| CVE | Vendors | Products | Updated | CVSS v3.1 |
| An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client through 2.2.10 allows an attacker to gain elevated privileges through arbitrary code execution on Windows, Linux, and macOS. |
| The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimate.php. |
| The animate-it plugin before 2.3.5 for WordPress has XSS. |
| The animate-it plugin before 2.3.4 for WordPress has XSS. |
| The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem. |
| An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Report, Screen, or Map without any Username/Password (i.e., anonymously). All created elements (Dashboard/Report/Screen/Map) are accessible by other users and by an admin. |
| cPanel before 82.0.15 allows self XSS in the WHM Update Preferences interface (SEC-528). |
| cPanel before 82.0.15 allows self stored XSS in the WHM SSL Storage Manager interface (SEC-527). |
| cPanel before 82.0.15 allows self XSS in the SSL Key Delete interface (SEC-526). |
| cPanel before 82.0.15 allows self XSS in LiveAPI example scripts (SEC-524). |
| cPanel before 82.0.15 allows self XSS in the SSL Certificate Upload interface (SEC-521). |
| cPanel before 82.0.15 allows API token credentials to persist after an account has been renamed or terminated (SEC-517). |
| Certain NETGEAR devices allow unauthenticated access to critical .cgi and .htm pages via a substring ending with .jpg, such as by appending ?x=1.jpg to a URL. This affects MBR1515, MBR1516, DGN2200, DGN2200M, DGND3700, WNR2000v2, WNDR3300, WNDR3400, WNR3500, and WNR834Bv2. |
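The NETGEAR entry above describes an access check that treats a request as a public static file whenever ".jpg" appears in the raw request target, query string included. The following Python is an added example, not NETGEAR firmware code: it reproduces that flawed check beside a default-deny version that decides on the canonicalized path component only. The static directories, suffix list, segment grammar and sample request targets are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Added illustration of the NETGEAR-style bypass; this is not NETGEAR code.
# Directories, suffixes and request targets below are constructed for the example.

PUBLIC_SUFFIXES = (".jpg", ".gif", ".png", ".css", ".js")   # assumed static types
PUBLIC_DIRS = ("/images/", "/css/", "/js/")                  # assumed static dirs
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_.-]+$")                # one clean path segment


def vulnerable_requires_auth(request_target: str) -> bool:
    """Models the flawed check: a substring test on the raw request target.

    The query string is part of the tested string, so "?x=1.jpg" makes any
    protected .cgi or .htm page look like a static image and skips auth.
    """
    return ".jpg" not in request_target.lower()


def canonical_path(request_target: str) -> str:
    """Path component only, percent-decoded, with '', '.' and '..' segments resolved."""
    raw = unquote(urlsplit(request_target).path)   # urlsplit drops ?query and #fragment
    out = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def hardened_requires_auth(request_target: str) -> bool:
    """Default deny: only a clean path inside an allow-listed static directory is public."""
    path = canonical_path(request_target)
    if not path.startswith(PUBLIC_DIRS):
        return True
    segments = path.split("/")[1:]
    if not all(SEGMENT_RE.match(s) for s in segments):
        return True            # e.g. a literal '?' that survived percent-decoding
    return not path.lower().endswith(PUBLIC_SUFFIXES)


def classify(request_targets):
    """Return {target: (vulnerable_decision, hardened_decision)}; True means auth required."""
    return {t: (vulnerable_requires_auth(t), hardened_requires_auth(t)) for t in request_targets}


if __name__ == "__main__":
    SAMPLE_TARGETS = [                      # constructed request targets
        "/setup.cgi",
        "/setup.cgi?x=1.jpg",
        "/images/logo.jpg",
        "/images/%2e%2e/setup.cgi",
        "/images/..%2fsetup.cgi",
    ]
    for target, (vuln, hard) in classify(SAMPLE_TARGETS).items():
        print(f"{target:32} vulnerable={'auth' if vuln else 'OPEN':4}  "
              f"hardened={'auth' if hard else 'OPEN'}")
```

The hardened variant parses the target before deciding, resolves dot segments after percent-decoding so that encoded traversal cannot slip into an allow-listed directory, and rejects anything the segment grammar does not recognize rather than trying to enumerate bad inputs.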
| Certain NETGEAR devices allow remote attackers to disable all authentication requirements by visiting genieDisableLanChanged.cgi. The attacker can then, for example, visit MNU_accessPassword_recovered.html to obtain a valid new admin password. This affects AC1450, D8500, DC112A, JNDR3000, LG2200D, R4500, R6200, R6200V2, R6250, R6300, R6300v2, R6400, R6700, R6900P, R6900, R7000P, R7000, R7100LG, R7300, R7900, R8000, R8300, R8500, WGR614v10, WN2500RPv2, WNDR3400v2, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2, WNR1000, WNR1000v3, and WNR3500L. |
| gif2png 2.5.13 has a memory leak in the writefile function. |
| OTCMS v3.85 allows arbitrary PHP code execution because admin/sysCheckFile_deal.php blocks the literal string "into outfile" in a SELECT statement but not the equivalent "into/**/outfile", which MySQL parses identically because the comment acts as whitespace. An attacker can therefore write a .php file through the SELECT. |
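The OTCMS entry above is a fixed-string blacklist defeated by an inline comment. The following Python is an added example, not OTCMS code: it reproduces that blacklist beside a check that first normalizes MySQL comment syntax and whitespace, and shows three further inputs the naive test misses. The comment-handling regexes are a small normalizer, not a SQL parser, and the sample statements are constructed for the illustration.

```python
import re

# Added illustration of the blacklist bypass; this is not OTCMS code.
# The regexes model MySQL comment syntax only approximately, and the SQL
# statements in SAMPLES are constructed for the example.


def naive_blocks(sql: str) -> bool:
    """Models the described blacklist: a fixed-string test for 'into outfile'."""
    return "into outfile" in sql.lower()


# /*! ... */ is a MySQL "executable comment": the server runs its body, so keep it.
VERSIONED_COMMENT_RE = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# Ordinary comments act as token separators, so replace each with a space.
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*|#[^\n]*", re.S)
# The file-writing construct, in both of its spellings.
FILE_WRITE_RE = re.compile(r"\binto\s+(?:outfile|dumpfile)\b", re.I)


def normalize(sql: str) -> str:
    """Strip comments and collapse whitespace so lexically equivalent statements compare equal."""
    sql = VERSIONED_COMMENT_RE.sub(r" \1 ", sql)
    sql = COMMENT_RE.sub(" ", sql)
    return re.sub(r"\s+", " ", sql).strip()


def normalized_blocks(sql: str) -> bool:
    """Keyword check on the normalized statement: still a blacklist, but not a byte match."""
    return FILE_WRITE_RE.search(normalize(sql)) is not None


def compare(statements):
    """Return {statement: (naive_blocks, normalized_blocks)} for a batch of statements."""
    return {s: (naive_blocks(s), normalized_blocks(s)) for s in statements}


if __name__ == "__main__":
    SAMPLES = [                                               # constructed statements
        "SELECT 1 INTO OUTFILE '/var/www/html/x.php'",
        "SELECT 1 INTO/**/OUTFILE '/var/www/html/x.php'",     # the bypass from the entry
        "SELECT 1 INTO\n\tOUTFILE '/var/www/html/x.php'",     # whitespace variant
        "SELECT 1 INTO/*!OUTFILE*/ '/var/www/html/x.php'",    # executable comment
        "SELECT 1 INTO DUMPFILE '/var/www/html/x.php'",       # sibling keyword
        "SELECT name FROM members WHERE id = 1",
    ]
    for stmt, (naive, normalized) in compare(SAMPLES).items():
        print(f"naive={naive!s:5} normalized={normalized!s:5}  {stmt!r}")
```

Even the normalized check remains a blacklist and should be read as a detection aid. The durable fix for this class of bug is to deny the feature at the database: run the application under an account without the FILE privilege, or restrict file writes with MySQL's secure_file_priv, so that no spelling of INTO OUTFILE can create a file under the web root.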
| OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, leading to creation of a new management group account, as demonstrated by superadmin. |
| S-CMS v1.5 has XSS in tpl.php via the member/member_login.php from parameter. |
| OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/. |
| Citrix Application Delivery Management (ADM) 12.1 before build 54.13 has Incorrect Access Control. |