4985 matches found
VulnCheck KEV: CVE-2019-8720
WebKitGTK contains a memory corruption vulnerability which can allow an attacker to perform remote code execution...
VulnCheck KEV: CVE-2022-1609
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site...
VulnCheck KEV: CVE-2022-20821
Cisco IOS XR software health check opens TCP port 6379 by default on activation. An attacker can connect to the Redis instance on the open port and allow access to the Redis instance that is running within the NOSi container...
VulnCheck KEV: CVE-2022-30525
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device...
VulnCheck KEV: CVE-2014-0112
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for...
VulnCheck KEV: CVE-2012-5469
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod...
VulnCheck KEV: CVE-2021-31805
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %... syntax. Using forced OGNL evaluation on untrusted user input can lead...
VulnCheck KEV: CVE-2014-0114
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute...
VulnCheck KEV: CVE-2014-0094
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method...
VulnCheck KEV: CVE-2014-0113
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists...
VulnCheck KEV: CVE-2022-26925
Microsoft Windows Local Security Authority LSA contains a spoofing vulnerability where an attacker can coerce the domain controller to authenticate to the attacker using NTLM...
VulnCheck KEV: CVE-2021-21311
Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information...
VulnCheck KEV: CVE-2022-29444
Plugin Settings Change leading to Cross-Site Scripting XSS vulnerability in Cloudways Breeze plugin = 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wpajax actions in the class BreezeConfiguration which includes the ability to change any of...
VulnCheck KEV: CVE-2022-22947
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured...
VulnCheck KEV: CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in...
VulnCheck KEV: CVE-2022-21919
Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2022-0847
Linux kernel contains an improper initialization vulnerability where an unprivileged local user could escalate their privileges on the system. This vulnerability has the moniker of "Dirty Pipe."...
VulnCheck KEV: CVE-2021-41357
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2021-40450
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2022-29464
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution...
VulnCheck KEV: CVE-2022-22718
Microsoft Windows Print Spooler contains an unspecified vulnerability which allow for privilege escalation...
VulnCheck KEV: CVE-2022-28810
Zoho ManageEngine ADSelfService Plus contains an unspecified vulnerability allowing for remote code execution when performing a password change or reset...
VulnCheck KEV: CVE-2022-26904
Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2018-6882
Synacor Zimbra Collaboration Suite ZCS contains a cross-site scripting vulnerability that might allow remote attackers to inject arbitrary web script or HTML...
VulnCheck KEV: CVE-2022-26809
Remote Procedure Call Runtime Remote Code Execution Vulnerability...
VulnCheck KEV: CVE-2014-8356
The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference...
VulnCheck KEV: CVE-2022-1329
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the /core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious...
VulnCheck KEV: CVE-2022-1364
Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft...
VulnCheck KEV: CVE-2014-8357
backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf...
VulnCheck KEV: CVE-2020-15368
AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3...
VulnCheck KEV: CVE-2022-27226
A CSRF issue in /api/crontab on iRZ Mobile Routers through 2022-03-16 allows a threat actor to create a crontab entry in the router administration panel. The cronjob will consequently execute the entry on the threat actor's defined interval, leading to remote code execution, allowing the threat...
VulnCheck KEV: CVE-2022-24521
Microsoft Windows Common Log File System CLFS Driver contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2014-9118
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd...
VulnCheck KEV: CVE-2020-17456
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the systemlog.cgi page...
VulnCheck KEV: CVE-2019-18426
A vulnerability in WhatsApp Desktop when paired with WhatsApp for iPhone allows cross-site scripting and local file reading...
VulnCheck KEV: CVE-2020-2509
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution...
VulnCheck KEV: CVE-2021-42287
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2021-27852
Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code...
VulnCheck KEV: CVE-2021-42278
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2022-24990
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint...
VulnCheck KEV: CVE-2021-3156
Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation...
VulnCheck KEV: CVE-2022-22954
VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection...
VulnCheck KEV: CVE-2022-22960
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts...
VulnCheck KEV: CVE-2022-22965
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution RCE via data binding...
VulnCheck KEV: CVE-2022-25080
TOTOLink A830R V5.9c.4729B20191112 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter...
VulnCheck KEV: CVE-2022-25079
TOTOLink A810R V4.1.2cu.5182B20201026 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter...
VulnCheck KEV: CVE-2022-25083
TOTOLink A860R V4.1.2cu.5182B20201027 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter...
VulnCheck KEV: CVE-2022-26186
TOTOLINK N600R V4.3.0cu.7570B20200620 was discovered to contain a command injection vulnerability via the exportOvpn interface at cstecgi.cgi...
VulnCheck KEV: CVE-2021-4045
TP-Link Tapo C200 IP camera, on its 1.1.15 firmware version and below, is affected by an unauthenticated RCE vulnerability, present in the uhttpd binary running by default as root. The exploitation of this vulnerability allows an attacker to take full control of the camera...
VulnCheck KEV: CVE-2022-25075
TOTOLink A3000RU V5.9c.2280B20180512 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter...