eZ Platform Admin UI is vulnerable to Cross-site Scripting (XSS)
There is an XSS vulnerability in CKEditor, which is used by AlloyEditor, which in turn is used in eZ Platform Admin UI. Scripts can be injected through specially crafted "protected" comments. We are not sure it is exploitable in eZ Platform, but recommend installing the update to be on the safe side. It is fixed...
CVE-2023-52354
chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted...
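The smuggling the chasquid entry describes hinges on where a receiver thinks the DATA section ends. The following Go program is an added illustration, not chasquid's code: it replays a constructed DATA stream through a receiver that accepts a bare-LF terminator and through one that insists on the RFC 5321 `<CRLF>.<CRLF>`, and counts how many messages each one accepts. The sample addresses and the "lenient" policy are assumptions for the example; chasquid's actual fix is not reproduced here.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed sample: one DATA section that an upstream relay forwards as a
// single message. It contains a bare "\n.\n" in the body, followed by what
// looks like a fresh SMTP transaction with its own DATA section.
var sampleStream = []byte("From: alice@example.org\r\n" +
	"To: bob@example.net\r\n" +
	"\r\n" +
	"Legit body.\n" +
	".\n" +
	"MAIL FROM:<attacker@example.org>\r\n" +
	"RCPT TO:<victim@example.net>\r\n" +
	"DATA\r\n" +
	"From: ceo@example.net\r\n" +
	"\r\n" +
	"Smuggled body.\r\n" +
	".\r\n")

// messagesSeen replays a stream that starts inside a DATA section and reports
// how many messages the receiver accepts plus the MAIL FROM values it ends up
// processing as commands. With lenient=true a line ended by a bare LF counts
// like a CRLF line, so "\n.\n" terminates the message; with lenient=false only
// "<CRLF>.<CRLF>" does.
func messagesSeen(stream []byte, lenient bool) (count int, senders []string) {
	inData := true
	prevCRLF := true // the DATA command that opened the section ended with CRLF
	for _, ln := range bytes.SplitAfter(stream, []byte("\n")) {
		if inData {
			term := prevCRLF && bytes.Equal(ln, []byte(".\r\n"))
			if lenient && bytes.Equal(ln, []byte(".\n")) {
				term = true
			}
			prevCRLF = bytes.HasSuffix(ln, []byte("\r\n"))
			if term {
				count++
				inData = false
			}
			continue
		}
		// Command phase: whatever follows a terminator is parsed as SMTP commands.
		cmd := strings.TrimRight(string(ln), "\r\n")
		upper := strings.ToUpper(cmd)
		switch {
		case strings.HasPrefix(upper, "MAIL FROM:"):
			senders = append(senders, strings.TrimSpace(cmd[len("MAIL FROM:"):]))
		case upper == "DATA":
			inData = true
			prevCRLF = true
		}
	}
	return count, senders
}

func main() {
	for _, lenient := range []bool{true, false} {
		n, s := messagesSeen(sampleStream, lenient)
		fmt.Printf("lenient=%v: %d message(s), injected MAIL FROM: %q\n", lenient, n, s)
	}
}
```

The lenient receiver sees two messages, the second with a MAIL FROM the relay never authorised; the strict one sees a single message whose body merely contains a dot on a line. A receiver that rejects bare LF in DATA outright, rather than just ignoring it as a terminator, closes the gap from the other side as well.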
GHSA-89P3-9J8C-FQH4 Duplicate Advisory: User account enumeration in eZ Publish Ibexa Kernel
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gmrf-99gw-vvwj. This link is maintained to preserve external references. Original Description This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open...
CVE-2022-21799
Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R firmware v1.13 and earlier allows an attacker on the adjacent network to inject an arbitrary script via unspecified vectors...
Command injection
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attack...
Command injection
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker ca...
Command injection
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can...
CVE-2019-5141
CVE-2019-5141 affects Moxa AWK-3131A, firmware 1.13. An exploitable OS command injection in the iw_webs function via the iw_serverip parameter allows an authenticated, low-privilege user to trigger remote control over the device. The root cause involves user input being reflected in a subsequent ...
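The three Moxa command-injection entries share one root cause: a web parameter (a script file name, the hostname, the server IP) is spliced into a command string that a shell then parses. The Go program below is an added example, not Moxa's code, contrasting that pattern with a hardened version that validates the value against an allow-list and passes it as its own argv element with no shell in between. The helper path `/usr/sbin/iw_config` and its `--server` flag are assumptions for the illustration; the real firmware helper is not on this page.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"regexp"
)

// Hypothetical path of a helper the web interface would invoke.
const iwConfigBin = "/usr/sbin/iw_config"

// vulnerableCommand mirrors the pattern the advisories describe: the
// parameter is concatenated into a command line handed to /bin/sh, so ";",
// "|", "`" or "$(...)" in the value become additional commands.
func vulnerableCommand(serverIP string) *exec.Cmd {
	return exec.Command("/bin/sh", "-c", iwConfigBin+" --server "+serverIP)
}

// validateServerIP accepts only a literal IPv4 or IPv6 address and returns
// it in canonical form; anything else, shell metacharacters included, is
// rejected before it can reach a command.
func validateServerIP(s string) (string, error) {
	ip := net.ParseIP(s)
	if ip == nil {
		return "", errors.New("server IP must be a literal IPv4 or IPv6 address")
	}
	return ip.String(), nil
}

// hostnameLabel is one RFC 1123 label: letters, digits and interior hyphens,
// at most 63 characters.
var hostnameLabel = regexp.MustCompile(`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// validateHostname applies the same allow-list idea to the hostname field.
func validateHostname(s string) (string, error) {
	if !hostnameLabel.MatchString(s) {
		return "", errors.New("hostname must be a single RFC 1123 label")
	}
	return s, nil
}

// hardenedCommand validates first, then passes the value as a separate argv
// element. exec.Command with an explicit argv does no shell parsing, so the
// value can only ever be one argument.
func hardenedCommand(serverIP string) (*exec.Cmd, error) {
	ip, err := validateServerIP(serverIP)
	if err != nil {
		return nil, err
	}
	return exec.Command(iwConfigBin, "--server", ip), nil
}

func main() {
	payload := "192.0.2.10; id" // constructed input carrying a second command
	fmt.Printf("vulnerable argv: %q\n", vulnerableCommand(payload).Args)
	if _, err := hardenedCommand(payload); err != nil {
		fmt.Println("hardened: rejected:", err)
	}
	if cmd, err := hardenedCommand("192.0.2.10"); err == nil {
		fmt.Printf("hardened argv: %q\n", cmd.Args)
	}
}
```

Neither function runs anything; the point is visible in `cmd.Args`. The vulnerable form yields `["/bin/sh" "-c" "... --server 192.0.2.10; id"]`, a single string the shell will split at the semicolon, while the hardened form either refuses the input or yields three discrete arguments.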
Moxa AWK-3131A iw_webs Account Settings Improper Access Control Vulnerability
Summary An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the...
Moxa AWK-3131A iw_webs hostname Authentication Bypass Vulnerability
Summary An exploitable authentication bypass vulnerability exists in the hostname processing of the Moxa AWK-3131A firmware version 1.13. A specially configured device hostname can cause the device to interpret select remote traffic as local traffic, resulting in a bypass of web authentication. A...
CVE-2019-11243
In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientConfig method returns a copy of the provided config with credentials removed (bearer token, username/password, and client certificate/key data). In the affected versions, rest.AnonymousClientConfig did not effectively clear service...
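The Kubernetes entry is an instance of a general bug class: a "strip the credentials" copy that enumerates fields by hand and misses one. The Go example below is added here and is not client-go's code; `Config` is a cut-down stand-in whose field set is my assumption, and the choice of `BearerTokenFile` as the overlooked field is the illustration, not a claim about exactly which field the upstream fix touched. The reflection-based version clears every field carrying a `cred` tag, so a credential added later cannot be silently skipped, and `remainingCredentials` gives a check that can be asserted in a test.

```go
package main

import (
	"fmt"
	"reflect"
)

// Config is an assumed, cut-down client configuration. Fields tagged
// cred:"true" are the ones an "anonymous" copy must clear.
type Config struct {
	Host            string
	CAData          []byte
	BearerToken     string `cred:"true"`
	BearerTokenFile string `cred:"true"`
	Username        string `cred:"true"`
	Password        string `cred:"true"`
	CertData        []byte `cred:"true"`
	KeyData         []byte `cred:"true"`
}

// anonymousBuggy is the hand-written scrub that goes wrong: it clears the
// credentials it knows about but leaves a file path from which a client would
// still load a token at request time.
func anonymousBuggy(c *Config) *Config {
	n := *c
	n.BearerToken = ""
	n.Username, n.Password = "", ""
	n.CertData, n.KeyData = nil, nil
	return &n
}

// anonymous clears every field tagged cred:"true" via reflection, so adding a
// new credential field only requires tagging it.
func anonymous(c *Config) *Config {
	n := *c
	v := reflect.ValueOf(&n).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		if t.Field(i).Tag.Get("cred") == "true" {
			v.Field(i).Set(reflect.Zero(t.Field(i).Type))
		}
	}
	return &n
}

// remainingCredentials lists tagged fields that are still populated; an empty
// result is what "anonymous" has to mean.
func remainingCredentials(c *Config) []string {
	var out []string
	v := reflect.ValueOf(c).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		if t.Field(i).Tag.Get("cred") == "true" && !v.Field(i).IsZero() {
			out = append(out, t.Field(i).Name)
		}
	}
	return out
}

func main() {
	// Constructed: roughly what an in-cluster config carries, with the
	// service account token both inlined and referenced by path.
	c := &Config{
		Host:            "https://10.96.0.1:443",
		CAData:          []byte("-----BEGIN CERTIFICATE-----..."),
		BearerToken:     "eyJhbGciOi...",
		BearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token",
	}
	fmt.Println("buggy copy still holds:", remainingCredentials(anonymousBuggy(c)))
	fmt.Println("fixed copy still holds:", remainingCredentials(anonymous(c)))
}
```

Run as is, the buggy copy reports `BearerTokenFile` and the fixed copy reports nothing. The same `remainingCredentials` walk is the kind of unit test that would have caught the original omission regardless of which field was forgotten.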
CVE-2018-12691
Time-of-check to time-of-use TOCTOU race condition in org.onosproject.acl aka the access control application in ONOS v1.13 and earlier allows attackers to bypass network access control via data plane packet injection...
D-Link revA v1.13 router backdoor
I downloaded firmware v1.13 for the D-Link wireless router model DIR-100 revA. Using Binwalk, I quickly found and extracted a read-only SquashFS file system from it, and it took little effort to load the firmware's web server, /bin/webs, into IDA: From the strings above it is clear that the /bin/webs binary is a modified thttpd that provides the router's administrative interface. It appears to have been modified by Alpha Networks, a Taiwanese subsidiary of D-Link. They were even thoughtful enough to prefix many of their custom function names with "alpha": This alpha_auth_check function looks interesting!...