| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." |
| A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." |
| A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." |
| A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." |
| A security vulnerability has been detected in itsourcecode Student Information System 1.0. This affects an unknown function of the file /course_edit1.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. |
| A weakness has been identified in Campcodes Online Loan Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=delete_borrower. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. |
| A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) A use-after-free vulnerability in the write_interleaved method allows an attacker to cause a denial of service or memory corruption. The method violates Rust's aliasing rules by modifying a data structure through a mutable pointer while only holding an immutable reference, which can lead to undefined behavior when the data is accessed later. |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) An integer overflow vulnerability in the Vector::new constructor function allows an attacker to cause a denial of service via a null pointer dereference. The vulnerability stems from an unchecked cast of a usize parameter to c_int, which can result in a negative value being passed to the underlying C function sws_allocVec(). |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Integer overflow and invalid input vulnerability in the cached method allows an attacker to cause a denial of service or potentially execute arbitrary code. The vulnerability occurs when dimension parameters are zero or exceed i32::MAX, leading to an unchecked cast that violates the underlying C function's preconditions and triggers undefined behavior. |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) A null pointer dereference vulnerability in the input() constructor function allows an attacker to cause a denial of service. The vulnerability is triggered when the avio_alloc_context() call fails and returns NULL, which is then stored and later dereferenced by the Io struct's Drop implementation. |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Null pointer dereference vulnerability in the name() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check for a NULL return value from the av_get_sample_fmt_name() C function, which can be triggered by providing an unrecognized sample format. |
| An issue was discovered in rust-ffmpeg 0.3.0 (after comit 5ac0527) Null pointer dereference vulnerability in the dump() method allows an attacker to cause a denial of service. The vulnerability exists because the method fails to check the return value of avfilter_graph_dump() for NULL, leading to a crash if the underlying memory allocation fails. |
| SolidInvoice version 2.3.7 is vulnerable to a stored cross-site scripting (XSS) issue in the Clients module. An authenticated attacker can inject JavaScript that executes in other users' browsers when the Clients page is viewed. The vulnerability is fixed in version 2.3.8. |
| SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting (XSS) issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8. |
| An arbitrary file upload vulnerability in Beakon Application before v5.4.3 allows attackers to execute arbitrary code via uploading a crafted file. |
| The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows account takeover, if SSO is used, when a victim changes the email address that they have configured. To exploit this, an attacker would create their own account and perform an SSO login. The root cause of the issue is SSO misconfiguration. |
| TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. The vulnerability arises from the improper input validation of the pppoe_dns1 parameter in the formIpv6Setup interface of /bin/boa. |
| Cross Site Scripting vulnerability in Infor Global HR GHR v.11.23.03.00.21 and before allows a remote attacker to execute arbitrary code via the class parameter. |
| QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder.is shipped with the product. |
