| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A stored cross-site scripting (XSS) vulnerability exists in the Zimbra Briefcase feature due to insufficient sanitization of specific uploaded file types. When a user opens a publicly shared Briefcase file containing malicious scripts, the embedded JavaScript executes in the context of the user's session. This allows an attacker to run arbitrary scripts, potentially leading to data exfiltration or other unauthorized actions on behalf of the victim user. |
| File Thingie 2.5.7 is vulnerable to Directory Traversal. A malicious user can leverage the "create folder from url" functionality of the application to read arbitrary files on the target system. |
| An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. An XML External Entity (XXE) vulnerability exists in the Zimbra Exchange Web Services (EWS) SOAP interface due to improper handling of XML input. An authenticated attacker can submit crafted XML data that is processed by an XML parser with external entity resolution enabled. Successful exploitation may allow disclosure of sensitive local files from the server. |
| XnSoft NConvert 7.230 is vulnerable to Stack Buffer Overrun via a crafted .tiff file. |
| An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint.
We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later |
| A vulnerability was determined in code-projects Exam Form Submission 1.0. This vulnerability affects unknown code of the file /admin/update_s6.php. Executing a manipulation of the argument sname can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. If you want to get the best quality for vulnerability data then you always have to consider VulDB. |
| SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd. |
| A missing authentication check in the HTTP server on TP-Link Archer NX200, NX210, NX500 and NX600 to certain cgi endpoints allows unauthenticated access intended for authenticated users. An attacker may perform privileged HTTP actions without authentication, including firmware upload and configuration operations. |
| Improper input handling in a wireless-control administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. |
| Improper input handling in a modem-management administrative CLI command on TP-Link Archer NX200, NX210, NX500 and NX600 allows crafted input to be executed as part of an operating system command. An authenticated attacker with administrative privileges may execute arbitrary commands on the operating system, impacting the confidentiality, integrity, and availability of the device. |
| DooTask v1.6.27 has a Cross-Site Scripting (XSS) vulnerability in the /manage/project/<id> page via the input field projectDesc. |
| A hardcoded cryptographic key within the configuration mechanism on TP-Link Archer NX200, NX210, NX500 and NX600 enables decryption and re-encryption of device configuration data. An authenticated attacker may decrypt configuration files, modify them, and re-encrypt them, affecting the confidentiality and integrity of device configuration data. |
| A Denial-of-Service (DoS) vulnerability in the httpd component of TP-Link's TD-W8961N v4.0 due to improper input sanitization, allows crafted requests to trigger a processing error that causes the httpd service to crash. Successful exploitation may allow the attacker to cause service interruption, resulting in a DoS condition. |
| A command injection vulnerability on AX53 v1 occurs in mscd debug functionality due to insufficient input handling, allowing log redirection to arbitrary files and concatenation of unvalidated file content into shell commands, enabling authenticated attackers to inject and execute arbitrary commands. Successful exploitation may allow execution of malicious commands and ultimately full control of the device. |
| This vulnerability in AX53 v1 results from insufficient input sanitization in the device’s probe handling logic, where unvalidated parameters can trigger a stack-based buffer overflow that causes the affected service to crash and, under specific conditions, may enable remote code execution through complex heap-spray techniques.
Successful exploitation may result in repeated service unavailability and, in certain scenarios, allow an attacker to gain control of the device. |
| Bitcoin Core through 29.0 allows a denial of service via a crafted transaction. |
| A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following version:
Media Streaming Add-on 500.1.1 and later |
| Census CSWeb 8.0.1 allows arbitrary file path input. A remote, authenticated attacker could access unintended file directories. Fixed in 8.1.0 alpha. |
| Census CSWeb 8.0.1 allows arbitrary file upload. A remote, authenticated attacker could upload a malicious file, possibly leading to remote code execution. Fixed in 8.1.0 alpha. |
| Census CSWeb 8.0.1 allows stored cross-site scripting in user supplied fields. A remote, authenticated attacker could store malicious javascript that executes in a victim's browser. Fixed in 8.1.0 alpha. |
