28 matches found
EUVD-2020-25187
Malware in sbrugna...
EUVD-2016-5451
Malware in sbrugna...
EUVD-2023-0277
Malicious code in bioql PyPI...
CVE-2019-15810
Insufficient sanitization during device search in Netdisco 2.042010 allows for reflected XSS via manipulation of a URL parameter...
CVE-2025-3999 Seeyon Zhiyuan OA Web Application System URL Parameter date.jsp cross site scripting
A vulnerability, which was classified as problematic, has been found in Seeyon Zhiyuan OA Web Application System 8.1 SP2. This issue affects some unknown processing of the file seeyon\opt\Seeyon\A8\ApacheJetspeed\webapps\seeyon\common\js\addDate\date.jsp of the component URL Parameter Handler. Th...
CVE-2024-21879
Enphase IQ Gateway (Envoy) is affected by CVE-2024-21879, a Command Injection vulnerability exploitable via a URL parameter on an authenticated endpoint. Affected versions are 4.x through 8.x and any version before 8.2.4225. The root cause is improper neutralization of special elements in the URL...
CVE-2024-21879 URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway v4.x to v8.x and < v8.2.4225
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability through a URL parameter of an authenticated endpoint in Enphase IQ Gateway, formerly known as Envoy, allows OS Command Injection. This issue affects Envoy: from 4.x to 8.x and < 8.2.4225...
CVE-2024-21880 URL parameter manipulations allows an authenticated attacker to execute arbitrary OS commands in Enphase IQ Gateway version 4.x <= 7.x
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability via the URL parameter of an authenticated endpoint in Enphase IQ Gateway, formerly known as Enphase, allows OS Command Injection. This issue affects Envoy: 4.x <= 7.x...
Cross site scripting
A vulnerability was found in GZ Scripts GZ E Learning Platform 1.8 and classified as problematic. This issue affects some unknown processing of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-233357 was...
Cross site request forgery (CSRF)
The Online Examination System Project 1.0 version is vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin's consent. The email of the user to be deleted is...
Design/Logic Flaw
Kanboard is open source project management software that focuses on the Kanban methodology. Versions prior to 1.2.30 are subject to an Insecure Direct Object Reference (IDOR) vulnerability present in the application's URL parameter. This vulnerability enables any user to read files uploaded by any...
CVE-2022-1561
The CVE-2022-1561 issue concerns Lura and KrakenD-CE before 2.0.2 and KrakenD-EE before 2.0.0 where URL parameters aren’t sanitized, enabling a crafted URL to alter the backend URL defined for a pipe. The vulnerability does not affect KrakenD itself, but the consumed backend may be vulnerable. Re...
CVE-2022-31208
An issue was discovered in Infiray IRAY-A8Z3 1.0.957. The webserver contains an endpoint that can execute arbitrary commands by manipulating the cmdstring URL parameter...
Dropcontact: Unauthorized access and update of EMAIL settings of other users at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter.
When changing email settings with firstpromoter, the email of the account was right in the URL, so by changing this parameter, we could change the settings of other users...
Code injection
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the rd parameter can accept a URL, to which users will be redirected after a successful login. In conjunction with CVE-2019-12784, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site,...
CVE-2020-3922 ArmorX LisoMail - SQL Injection
LisoMail, by ArmorX, allows SQL injection; attackers can access the database without authentication via URL parameter manipulation...
CVE-2020-3922
CVE-2020-3922 affects LisoMail by ArmorX. The vulnerability is an SQL injection via a URL parameter manipulation that allows attackers to access the database without authentication. According to the supplied data, CVSS vectors indicate a NETWORK attack with HIGH/CRITICAL impact (CVSS v3.1: 9.8; c...
CVE-2019-15810
The CVE-2019-15810 entry concerns Netdisco 2.042010, where insufficient sanitization during the device search allows a reflected XSS via manipulation of a URL parameter. The root cause is inadequate input sanitization in the search path; the impact is a reflected cross-site scripting vulnerabilit...
Remote code execution
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz...