27 matches found

Snyk
added 2026/05/04 9:28 p.m. · 3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/install endpoint during the initial setup process. An attacker can gain unauthorized administrative access by sending a crafted installation request before the legitimate operator...

CVSS 9.8 · AI score 5.8 · EPSS 0.00096
Exploits 1 · References 2
OSSF Malicious Packages
added 2026/03/29 10:06 a.m. · 2 views

Malicious code in interwebz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 02fa95914b7edc63771b97f48f4e05119f87309224b5e9b5aa990ab6dda8acc2 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 6
Exploits 0 · References 1
Vulnrichment
added 2026/02/27 12:56 a.m. · 1 view

CVE-2026-20764 Copeland XWEB and XWEB Pro OS Command Injection

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote...

CVSS 8 · AI score 6.6 · EPSS 0.00043
Exploits 0 · References 3
Cvelist
added 2025/09/04 7:18 p.m. · 5 views

CVE-2024-49731

In apk-versions.txt, there is a possible corruption of telemetry opt-in settings on other watches when setting up a new Pixel Watch due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

EPSS 0.00021
Exploits 0 · References 1
CNNVD
added 2025/09/03 12:00 a.m. · 4 views

SAMSUNG Camera Security Vulnerability

SAMSUNG Camera is a Samsung camera application from Samsung South Korea. A security vulnerability exists in SAMSUNG Camera that stems from a lack of authorization and could allow a physical attacker to install packages through the Galaxy Store before the setup wizard completes...

CVSS 6.1 · AI score 6.4 · EPSS 0.00033
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 9:32 p.m. · 5 views

CVE-2021-21276

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

CVSS 9.3 · AI score 6.7 · EPSS 0.1976
Exploits 3 · References 1
OSV
added 2024/11/22 10:15 p.m. · 2 views

CVE-2024-7391

ChargePoint Home Flex Bluetooth Low Energy Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging devices. User interaction is required to exploit this vulnerability...

CVSS 5.7 · AI score 5.7
Exploits 0 · References 1
NVD
added 2023/10/10 5:15 a.m. · 20 views

CVE-2023-45208

A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers within range of the repeater to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names...

CVSS 8.8 · AI score 8.7 · EPSS 0.01613
Exploits 1 · References 1
CVE
added 2023/10/10 12:00 a.m. · 58 views

CVE-2023-45208

The CVE-2023-45208 issue affects D-Link DAP-X1860 repeaters (versions 1.00–1.01b05-01) where the parsing_xml_stasurvey function in libcgifunc.so is vulnerable to command injection. An attacker within wireless range can craft the SSID to execute shell commands as root during setup; network names c...

CVSS 8.8 · AI score 8.6 · EPSS 0.01613
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2023/10/10 12:00 a.m. · 19 views

CVE-2023-45208

A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers within range of the repeater to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names...

AI score 8.9 · EPSS 0.01613
Exploits 1 · References 1
Positive Technologies
added 2023/05/06 12:00 a.m. · 2 views

PT-2023-5916 · D Link · D-Link Dap-X1860

Name of the Vulnerable Software and Affected Versions: D-Link DAP-X1860 versions 1.00 through 1.01b05-01. Description: A command injection issue in the parsing_xml_stasurvey function allows attackers within range of the repeater to run shell commands as root during the setup process via a crafted...

CVSS 8.8 · AI score 8.8 · EPSS 0.01613
Exploits 1 · References 11
OSV
added 2021/02/01 3:15 p.m. · 14 views

CVE-2021-21276

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

CVSS 9.3 · AI score 6.7
Exploits 0 · References 4
NVD
added 2021/02/01 3:15 p.m. · 11 views

CVE-2021-21276

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

CVSS 9.3 · AI score 9.2 · EPSS 0.1976
Exploits 3 · References 4
Prion
added 2021/02/01 3:15 p.m. · 11 views

Code injection

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

CVSS 6.4 · AI score 9 · EPSS 0.1976
Exploits 3 · References 4 · Affected Software 1
Cvelist
added 2021/02/01 12:00 a.m. · 12 views

CVE-2021-21276 Privilege escalation in Polr

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a reque...

CVSS 9.3 · AI score 9.3 · EPSS 0.1976
Exploits 3 · References 4
Positive Technologies
added 2021/02/01 12:00 a.m. · 1 view

PT-2021-14382 · Polr · Polr

Name of the Vulnerable Software and Affected Versions: Polr versions prior to 2.3.0. Description: Polr is an open source URL shortener. A vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability...

CVSS 9.3 · AI score 9.2 · EPSS 0.1976
Exploits 3 · References 9
Kitploit
added 2020/08/19 3:46 a.m. · 44 views

Kali Linux 2020.3 Release - Penetration Testing and Ethical Hacking Linux Distribution

Time for another Kali Linux release! Quarter 3 – Kali Linux 2020.3. This release has various impressive updates. A quick overview of what’s new since the last release in May 2020: New Shell – Starting the process to switch from “Bash” to “ZSH”. The release of “Win-Kex” – Get ready WSL2 Automatin...

AI score 7.3
Exploits 0
Zero Day Initiative
added 2020/04/28 12:00 a.m. · 31 views

TP-Link TL-WA855RE login.json Improper Authentication Privilege Escalation Vulnerability

This vulnerability allows network-adjacent attackers to escalate privileges on affected installations of TP-Link TL-WA855RE Wi-Fi extenders. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within th...

CVSS 8 · AI score 3 · EPSS 0.0083
Exploits 0
WPVulnDB
added 2020/02/27 12:00 a.m. · 9 views

10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via Plugin Settings Change

The vulnerability in 10Web Map Builder exists in the plugin’s setup process. The plugin’s setup functions are called during admin_init which, like Flexible Checkout Fields, is accessible to unauthenticated users. If an attacker injects malicious JavaScript into certain settings values, that code...

AI score 3
Exploits 0 · References 2 · Affected Software 1
Talos
added 2019/01/21 12:00 a.m. · 49 views

Bitdefender BOX 2 bootstrap download_image command injection vulnerability

Summary: An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands...

CVSS 10 · AI score 9.2 · EPSS 0.04414
Exploits 1