| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| JM-DATA ONU JF511-TV version 1.0.67 uses default credentials that allow attackers to gain unauthorized access to the device with administrative privileges. |
| Improper Input validation leads to XSS or Cross-site Scripting vulnerability in OpenText Advanced Authentication. This issue affects Advanced Authentication versions before 6.5. |
| A SQL injection vulnerability has been identified in DobryCMS. Improper neutralization of input provided by user into language functionality allows for SQL Injection attacks.
This issue affects older branches of this software. |
| Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast receiver. An attacker can communicate with the receiver and force the device to perform a factory reset without any Android system permissions.
After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices. |
| Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Grup Arge Energy and Control Systems Smartpower allows SQL Injection.This issue affects Smartpower: through V24.05.27. |
| XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence |
| Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. |
| The ISOinsight from Netvision has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
| Honeywell OneWireless
Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command injection vulnerability. An attacker who is authenticated could use the firmware update process to potentially exploit the vulnerability, leading to a command injection. Honeywell recommends updating to
R322.3, R330.2 or the most recent version of this product2. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RSM Design Website Template allows SQL Injection.This issue affects Website Template: before 1.2. |
| A vulnerability has been identified in Opcenter Quality (All versions < V2406), Opcenter RDnL (All versions < V2410), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions), SINEMA Remote Connect Client (All versions < V3.2 SP3), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 5), Totally Integrated Automation Portal (TIA Portal) V19 (All versions < V19 Update 3). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component. This could allow an unauthenticated remote attacker to execute arbitrary code. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1. |
| A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA30) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA10) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA20) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-1EA30) (All versions < V3.0.1.1). The affected application assigns incorrect permissions to a user management component. This could allow a privileged attacker to escalate their privileges from the Administrators group to the Systemadministrator group. |
| DBLTek GoIP devices (models GoIP 1, 4, 8, 16, and 32) contain an undocumented vendor backdoor in the Telnet administrative interface that allows remote authentication as an undocumented user via a proprietary challenge–response scheme which is fundamentally flawed. Because the challenge response can be computed from the challenge itself, a remote attacker can authenticate without knowledge of a secret and obtain a root shell on the device. This can lead to persistent remote code execution, full device compromise, and arbitrary control of the device and any managed services. The firmware used within these devices was updated in December 2016 to make this vulnerability more complex to exploit. However, it is unknown if DBLTek has taken steps to fully mitigate. |
| In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function. |
| Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges. |
| When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to take over devices as primary user via sharing unnecessary device-sensitive information. |
| UNI-NMS-Lite is vulnerable to a command injection attack that could
allow an unauthenticated attacker to read or manipulate device data. |
| ReQuest Serious Play F3 Media Server 7.0.3 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands as the web server user. Attackers can upload PHP executable files via the Quick File Uploader page, resulting in remote code execution on the server. |
