| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent). |
| Cross Site Scripting (XSS) vulnerability in FusionPBX 4.5.26 allows remote unauthenticated users to inject arbitrary web script or HTML via an unsanitized "path" parameter in resources/login.php. |
| SQL injection vulnerability in HKing2802 Locke-Bot 2.0.2 allows remote attackers to run arbitrary SQL commands via crafted string to /src/db.js, /commands/mute.js, /modules/event/messageDelete.js. |
| An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fixed version is 14.0.0,in the forgot-password function becuase the application allows email addresses as usernames, which can cause a Denial of Service. |
| A cross-site scripting (XSS) vulnerability in the fileNameStr parameter of jQuery-Upload-File v4.0.11 allows attackers to execute arbitrary web scripts or HTML via a crafted file with a Javascript payload in the file name. |
| In NavigateCMS version 2.9.4 and below, function `block` is vulnerable to sql injection on parameter `block-order`, which results in arbitrary sql query execution in the backend database. |
| In NavigateCMS version 2.9.4 and below, function in `structure.php` is vulnerable to sql injection on parameter `children_order`, which results in arbitrary sql query execution in the backend database. |
| In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `id` through a post request, which results in arbitrary sql query execution in the backend database. |
| In NavigateCMS version 2.9.4 and below, function in `templates.php` is vulnerable to sql injection on parameter `template-properties-order`, which results in arbitrary sql query execution in the backend database. |
| In NavigateCMS version 2.9.4 and below, function in `product.php` is vulnerable to sql injection on parameter `products-order` through a post request, which results in arbitrary sql query execution in the backend database. |
| Cradlepoint IBR900-600 devices running versions < 7.21.10 are vulnerable to a restricted shell escape sequence that provides an attacker the capability to simultaneously deny availability to the device's NetCloud Manager console, local console and SSH command-line. |
| In NCH WebDictate v2.13, persistent Cross Site Scripting (XSS) exists in the Recipient Name field. An authenticated user can add or modify the affected field to inject arbitrary JavaScript. |
| In NCH WebDictate v2.13 and earlier, authenticated users can abuse logprop?file=/.. path traversal to read files on the filesystem. |
| NCH Reflect CRM 3.01 allows local users to discover cleartext user account information by reading the configuration files. |
| In NCH Quorum v2.03 and earlier, XSS exists via /conferencebrowseuploadfile?confid= (reflected). |
| In NCH Quorum v2.03 and earlier, XSS exists via /conference?id= (reflected). |
| In NCH Quorum v2.03 and earlier, XSS exists via /uploaddoc?id= (reflected). |
| In NCH Quorum v2.03 and earlier, XSS exists via Conference Description (stored). |
| In NCH Quorum v2.03 and earlier, XSS exists via User Display Name (stored). |
| Cross Site Scripting (XSS) exists in NCH Axon PBX v2.22 and earlier via /ipblacklist?errorip= (reflected). |
