16820 matches found
File Browser Unauthenticated Access
File Browser is an open-source web-based file manager that allows users to manage files on a server through a web interface. If the File Browser instance is accessible without authentication, it can lead to unauthorized access to sensitive files and directories on the server. No source data...
CVE-2025-10959 Wavlink NU516U1 firewall.cgi sub_401778 command injection
A vulnerability has been found in Wavlink NU516U1 M16U1V240425. The affected element is the function sub401778 of the file /cgi-bin/firewall.cgi. Such manipulation of the argument dmzflag leads to command injection. The attack can be executed remotely. The exploit has been disclosed to the public...
CVE-2025-9495
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attack...
IBM Watson Studio 跨站脚本漏洞
IBM Watson Studio is a data science and machine learning platform from IBM, integrated into Cloud Pak for Data, for building, training and deploying AI models. A cross-site scripting vulnerability exists in IBM Watson Studio versions 4.0 through 5.2.0 that stems from not adequately filtering user...
CVE-2025-20327
A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a...
CVE-2025-20240
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack XSS on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could...
CVE-2025-20240
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack XSS on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could...
CVE-2025-20240
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack XSS on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could...
CVE-2025-20240
Cisco IOS XE Software Web UI/Web Authentication vulnerability (CVE-2025-20240) is a reflected XSS due to improper sanitization of user input. An unauthenticated, remote attacker can bait a user to click a malicious link, potentially executing a reflected XSS and stealing cookies on the affected d...
CVE-2025-20327
A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a...
CVE-2025-20327
A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service DoS condition on an affected device. This vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a...
Cisco IOS XE Software Web Authentication Reflected Cross-Site Scripting Vulnerability
A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack XSS on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could...
CVE-2025-57433
The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint /cwi/ajaxrequest/getdata.php, an authenticated attacker even with a low-privileged account like guest can retrieve the hashed passwords for the...
Security Bulletin: TS4500 Tape Library/Diamondback Tape Library addresses security vulnerability CVE-2025-36088
Summary The web GUI did not sufficiently sanitize user input in certain dialogs, allowing HTML or JavaScript to be stored and later displayed to other users. Malicious code would only execute if a user opened the affected event entry. The issue has been resolved by adding proper input sanitizatio...
CVE-2025-9495
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attack...
CVE-2025-9495 Viessmann Vitogate 300 Authentication Bypass
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attack...
CVE-2025-9495 Viessmann Vitogate 300 Authentication Bypass
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attack...
CVE-2025-9495
CVE-2025-9495 - Vitogate 300 Authentication Bypass : The Vitogate 300 web interface relies on frontend-based authentication controls and does not enforce proper server-side authentication. An attacker can modify HTML elements via browser developer tools to bypass login restrictions and reveal the...
CVE-2025-57433
The CVE-2025-57433 entry concerns the 2wcom IP-4c device (version 2.15.5). A vulnerability in the web interface allows information disclosure via a crafted POST to /cwi/ajax_request/get_data.php. An authenticated user, even with low privileges (e.g., guest), can retrieve hashed passwords for admi...
CVE-2025-57433
The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint /cwi/ajaxrequest/getdata.php, an authenticated attacker even with a low-privileged account like guest can retrieve the hashed passwords for the...