| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh. |
| Black Box iCOMPEL 9.2.3 through 11.1.4, as used in ONELAN Net-Top-Box 9.2.3 through 11.1.4 and other products, has default credentials that allow remote attackers to access devices remotely via SSH, HTTP, HTTPS, and FTP. |
| MyT Project Management 1.5.1 lacks CSRF protection and, for example, allows a user/create CSRF attack. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page. |
| openITCOCKPIT before 3.7.1 allows SSRF, aka RVID 5-445b21. |
| openITCOCKPIT before 3.7.1 allows deletion of files, aka RVID 4-445b21. |
| openITCOCKPIT before 3.7.1 has reflected XSS, aka RVID 3-445b21. |
| openITCOCKPIT before 3.7.1 has CSRF, aka RVID 2-445b21. |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. |
| laracom (aka Laravel FREE E-Commerce Software) 1.4.11 has search?q= XSS. |
| Ignite Realtime Openfire before 4.4.1 has reflected XSS via an LDAP setup test. |
| DfE School Experience before v16333-GA has XSS via a teacher training URL. |
| django-js-reverse (aka Django JS Reverse) before 0.9.1 has XSS via js_reverse_inline. |
| Bolt before 3.6.10 has XSS via createFolder or createFile in Controller/Async/FilesystemManager.php. |
| Bolt before 3.6.10 has XSS via an image's alt or title field. |
| Bolt before 3.6.10 has XSS via a title that is mishandled in the system log. |
| selectize-plugin-a11y before 1.1.0 has XSS via the msg field. |
| Kimai v2 before 1.1 has XSS via a timesheet description. |
| Domoticz 4.10717 has XSS via item.Name. |
| Status Board 1.1.81 has reflected XSS via dashboard.ts. |
| Status Board 1.1.81 has reflected XSS via logic.ts. |
