16831 matches found
CVE-2024-20471
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not validat...
CVE-2024-20534
A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting XSS attacks against users. This vulnerabilit...
CVE-2024-28144
An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user...
CVE-2024-28138
An unauthenticated attacker with network access to the affected device's web interface can execute any system command via the "msgevents.php" script as the www-data user. The HTTP GET parameter "data" is not properly sanitized...
CVE-2024-28781
IBM UrbanCode Deploy UCD 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4, and 8.0 through 8.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality...
CVE-2024-45177
An issue was discovered in za-internet C-MOR Video Surveillance 5.2401 and 6.00PL01. Due to improper input validation, the C-MOR web interface is vulnerable to persistent cross-site scripting XSS attacks. It was found out that the camera configuration is vulnerable to a persistent cross-site...
CVE-2024-55515
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /uploadipslib.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded...
CVE-2024-55516
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 v3.90. The component affected by this issue is /uploadsysconfig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissio...
CVE-2024-55514
A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /uploadsfmig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions...
CVE-2024-13130
A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to...
CVE-2024-48418
In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of user provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands...
CVE-2024-57514
The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting XSS due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL...
CVE-2024-48419
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd Each of these issues allows an attacker with access t...
CVE-2024-48197
Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface...
CVE-2024-55544
Missing input validation in the ORing IAP-420 web-interface allows authenticated Command Injections on OS level.This issue affects IAP-420 version 2.01e and below...
CVE-2024-28808
An issue was discovered in Infinera hiT 7300 5.60.50. Hidden functionality in the web interface allows a remote authenticated attacker to access reserved information by accessing undocumented web applications...
CVE-2023-25802
Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Versions prior to 6.3.6.0 don't correctly neutralize dir/../filename sequences, such as /etc/nginx/../passwd, allowing an actor to gain information about a server. Version 6.3.6.0 has a patch for this issue...
CVE-2023-30467
This vulnerability exists in Milesight 4K/H.265 Series NVR models MS-Nxxxx-xxG, MS-Nxxxx-xxE, MS-Nxxxx-xxT, MS-Nxxxx-xxH and MS-Nxxxx-xxC, due to improper authorization at the Milesight NVR web-based management interface. A remote attacker could exploit this vulnerability by sending a specially...
CVE-2023-28520
IBM Planning Analytics Local 2.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250454...
CVE-2023-28627
pymedusa is an automatic video library manager for TV Shows. In versions prior 1.0.12 an attacker with access to the web interface can update the git executable path in /config/general/ advanced settings with arbitrary OS commands. An attacker may exploit this vulnerability to take execute...