16821 matches found
CVE-2025-57433
The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint /cwi/ajaxrequest/getdata.php, an authenticated attacker even with a low-privileged account like guest can retrieve the hashed passwords for the...
CVE-2025-57431
The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The update mechanism fails to validate the integrity of manual.sh, allowing an attacker to inject arbitrary commands by modifying this script and...
PT-2025-38729
Name of the Vulnerable Software and Affected Versions: 2wcom IP-4c version 2.15.5. Description: The web interface of the device contains a flaw that allows information disclosure. An authenticated attacker, even with limited privileges such as a guest account, can obtain hashed passwords for admin,...
CVE-2025-43953
In 2wcom IP-4c 2.16, the web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen...
CVE-2025-43953
CVE-2025-43953 affects the 2wcom IP-4c device running version 2.16. The web interface is vulnerable: admin and manager users can execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen. The vulnerability is exposed over the network (CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H...
LB-LINK BL-AC2100 security vulnerability
LB-LINK BL-AC2100 is a wireless Wi-Fi 6 router from the Chinese vendor Bilink (LB-LINK). A security vulnerability exists in LB-LINK BL-AC2100 1.0.3 and earlier versions, which originates from the improper handling of the parameter Type in the delshrpath function of the /goform/setdelshrpathcfg file in the Web...
PT-2025-38748
Name of the Vulnerable Software and Affected Versions: 2wcom IP-4c version 2.16. Description: The web interface allows admin and manager users to execute arbitrary code as root via a ping or traceroute field on the TCP/IP screen. The affected functionality is accessible through the web interface. Th...
CVE-2025-57431
The Sound4 PULSE-ECO AES67 1.22 web-based management interface is vulnerable to Remote Code Execution (RCE) via a malicious firmware update package. The underlying issue is that the update mechanism does not validate the integrity of the manual.sh script, allowing an attacker to inject arbitrary ...
PT-2025-38749
Name of the Vulnerable Software and Affected Versions: Sound4 PULSE-ECO AES67 version 1.22. Description: The web-based management interface is susceptible to Remote Code Execution (RCE) through a malicious firmware update package. The system does not properly validate the integrity of the manual.sh...
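The three Sound4 PULSE-ECO entries above all come down to one missing check: the installer runs manual.sh out of the uploaded package without first establishing that the package is what the vendor shipped. The following is an added example, not Sound4's code and not taken from the advisories, of an installer that authenticates a package manifest and then checks every member, manual.sh included, against it before any script runs. The package layout, the manifest format, the key and the function names are assumptions made for illustration; an HMAC over the manifest stands in for the vendor signature a real device would verify with an embedded public key (standard-library Python has no Ed25519 or RSA), but the order of checks is the same.

```python
"""Added example (not Sound4's code): verify a firmware update package,
including manual.sh, before executing anything from it.
Assumptions: package = {files, manifest, tag}; manifest = JSON of
name -> SHA-256 hex; tag = HMAC-SHA256 over the manifest bytes with a
device-provisioned key (stand-in for a vendor public-key signature)."""
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed for the example


def build_package(files, key):
    """Vendor-side packaging, constructed here only so there is something to
    verify: a per-file SHA-256 manifest plus an authentication tag over it."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    return {"files": dict(files), "manifest": manifest_bytes, "tag": tag}


def verify_package(pkg, key):
    """Device side. Order matters: authenticate the manifest first, then
    compare every file to it, and refuse extra or missing files so an attacker
    can neither alter manual.sh nor add an unlisted script. Returns (ok, reason)."""
    expected = hmac.new(key, pkg["manifest"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pkg["tag"]):
        return False, "manifest authentication failed"
    manifest = json.loads(pkg["manifest"])
    if set(manifest) != set(pkg["files"]):
        return False, "file set differs from manifest"
    for name, digest in manifest.items():
        actual = hashlib.sha256(pkg["files"][name]).hexdigest()
        if not hmac.compare_digest(actual, digest):
            return False, "hash mismatch: " + name
    return True, "ok"


def apply_update(pkg, key, run_script):
    """Only a fully verified package reaches the script runner."""
    ok, reason = verify_package(pkg, key)
    if ok:
        run_script(pkg["files"]["manual.sh"])
    return ok, reason


# Constructed package contents (not a real image or script).
GENUINE = build_package({
    "firmware.bin": b"\x7fELF constructed image",
    "manual.sh": b"#!/bin/sh\nflash_write /tmp/firmware.bin\n",
}, DEVICE_KEY)


def tamper_script(pkg):
    """Attacker edits manual.sh inside a downloaded package, nothing else."""
    files = dict(pkg["files"])
    files["manual.sh"] = b"#!/bin/sh\nflash_write /tmp/firmware.bin\necho tampered\n"
    return {"files": files, "manifest": pkg["manifest"], "tag": pkg["tag"]}


def tamper_script_and_manifest(pkg):
    """Attacker also rewrites the manifest hashes to match. This is what
    defeats a package that carries only unsigned checksums; here the
    unchanged tag no longer matches the edited manifest."""
    files = tamper_script(pkg)["files"]
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return {"files": files,
            "manifest": json.dumps(manifest, sort_keys=True).encode(),
            "tag": pkg["tag"]}


if __name__ == "__main__":
    ran = []
    print(apply_update(GENUINE, DEVICE_KEY, ran.append))
    print(apply_update(tamper_script(GENUINE), DEVICE_KEY, ran.append))
    print(apply_update(tamper_script_and_manifest(GENUINE), DEVICE_KEY, ran.append))
    print(len(ran), "script(s) executed")
```

The second tampering case is the one to keep in mind when reviewing an update mechanism: a checksum list stored inside the package proves nothing unless something the attacker cannot forge (a signature, or at least a MAC under a key the device holds) covers that list.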
geminabox
A RubyGem hosting tool. The repository contains a simple RubyGem hosting system called Gem in a Box. It allows users to host their own RubyGems, and it includes features such as user authentication, gem versioning, and a web interface for browsing and downloading gems. The to...
CVE-2025-57296
Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. When handling the list and vlanId parameters, the sub_ADBC0 helper function concatenates these user-supplied values into...
CVE-2025-57296
The CVE-2025-57296 entry concerns Tenda AC6 router firmware 15.03.05.19. The formSetIptv function handles /goform/SetIPTVCfg requests and, when processing list and vlanId, uses a sub_ADBC0 helper that concatenates user-supplied values into nvram set system commands via doSystemCmd without validat...
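The Tenda AC6 entries above and the 2wcom IP-4c ping/traceroute entry (CVE-2025-43953) describe the same bug class: a request field is concatenated into a command string (sprintf-style, then doSystemCmd or system()) and the shell that parses it treats `;`, backticks and the like as command separators. The following is an added example, not code from Tenda, 2wcom or either advisory, that shows the vulnerable concatenation next to the hardened form: an allow-list check on each field, then argv passed to the binary with no shell in between. The handler names, the nvram variable name and the use of `echo` as a stand-in for ping and nvram are assumptions made so the example runs offline.

```python
"""Added example (not the vendors' code): OS command injection through a
web form field, and the hardened handler. 'echo' stands in for /bin/ping
and for nvram so this runs anywhere; the injection behaves identically
with the real binaries."""
import ipaddress
import re
import subprocess

PING_PREFIX = "echo ping -c 4 "   # the fixed part of the shell string

# RFC 1123 hostname: dot-separated labels of [A-Za-z0-9-], no leading/trailing '-'
HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")


def ping_unsafe(host):
    """Vulnerable pattern: concatenate the field and hand the string to a
    shell (what doSystemCmd()/system() does with an sprintf-built buffer).
    Returns what the shell printed, injected commands included."""
    cmd = PING_PREFIX + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_host(value):
    """Allow-list check: an IP literal or a hostname, nothing else. Anything a
    shell could act on (; | & ` $ whitespace, newlines) fails here."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) <= 253 and HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("host rejected: %r" % value)


def validate_vlan_id(value):
    """The vlanId field must be a decimal 802.1Q VID in 1..4094."""
    if not re.fullmatch(r"[0-9]{1,4}", value) or not 1 <= int(value) <= 4094:
        raise ValueError("vlanId rejected: %r" % value)
    return str(int(value))


def ping_safe(host):
    """Hardened form: the validated value is one argv element and no shell is
    involved, so metacharacters can never be interpreted. Returns
    (ok, output_or_error) so a web handler can map it to 200/400."""
    try:
        argv = ["echo", "ping", "-c", "4", validate_host(host)]
    except ValueError as exc:
        return False, str(exc)
    return True, subprocess.run(argv, capture_output=True, text=True).stdout


def nvram_set_vlan_safe(vlan_id):
    """Hardened replacement for sprintf(buf, "nvram set iptv_vlan=%s", vlanId)
    followed by doSystemCmd(buf): validate, then build argv for execve.
    Returns (ok, argv_or_error). 'iptv_vlan' is an assumed variable name."""
    try:
        return True, ["nvram", "set", "iptv_vlan=" + validate_vlan_id(vlan_id)]
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(ping_unsafe("192.0.2.1; echo INJECTED"))    # second command runs
    print(ping_safe("192.0.2.1; echo INJECTED"))      # rejected before any exec
    print(ping_safe("192.0.2.1"))
    print(nvram_set_vlan_safe("100"))
    print(nvram_set_vlan_safe("100`reboot`"))
```

Validation alone is not the fix and neither is dropping the shell alone: a regex lets through whatever it was not written to catch, and an argv exec still lets a value starting with `-` be read as an option by the target binary. The two together, with the allow-list rejecting leading dashes, close both gaps.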
CVE-2025-37128
A vulnerability in the web API of HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to terminate arbitrary running processes. Successful exploitation could allow an attacker to disrupt system operations, potentially resulting in an unstable system state...
Vulnerabilities fixed in HPE Aruba Networking EdgeConnect SD-WAN Gateways
HPE has fixed vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN Gateways. The vulnerabilities are in the command-line interface and Web API of the HPE Aruba Networking EdgeConnect SD-WAN Gateways. These vulnerabilities allow authenticated attackers to execute arbitrary system commands wi...
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting
Overview: UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability: cross-site scripting (CWE-79), CVE-2025-8153. RyotaK of GMO Flatt Security Inc. reported this vulnerability to NEC Corporation and coordinated disclosure. After the coordination was completed, NEC...
JVN#95938761: UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation vulnerable to cross-site scripting
UNIVERGE IX/IX-R/IX-V series routers provided by NEC Corporation contain the following vulnerability: cross-site scripting (CWE-79), CVE-2025-8153. CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N, Base Score 5.1; CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, Base Score 6.1. Impact: If a...
CVE-2025-37122
CVE-2025-37122 is an unauthenticated reflected XSS vulnerability in the web-based management interface of network access control services (e.g., HPE Aruba ClearPass). The flaw allows an attacker to craft a link that, when visited by a victim, executes arbitrary JavaScript in the context of the af...
CVE-2025-37122 Unauthenticated Reflected Cross-Site Scripting
A vulnerability in the web-based management interface of network access control services could allow an unauthenticated remote attacker to conduct a Reflected Cross-Site Scripting (XSS) attack. Successful exploitation could allow an attacker to execute arbitrary JavaScript code in a victim's browse...