515 matches found
CVE-2020-37146
ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera's configuration backup by sending a GET request to the /configbackup.bin endpoint, exposing credentia...
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials admin/admin upon the first initialization. Attackers with network access to the application's login interface can gain full...
PT-2026-6622
Name of the Vulnerable Software and Affected Versions Tanium Patch affected versions not specified Description Tanium Patch has an issue with incorrect default permissions. This could potentially allow unauthorized access or modification of system settings. There is no information available...
CVE-2021-0338
In SystemSettingsValidators, there is a possible permanent denial of service due to missing bounds checks on UI settings. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10...
CVE-2019-16531
LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php...
CVE-2019-25238
V-SOL GPON/EPON OLT Platform 2.03 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to create admin users, enable SSH, or modify system settings by tricking authenticated...
CVE-2019-25257 LogicalDOC Enterprise 7.7.4 Authenticated Command Execution via Binary Path Manipulation
LogicalDOC Enterprise 7.7.4 contains multiple authenticated OS command execution vulnerabilities that allow attackers to manipulate binary paths when changing system settings. Attackers can exploit these vulnerabilities by modifying configuration parameters like antivirus.command,...
CVE-2019-25238
The provided connected documents confirm CVE-2019-25238 concerns V-SOL GPON/EPON OLT Platform 2.03 and describe a cross-site request forgery (CSRF) vulnerability. Exploitation involves convincing authenticated administrators to load a malicious page, enabling attackers to perform actions such as ...
CVE-2018-25149 Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface
Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated...
CVE-2018-25149 Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface
Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated...
CVE-2018-25149
CVE-2018-25149 affects Microhard Systems IPn4G 1.1.0. The vulnerability is a cross-site request forgery (CSRF) in the device’s web interface that allows an attacker to induce administrative actions without user consent by tricking an authenticated user into loading a malicious page. Documented im...
PT-2025-53343
Name of the Vulnerable Software and Affected Versions LogicalDOC Enterprise version 7.7.4 Description The software contains multiple authenticated operating system command execution flaws. These flaws permit attackers to manipulate binary paths when altering system settings. Exploitation involves...
PT-2025-53369
Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated...
PT-2025-50516
EIBIZ i-Media Server Digital Signage 3.8.0 contains an unauthenticated configuration disclosure vulnerability that allows remote attackers to access sensitive configuration files via direct object reference. Attackers can retrieve the SiteConfig.properties file through an HTTP GET request, exposi...
CVE-2021-47702
OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings...
CVE-2021-47702 OpenBMCS Cross Site Request Forgery (CSRF) via sendFeedback.php
OpenBMCS 2.4 contains a CSRF vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. Attackers can submit malicious requests to trigger unintended actions, such as sending emails or modifying system settings...
CVE-2021-47702
OpenBMCS 2.4 is affected by a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to perform actions with administrative privileges by exploiting the sendFeedback.php endpoint. This can enable malicious requests to trigger tasks such as sending emails or altering system settings...
CVE-2024-58277
CVE-2024-58277 affects the R Radio Network FM Transmitter v1.07, where an unauthenticated actor can access the admin password via the system.cgi endpoint, enabling authentication bypass and FM station setup access. Public sources (Zero Science Lab) describe an improper access control allowing dis...
PT-2025-47499
Name of the Vulnerable Software and Affected Versions ELCA Star Transmitter Remote Control firmware version 1.25 Description The ELCA Star Transmitter Remote Control firmware version 1.25 has an issue that allows unauthenticated attackers to retrieve admin credentials and system settings. This is...
CVE-2025-63223
The Axel Technology StreamerMAX MK II devices firmware versions 0.8.5 to 1.0.3 are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and...