213680 matches found
Privilege escalation
ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation...
Memory corruption
A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against...
Design/Logic Flaw
LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 firmware 7.2.4 are vulnerable to Incorrect Access Control via dpalconfig.zml file. This vulnerability allows remote attackers to disclose sensitive information on Loytec device data point configuration...
Design/Logic Flaw
LOYTEC electronics GmbH LINX-212 6.2.4 and LINX-151 7.2.4 are vulnerable to Insecure Permissions via dpalconfig.zml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication...
Sql injection
SQL injection vulnerability in Packers and Movers Management System v.1.0 allows a remote attacker to execute arbitrary code via crafted payload to the /mpms/admin/?page=user/manageuser&id file...
Buffer overflow
Buffer Overflow vulnerability in /apply.cgi in Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 allows attackers to cause a denial of service via the ApCliAuthMode parameter...
Authentication flaw
LOYTEC electronics GmbH LINX Configurator 7.4.10 is vulnerable to Insecure Permissions. Cleartext storage of credentials allows remote attackers to disclose admin password and bypass an authentication to login Loytec device...
Design/Logic Flaw
In Delta Electronics InfraSuite Device Master v.1.0.7, A vulnerability exists that allows an unauthenticated attacker to disclose user information through a single UDP packet, obtain plaintext credentials, or perform NTLM relaying...
Input validation
An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versio...
Remote file inclusion
LOYTEC electronics GmbH LINX-212 firmware 6.2.4 and LINX-151 Firmware 7.2.4 are vulnerable to Incorrect Access Control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration...
Design/Logic Flaw
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges...
Remote code execution
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution...
Design/Logic Flaw
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute arbitrary code through a single UDP packet...
Improper access control
Incorrect Access Control vulnerability in jshERP V3.3 allows attackers to obtain sensitive information via the doFilter function...
Buffer overflow
KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information...
Path traversal
Absolute path traversal vulnerability in the Systematica SMTP Adapter component up to v2.0.1.101 in Systematica Radius up to v.3.9.256.777 allows remote attackers to read arbitrary files via a full pathname in GET parameter "file" in URL. Also: affected components in same product - HTTP Adapter u...
Code injection
KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect...
Path traversal
UNSUPPORTED WHEN ASSIGNED The value set as the DefaultLocaleResolver.LOCALEKEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to...
Design/Logic Flaw
An Untrusted search path vulnerability in Sohu Video Player 7.0.15.0 allows local users to gain escalated privileges through the version.dll file in the current working directory...
Design/Logic Flaw
An Untrusted search path vulnerability in NetEase CloudMusic 2.10.4 for Windows allows local users to gain escalated privileges through the urlmon.dll file in the current working directory...
Cross site scripting
A vulnerability was found in SourceCodester Book Borrower System 1.0 and classified as problematic. This issue affects some unknown processing of the file endpoint/add-book.php. The manipulation of the argument Book Title/Book Author leads to cross site scripting. The attack may be initiated...
Cross site scripting
A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file add-phlebotomist.php. The manipulation of the argument empid/fullname leads to cross site scripting. The...
Design/Logic Flaw
An Untrusted search path vulnerability in notepad++ 6.5 allows local users to gain escalated privileges through the msimg32.dll file in the current working directory...
Cross site scripting
A vulnerability classified as problematic was found in ZenTao PMS 18.8. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Design/Logic Flaw
Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate and access sensitive files using the tiffserver/tssp.aspx 'FN' and 'PN' parameters. This behavior is related to the use of a deprecated version of Aquaforest TIFF Server, possibly 2.x. The...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function that when passed to the CsteSystem function creates a command execution vulnerability...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF, Missing Authorization vulnerability in gVectors Team wpForo Forum wpforo allows Cross Site Request Forgery, Accessing Functionality Not Properly Constrained by ACLs leading to forced all users log out.This issue affects wpForo Forum: from n/a through 2.2.6...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Design/Logic Flaw
Catalis previously Icon Software CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation...
Code injection
Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 'payforprintCM/Redirector.ashx?userid=' parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01...
Design/Logic Flaw
Tyler Technologies Civil and Criminal Electronic Filing allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the Upload.aspx 'enky' parameter...
Code injection
Tyler Technologies Magistrate Court Case Management Plus allows an unauthenticated, remote attacker to upload, delete, and view files by manipulating the PDFViewer.aspx 'filename' parameter...
Authentication flaw
The default configuration of Aquaforest TIFF Server allows access to arbitrary file paths, subject to any restrictions imposed by Internet Information Services IIS or Microsoft Windows. Depending on how a web application uses and configures TIFF Server, a remote attacker may be able to enumerate...
Information disclosure
Tyler Technologies Court Case Management Plus may store backups in a location that can be accessed by a remote, unauthenticated attacker. Backups may contain sensitive information such as database credentials...
Design/Logic Flaw
Henschen & Associates court document management software does not sufficiently randomize file names of cached documents, allowing a remote, unauthenticated attacker to access restricted documents...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Default configuration
Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate directories using the tiffserver/te003.aspx or te004.aspx 'ifolder' parameter. This behavior is related to the use of a deprecated version of Aquaforest TIFF Server, possibly 2.x. The vulnerable...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file sub4119A0 function obtains fields from the front-end through Uci Set The Str function that when passed to the CsteSystem function creates a command execution vulnerability...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Command injection
In TOTOLINK X6000R V9.4.0cu.852B20230719, the shttpd file, sub4119A0 function obtains fields from the front-end through Uci Set The Str function when passed to the CsteSystem function creates a command execution vulnerability...
Cross site scripting
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in gVectors Team wpForo Forum allows Stored XSS.This issue affects wpForo Forum: from n/a through 2.2.3...
Authentication flaw
An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication. See product Instruction Manual Appendix A dated 20230830 for more details...
Input validation
An Improper Input Validation vulnerability in Schweitzer Engineering Laboratories SEL-411L could allow an attacker to perform reflection attacks against an authorized and authenticated user. See product Instruction Manual Appendix A dated 20230830 for more details...
Cross site scripting
An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system. See product Instruction Manual Appendix A dated 20230830 for mor...
Cross site scripting
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Theme nectar Salient Core allows Stored XSS.This issue affects Salient Core: from n/a through 2.0.2...
Cross site scripting
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP – Accelerated Mobile Pages allows Stored XSS.This issue affects AMP for WP – Accelerated Mobile Pages: from n/a through 1.0.88.1...