Search Results (360057 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-42867 1 Htmly 1 Htmly 2024-11-21 4.8 Medium
A Cross Site Scripting (XSS) vulnerability exists in DanPros htmly 2.8.1 via the Description field in (1) admin/config, and (2) index.php pages.
CVE-2021-42866 1 Pixelimity 1 Pixelimity 2024-11-21 4.8 Medium
A Cross Site Scripting vulnerability exists in Pixelimity 1.0 via the Site Description field in pixelimity/admin/setting.php
CVE-2021-42863 1 Jerryscript 1 Jerryscript 2024-11-21 9.8 Critical
A buffer overflow in ecma_builtin_typedarray_prototype_filter() in JerryScript version fe3a5c0 allows an attacker to construct a fake object or a fake arraybuffer with unlimited size.
CVE-2021-42860 1 Mini-xml Project 1 Mini-xml 2024-11-21 7.5 High
A stack buffer overflow exists in Mini-XML v3.2. When inputting an unformed XML string to the mxmlLoadString API, it will cause a stack-buffer-overflow in mxml_string_getc:2611. NOTE: it is unclear whether this input is allowed by the API specification.
CVE-2021-42859 1 Mini-xml Project 1 Mini-xml 2024-11-21 7.5 High
A memory leak issue was discovered in Mini-XML v3.2 that could cause a denial of service. NOTE: testing reports are inconsistent, with some testers seeing the issue in both the 3.2 release and in the October 2021 development code, but others not seeing the issue in the 3.2 release.
CVE-2021-42857 1 Riverbed 1 Steelcentral Appinternals Dynamic Sampling Agent 2024-11-21 5.3 Medium
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDaServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/agent/da/pcf" API. The affected endpoint does not have any validation of the user's input that allows a malicious payload to be injected.
CVE-2021-42856 1 Riverbed 1 Steelcentral Appinternals Dynamic Sampling Agent 2024-11-21 4.7 Medium
It was discovered that the /DsaDataTest endpoint is susceptible to Cross-site scripting (XSS) attack. It was noted that the Metric parameter does not have any input checks on the user input that allows an attacker to craft its own malicious payload to trigger a XSS vulnerability.
CVE-2021-42855 1 Riverbed 1 Steelcentral Appinternals Dynamic Sampling Agent 2024-11-21 7.8 High
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent (DSA) uses the ".debug_command.config" file to store a json string that contains a list of IDs and pre-configured commands. The config file is subsequently used by the "/api/appInternals/1.0/agent/configuration" API to map the corresponding ID to a command to be executed.
CVE-2021-42854 1 Riverbed 1 Steelcentral Appinternals Dynamic Sampling Agent 2024-11-21 9.8 Critical
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) PluginServlet has directory traversal vulnerabilities at the "/api/appInternals/1.0/plugin/pmx" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected.
CVE-2021-42853 1 Riverbed 1 Steelcentral Appinternals Dynamic Sampling Agent 2024-11-21 9.1 Critical
It was discovered that the SteelCentral AppInternals Dynamic Sampling Agent's (DSA) AgentDiagnosticServlet has directory traversal vulnerability at the "/api/appInternals/1.0/agent/diagnostic/logs" API. The affected endpoint does not have any input validation of the user's input that allows a malicious payload to be injected.
CVE-2021-42852 1 Lenovo 10 A1, A1 Firmware, T1 and 7 more 2024-11-21 8 High
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device.
CVE-2021-42851 1 Lenovo 10 A1, A1 Firmware, T1 and 7 more 2024-11-21 6.3 Medium
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account.
CVE-2021-42850 1 Lenovo 10 A1, A1 Firmware, T1 and 7 more 2024-11-21 8.8 High
A weak default administrator password for the web interface and serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical or local network access.
CVE-2021-42849 1 Lenovo 10 A1, A1 Firmware, T1 and 7 more 2024-11-21 6.8 Medium
A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access.
CVE-2021-42848 1 Lenovo 10 A1, A1 Firmware, T1 and 7 more 2024-11-21 4.3 Medium
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details.
CVE-2021-42847 1 Zohocorp 1 Manageengine Adaudit Plus 2024-11-21 9.8 Critical
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
CVE-2021-42841 1 Practo 1 Insta Hms 2024-11-21 6.1 Medium
Insta HMS before 12.4.10 is vulnerable to XSS because of improper validation of user-supplied input by multiple scripts. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2021-42840 1 Salesagility 1 Suitecrm 2024-11-21 8.8 High
SuiteCRM before 7.11.19 allows remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, logger_file_name can refer to an attacker-controlled PHP file under the web root, because only the all-lowercase PHP file extensions were blocked. NOTE: this issue exists because of an incomplete fix for CVE-2020-28328.
CVE-2021-42839 1 Vice 1 Webopac 2024-11-21 8.8 High
Grand Vice info Co. webopac7 file upload function fails to filter special characters. While logging in with general user’s permission, remote attackers can upload malicious script and execute arbitrary code to control the system or interrupt services.
CVE-2021-42838 1 Vice 1 Webopac 2024-11-21 6.1 Medium
Grand Vice info Co. webopac7 book search field parameter does not properly restrict the input of special characters, thus unauthenticated attackers can inject JavaScript syntax remotely, and further perform reflective XSS attacks.