CVE-2021-32974 Moxa NPort IAW5000A-I/O Series Serial Device Server Improper Input Validation

Improper input validation in the built-in web server in Moxa NPort IAW5000A-I/O series firmware version 2.2 or earlier may allow a remote attacker to execute commands...

CVE-2022-23043

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new 'File/MIME Types' using the '.phar' extension. Then an attacker can upload a malicious file, intercept the request and change the extension to '.phar' in order to run commands on the server...

CVE-2022-23650 Use of Hard-coded Cryptographic Key in Netmaker

Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and...

CVE-2021-42669

A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboardteacher.php, which allows changing the avatar through teacheravatar.php. Once an avatar gets uploaded it is getting uploaded to the /admin/uploads/ directory, and is accessible by all users. By...

Command Execution Vulnerability in Yisou Novel App

Yisou Novel APP is a professional mobile novel search and reading client. A command execution vulnerability exists in Yisou Novel APP. An attacker can exploit the vulnerability to execute commands on the server...

XStream远程代码执行漏洞（CVE-2021-29505）

CVE-2021-29505 Vulnerability CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack. Affected Versions All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's...

rConfig 3.9.6 Shell Upload

Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution Authenticated Date: 2021-03-17 Exploit Author: Murat ŞEKER Vendor Homepage: https://www.rconfig.com Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip Version: rConfig v3.9.6 Install scripts :...

CVE-2020-25557

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server...

Design/Logic Flaw

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server...

CVE-2020-25557

In CMSuno 1.6.2, an attacker can inject malicious PHP code as a “username” while changing his/her username & password. After that, when attacker logs in to the application, attacker’s code will be run. As a result of this vulnerability, authenticated user can run command on the server. Recent...

CVE-2020-27995

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do templateresid parameter...

Sql injection

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do templateresid parameter...

CVE-2020-27995

SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do templateresid parameter...

CVE-2020-11817

In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting...

Code injection

In Rukovoditel V2.5.2, attackers can upload an arbitrary file to the server just changing the the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs with the Maintenance Mode setting...

CVE-2020-11815

In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting...

Code injection

In Rukovoditel 2.5.2, attackers can upload arbitrary file to the server by just changing the content-type value. As a result of that, an attacker can execute a command on the server. This specific attack only occurs without the Maintenance Mode setting...

Project Worlds Official Car Rental System Code Issue Vulnerability

Project Worlds Official Car Rental System is a PHP and MySQL based car rental system. A code issue exists in the upload section of the file manager page in Project Worlds Official Car Rental System version 1. The vulnerability can be exploited to run commands on the server via the addcars.php fil...

CVE-2020-11544

An issue was discovered in Project Worlds Official Car Rental System 1. It allows the admin user to run commands on the server with their account because the upload section on the file-manager page contains an arbitrary file upload vulnerability via addcars.php. There are no upload restrictions f...

Design/Logic Flaw

An issue was discovered in AContent through 1.4. It allows the user to run commands on the server with a low-privileged account. The upload section in the file manager page contains an arbitrary file upload vulnerability via upload.php. The extension .php7 bypasses file upload restrictions...