4985 matches found
VulnCheck KEV: CVE-2021-42912
FiberHome ONU GPON AN5506-04-F RP2617 is affected by an OS command injection vulnerability. This vulnerability allows the attacker, once logged in, to send commands to the operating system as the root user via the ping diagnostic tool, bypassing the IP address field, and concatenating OS commands...
VulnCheck KEV: CVE-2024-12356
BeyondTrust Privileged Remote Access PRA and Remote Support RS contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user...
VulnCheck KEV: CVE-2023-52163
Digiever DS-2105 Pro contains a missing authorization vulnerability which could allow for command injection via timetzsetup.cgi...
VulnCheck KEV: CVE-2022-3699
A privilege escalation vulnerability was reported in the Lenovo HardwareScanPlugin prior to version 1.3.1.2 and Lenovo Diagnostics prior to version 4.45 that could allow a local user to execute code with elevated privileges...
VulnCheck KEV: CVE-2019-11001
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root...
VulnCheck KEV: CVE-2021-40407
Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality...
VulnCheck KEV: CVE-2022-23227
NUUO NVRmini2 devices contain a missing authentication vulnerability that allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users...
VulnCheck KEV: CVE-2024-12686
BeyondTrust Privileged Remote Access PRA and Remote Support RS contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to...
VulnCheck KEV: CVE-2020-25206
The web console for Mimosa B5, B5c, and C5x firmware through 2.8.0.2 allows authenticated command injection in the Throughput, WANStats, PhyStats, and QosStats API classes. An attacker with access to a web console account may execute operating system commands on affected devices by sending...
VulnCheck KEV: CVE-2024-35250
Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges...
VulnCheck KEV: CVE-2024-53677
File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload...
VulnCheck KEV: CVE-2024-38653
XXE in SmartDeviceServer in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to read arbitrary files on the server...
VulnCheck KEV: CVE-2024-11015
The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticateuser' user function not implementing sufficient null value checks when setting the access token and user information. This makes it...
VulnCheck KEV: CVE-2024-55550
Mitel MiCollab contains a path traversal vulnerability that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated,...
VulnCheck KEV: CVE-2024-55956
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the...
VulnCheck KEV: CVE-2024-35286
A vulnerability in NuPoint Messenger NPM of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary...
VulnCheck KEV: CVE-2024-10081
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints...
VulnCheck KEV: CVE-2024-41713
Mitel MiCollab contains a path traversal vulnerability that could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server...
VulnCheck KEV: CVE-2024-3378
A vulnerability has been found in iboss Secure Web Gateway up to 10.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login of the component Login Portal. The manipulation of the argument redirectUrl leads to cross site scripting. The...
VulnCheck KEV: CVE-2024-49138
Microsoft Windows Common Log File System CLFS driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges...
VulnCheck KEV: CVE-2024-11972
A vulnerability is present in the Hunk Companion plugin that allows installation and activation of plugins from the Wordpress.org repository via an unauthenticated POST request...
VulnCheck KEV: CVE-2024-50623
Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges...
VulnCheck KEV: CVE-2023-22809
In Sudo before 1.9.12p2, the sudoedit aka -e feature mishandles extra arguments passed in the user-provided environment variables SUDOEDITOR, VISUAL, and EDITOR, allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation...
VulnCheck KEV: CVE-2023-31248
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; nftchainlookupbyid failed to check whether a chain was active and CAPNETADMIN is in any user or network namespace...
VulnCheck KEV: CVE-2023-32233
In the Linux kernel through 6.3.1, a use-after-free in Netfilter nftables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled...
VulnCheck KEV: CVE-2023-3269
A vulnerability exists in the memory management subsystem of the Linux kernel. The lock handling for accessing and updating virtual memory areas VMAs is incorrect, leading to use-after-free problems. This issue can be successfully exploited to execute arbitrary kernel code, escalate containers,...
VulnCheck KEV: CVE-2024-51211
SQL injection vulnerability exists in OS4ED openSIS-Classic Version 9.1, specifically in the resetuserinfo.php file. The vulnerability is due to improper input validation of the $usernamestnid parameter, which can be manipulated by an attacker to inject arbitrary SQL commands...
VulnCheck KEV: CVE-2024-45388
Hoverfly is a lightweight service virtualization/ API simulation / API mocking tool for developers and testers. The /api/v2/simulation POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary...
VulnCheck KEV: CVE-2024-52276
User Interface UI Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. 1. Displayed version does not show the layer flattened version, which is provided when the "Print" option is used. 2. Displayed version does not show the layer flattened version, which...
VulnCheck KEV: CVE-2024-35219
OpenAPI Generator allows generation of API client libraries SDK generation, server stubs, documentation and configuration automatically given an OpenAPI Spec. Prior to version 7.6.0, attackers can exploit a path traversal vulnerability to read and delete files and folders from an arbitrary,...
VulnCheck KEV: CVE-2024-52270
User Interface UI Misrepresentation of Critical Information vulnerability in DropBox SignHelloSign allows Content Spoofing. Displayed version does not show the layer flattened version, once download, If printed e.g. via Google Chrome - Examine the print preview: Will render the...
VulnCheck KEV: CVE-2022-45835
Server-Side Request Forgery SSRF vulnerability in PhonePe PhonePe Payment Solutions.This issue affects PhonePe Payment Solutions: from n/a through 1.0.15...
VulnCheck KEV: CVE-2024-39914
FOG is a cloning/imaging/rescue suite/inventory management system. Prior to 1.5.10.34, packages/web/lib/fog/reportmaker.class.php in FOG was affected by a command injection via the filename parameter to /fog/management/export.php. This vulnerability is fixed in 1.5.10.34...
VulnCheck KEV: CVE-2024-21390
Microsoft Authenticator Elevation of Privilege Vulnerability...
VulnCheck KEV: CVE-2024-12209
The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute...
VulnCheck KEV: CVE-2023-4220
Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS = v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell...
VulnCheck KEV: CVE-2021-43163
A Remote Code Execution RCE vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW3.01B11P55 via the checkNet function in /cgi-bin/luci/api/auth...
VulnCheck KEV: CVE-2024-52271
User Interface UI Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed e.g. via Google Chrome - Examine the print preview: Will render the vulnerability only, not...
VulnCheck KEV: CVE-2022-36559
Seiko SkyBridge MB-A200 v01.00.04 and below was discovered to contain a command injection vulnerability via the Ping parameter at pingexec.cgi...
VulnCheck KEV: CVE-2021-20617
Improper access control vulnerability in acmailer ver. 4.0.1 and earlier, and acmailer DB ver. 1.1.3 and earlier allows remote attackers to execute an arbitrary OS command, or gain an administrative privilege which may result in obtaining the sensitive information on the server via unspecified...
VulnCheck KEV: CVE-2024-34854
F-logic DataCube3 v1.0 is vulnerable to File Upload via /admin/transceiverschedule.php...
VulnCheck KEV: CVE-2024-45507
Server-Side Request Forgery SSRF, Improper Control of Generation of Code 'Code Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue...
VulnCheck KEV: CVE-2023-38192
An issue was discovered in SuperWebMailer 9.00.0.01710. It allows superadmincreate.php XSS via crafted incorrect passwords...
VulnCheck KEV: CVE-2022-23900
A command injection vulnerability in the API of the Wavlink WL-WN531P3 router, version M31G3.V5030.201204, allows an attacker to achieve unauthorized remote code execution via a malicious POST request through /cgi-bin/adm.cgi...
VulnCheck KEV: CVE-2024-52277
User Interface UI Misrepresentation of Critical Information vulnerability in DocuSeal allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed e.g. via Google Chrome - Examine the print preview: Will render the vulnerability only, not all...
VulnCheck KEV: CVE-2024-5827
Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents ?php...
VulnCheck KEV: CVE-2024-52269
User Interface UI Misrepresentation of Critical Information vulnerability in DocuSign allows Content Spoofing. The SaaS AI assistant ignores hidden content that is rendered after signing, misleading the user. For reference see: CVE-2024-52276 This issue affects DocuSign: through 2024-12-04...
VulnCheck KEV: CVE-2024-53197
Linux Kernel contains an out-of-bounds access vulnerability in the USB-audio driver that allows an attacker with physical access to the system to use a malicious USB device to potentially manipulate system memory, escalate privileges, or execute arbitrary code...
VulnCheck KEV: CVE-2024-52564
Inclusion of undocumented features or chicken bits issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. A remote attacker may disable the firewall function of the affected products. As a result, an arbitrary OS command may be executed and/or...
VulnCheck KEV: CVE-2024-45841
Incorrect permission assignment for critical resource issue exists in UD-LT1 firmware Ver.2.1.8 and earlier and UD-LT1/EX firmware Ver.2.1.8 and earlier. If an attacker with the guest account of the affected products accesses a specific file, the information containing credentials may be obtained...