Search Results (323536 CVEs found)

CVE | Vendors | Products | Updated | CVSS v3.1
CVE-2018-18788 | 1 Zzcms | 1 Zzcms | 2024-11-21 | N/A
An issue was discovered in zzcms 8.3. SQL Injection exists in admin/classmanage.php via the tablename parameter. (This needs an admin user login.)
CVE-2018-18787 | 1 Zzcms | 1 Zzcms | 2024-11-21 | N/A
An issue was discovered in zzcms 8.3. SQL Injection exists in zs/zs.php via a pxzs cookie.
CVE-2018-18786 | 1 Zzcms | 1 Zzcms | 2024-11-21 | N/A
An issue was discovered in zzcms 8.3. SQL Injection exists in ajax/zs.php via a pxzs cookie.
CVE-2018-18785 | 1 Zzcms | 1 Zzcms | 2024-11-21 | N/A
An issue was discovered in zzcms 8.3. SQL Injection exists in zs/subzs.php with a zzcmscpid cookie to zs/search.php.
CVE-2018-18784 | 1 Zzcms | 1 Zzcms | 2024-11-21 | N/A
An issue was discovered in zzcms 8.3. SQL Injection exists in admin/tagmanage.php via the tabletag parameter. (This needs an admin user login.)
CVE-2018-18783 | 1 Sem-cms | 1 Semcms | 2024-11-21 | N/A
XSS was discovered in SEMCMS V3.4 via the semcms_remail.php?type=ok umail parameter.
CVE-2018-18782 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A
Reflected XSS exists in DedeCMS 5.7 SP2 via the /member/myfriend.php ftype parameter.
CVE-2018-18781 | 1 Dedecms | 1 Dedecms | 2024-11-21 | N/A
DedeCMS 5.7 SP2 allows XSS via the /member/uploads_select.php f or keyword parameter.
CVE-2018-18778 | 1 Acme | 1 Mini-httpd | 2024-11-21 | N/A
ACME mini_httpd before 1.30 lets remote users read arbitrary files.
CVE-2018-18777 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | N/A
Directory traversal vulnerability in Microstrategy Web, version 7, in "/WebMstr7/servlet/mstrWeb" (in the parameter subpage) allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application. NOTE: this is a deprecated product.
CVE-2018-18776 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | N/A
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the admin/admin.asp ShowAll parameter. NOTE: this is a deprecated product.
CVE-2018-18775 | 1 Microstrategy | 1 Microstrategy Web | 2024-11-21 | N/A
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
CVE-2018-18774 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | N/A
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows XSS via the admin/index.php module parameter.
CVE-2018-18773 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | N/A
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=rootpwd, as demonstrated by changing the root password.
CVE-2018-18772 | 1 Control-webpanel | 1 Webpanel | 2024-11-21 | N/A
CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 0.9.8.740 allows CSRF via admin/index.php?module=send_ssh, as demonstrated by executing an arbitrary OS command.
CVE-2018-18771 | 1 Lulucms | 1 Lulu Cms | 2024-11-21 | N/A
An issue was discovered in LuLu CMS through 2015-05-14. backend\modules\filemanager\controllers\DefaultController.php allows arbitrary file upload by entering a filename, directory name, and PHP code into the three text input fields.
CVE-2018-18767 | 2 D-link, Dlink | 3 Dcs-825l Firmware, Dcs-825l, Mydlink Baby Camera Monitor | 2024-11-21 | N/A
An issue was discovered in D-Link 'myDlink Baby App' version 2.04.06. Whenever actions are performed from the app (e.g., change camera settings or play lullabies), it communicates directly with the Wi-Fi camera (D-Link 825L firmware 1.08) with the credentials (username and password) in base64 cleartext. An attacker could conduct an MitM attack on the local network and very easily obtain these credentials.
CVE-2018-18766 | 1 Provisio | 1 Sitekiosk | 2024-11-21 | N/A
An elevation of privilege vulnerability exists in the Call Dispatcher in Provisio SiteKiosk before 9.7.4905.
CVE-2018-18765 | 1 Cesanta | 1 Mongoose | 2024-11-21 | N/A
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in mg_mqtt_next_subscribe_topic. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.
CVE-2018-18764 | 1 Cesanta | 1 Mongoose | 2024-11-21 | N/A
An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in a parse_mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.