| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Open edX Ironwood.1 allows support/certificates?course_id= reflected XSS. |
| ERPNext 11.1.47 allows blog?blog_category= Frame Injection. |
| service/krashrpt.php in Quest KACE K1000 Systems Management Appliance before 6.4 SP3 (6.4.120822) allows a remote attacker to execute code via shell metacharacters in the kuid parameter. |
| usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init. |
| An issue was discovered in EFS Easy Chat Server 3.1. There is a buffer overflow via a long body2.ghp message parameter. |
| D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Upgrade Firmware functionality in the Web interface, using shell metacharacters in the admin.cgi?action=upgrade firmwareRestore or firmwareServerip parameter. |
| D-Link DWL-2600AP 4.2.0.15 Rev A devices have an authenticated OS command injection vulnerability via the Restore Configuration functionality in the Web interface, using shell metacharacters in the admin.cgi?action=config_restore configRestore or configServerip parameter. |
| cPanel before 82.0.18 allows WebDAV authentication bypass because the connection-sharing logic is incorrect (SEC-534). |
| cPanel before 82.0.18 allows stored XSS via WHM Backup Restoration (SEC-533). |
| cPanel before 82.0.18 allows attackers to conduct arbitrary chown operations as root during log processing (SEC-532). |
| cPanel before 82.0.18 allows attackers to read an arbitrary database via MySQL dump streaming (SEC-531). |
| In cPanel before 82.0.18, Cpanel::Rand::Get can produce a predictable series of numbers (SEC-525). |
| cPanel before 82.0.18 allows self-XSS because JSON string escaping is mishandled (SEC-520). |
| cPanel before 82.0.18 allows authentication bypass because of misparsing of the format of the password file (SEC-516). |
| cPanel before 82.0.18 allows attackers to leverage virtual mail accounts in order to bypass account suspensions (SEC-508). |
| cPanel before 82.0.18 allows authentication bypass because webmail usernames are processed inconsistently (SEC-499). |
| An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. The web management interface (setup.cgi) has an authentication bypass and other problems that ultimately allow an attacker to remotely compromise the device from a malicious webpage. The attacker sends an FW_remote.htm&todo=cfg_init request without a cookie, reads the Set-Cookie header in the 401 Unauthorized response, and then repeats the FW_remote.htm&todo=cfg_init request with the specified cookie. |
| An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the web management interface (setup.cgi) are vulnerable to command injection, allowing remote attackers to execute arbitrary commands, as demonstrated by shell metacharacters in the sysDNSHost parameter. |
| An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple actions within the WNR1000V4 web management console are vulnerable to an unauthenticated GET request (exploitable directly or through CSRF), as demonstrated by the setup.cgi?todo=save_htp_account URI. |
| An issue was discovered on NETGEAR WNR1000V4 1.1.0.54 devices. Multiple pages (setup.cgi and adv_index.htm) within the web management console are vulnerable to stored XSS, as demonstrated by the configuration of the UI language. |
