application Insight Web Application Firewall suffers from an input validation error vulnerability that stems from a lack of input validation for one ...

CVSS 9.3 · AI score 7.7 · EPSS 0.02466
Exploits: 0 · References: 3
RedhatCVE
added 2021/07/25 9:09 a.m. · 40 views

CVE-2019-11236

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter...

CVSS 6.5 · AI score 3.1 · EPSS 0.02056
Exploits: 1 · References: 3
Zero Day Initiative
added 2021/05/14 12:00 a.m. · 91 views

QNAP NAS MusicStation Directory Traversal Arbitrary File Creation Vulnerability

This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of QNAP NAS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MusicStation application. When parsing the arttype request parameter, the process...

CVSS 7.1 · AI score 3.2 · EPSS 0.18497
Exploits: 2 · References: 1
OSV
added 2021/04/15 8:15 a.m. · 5 views

CVE-2020-7270

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense ATD prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploy...

CVSS 4.3 · AI score 5.8 · EPSS 0.00821
Exploits: 0 · References: 1
NVD
added 2021/04/15 8:15 a.m. · 24 views

CVE-2020-7269

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense ATD prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploy...

CVSS 4.9 · EPSS 0.00726
Exploits: 0 · References: 1
Cvelist
added 2021/04/15 8:00 a.m. · 26 views

CVE-2020-7269 Sensitive Information Exposure in McAfee ATD

Exposure of Sensitive Information in the web interface in McAfee Advanced Threat Defense ATD prior to 4.12.2 allows remote authenticated users to view sensitive unencrypted information via a carefully crafted HTTP request parameter. The risk is partially mitigated if your ATD instances are deploy...

CVSS 4.9 · AI score 4.7 · EPSS 0.00726
Exploits: 0 · References: 1
Cvelist
added 2021/04/14 1:53 p.m. · 15 views

CVE-2021-27113

An issue was discovered in D-Link DIR-816 A2 1.10 B05 devices. An HTTP request parameter is used in command string construction within the handler function of the /goform/addRouting route. This could lead to Command Injection via Shell Metacharacters...

AI score 9.9 · EPSS 0.03459
Exploits: 1 · References: 2
Veracode
added 2021/04/05 6:44 a.m. · 31 views

Denial Of Service (DoS)

cxf-rt-rs-security-oauth2 is vulnerable to denial of service DoS. The vulnerability exists as it does not properly validate the requesturi parameter, allowing a REST request to the parameter in the request to retrieve a token...

CVSS 7.5 · AI score 3.3 · EPSS 0.07046
Exploits: 0 · References: 14 · Affected Software: 1
Cvelist
added 2021/03/30 1:27 p.m. · 15 views

CVE-2021-26810

D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnerability. An HTTP request parameter can be used in command string construction in the handler function of the /goform/dirsetWanWifi, which can lead to command injection via shell metacharacters in the statuscheckpppoeuser paramet...

AI score 10 · EPSS 0.04905
Exploits: 1 · References: 2
Prion
added 2021/01/15 7:15 a.m. · 15 views

Cross site scripting

An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefssmtppsw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. Th...

CVSS 3.5 · AI score 4.8 · EPSS 0.00921
Exploits: 2 · References: 3 · Affected Software: 1
Cvelist
added 2021/01/15 6:26 a.m. · 14 views

CVE-2021-23836

An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefssmtppsw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. Th...

AI score 5.1 · EPSS 0.00921
Exploits: 2 · References: 3
Positive Technologies
added 2021/01/11 12:00 a.m. · 4 views

PT-2021-11724 · Quest · Quest Policy Authority

Name of the Vulnerable Software and Affected Versions: Quest Policy Authority version 8.1.2.200 Description: The issue allows attackers to inject malicious code into the browser via a specially crafted link to the "cConn.jsp" file using the ur parameter. This affects products that are no longer...

CVSS 6.1 · AI score 7 · EPSS 0.01299
Exploits: 1 · References: 7
OSV
added 2020/12/21 10:15 p.m. · 3 views

CVE-2020-29596

MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service daemon crash via a long name for the first parameter in a POST request...

CVSS 7.5 · AI score 7.2 · EPSS 0.0266
Exploits: 1 · References: 4
Microsoft CVE
added 2020/12/21 8:00 a.m. · 2 views

In the urllib3 library through 1.24.1 for Python CRLF injection is possible if the attacker controls the request parameter.

...

CVSS 6.1 · AI score 9.5 · EPSS 0.02056
Exploits: 1
OSV
added 2020/08/20 1:17 a.m. · 12 views

CVE-2020-15143

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, request parameters injected inside an expression evaluated by the symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter,...

CVSS 8.8 · AI score 8.9
Exploits: 0 · References: 1
Veracode
added 2020/06/23 2:26 a.m. · 30 views

Authentication Bypass

Apache Shiro-web is vulnerable to authentication bypass. Lack of proper handling of servletPath parameter in the request allows an attacker to inject malicious string via the request parameter and bypass authentication...

CVSS 9.8 · AI score 3.7 · EPSS 0.24436
Exploits: 1 · References: 16 · Affected Software: 1
Cvelist
added 2020/06/22 8:35 a.m. · 20 views

CVE-2020-7262 Improper Access Control vulnerability in ATD

Improper Access Control vulnerability in McAfee Advanced Threat Defense ATD prior to 4.10.0 allows local users to view sensitive files via a carefully crafted HTTP request parameter...

CVSS 5.3 · AI score 5.3 · EPSS 0.00743
Exploits: 0 · References: 1