SSRF on index.php/cobrowse/proxycss/ in GitHub repository livehelperchat/livehelperchat prior to 3.96. Date published : 2022-03-31 https://huntr.dev/bounties/7264a2e1-17e7-4244-93e4-49ec14f282b3 https://github.com/livehelperchat/livehelperchat/commit/c41f283a2c1b46c42dd2af16ecbeaedd2fe1f5df
Loose comparison causes IDOR on multiple endpoints in GitHub repository livehelperchat/livehelperchat prior to 3.96. Date published : 2022-03-31 https://huntr.dev/bounties/3e30171b-c9bf-415c-82f1-6f55a44d09d3 https://github.com/livehelperchat/livehelperchat/commit/72c0df160bfe9838c618652facef29af99392ce3
Cross-site Scripting (XSS) – Stored in GitHub repository vanessa219/vditor prior to 3.8.13. Date published : 2022-03-31 https://huntr.dev/bounties/8202aa06-4b49-45ff-aa0f-00982f62005c https://github.com/vanessa219/vditor/commit/e912e36ea98251d700499b1ac7702708d3398476
Totolink A3100R V5.9c.4577 suffers from Use of Insufficiently Random Values via the web configuration. The SESSION_ID is predictable. An attacker can hijack a valid session and conduct further malicious operations. Date published : 2022-03-30...
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies. Date published : 2022-03-30 http://a3100r.com http://totolink.com
In totolink a3100r V5.9c.4577, the hard-coded telnet password can be discovered from official released firmware. An attacker, who has connected to the Wi-Fi, can easily telnet into the target with root shell if the...
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command...
In Totolink A3100R V5.9c.4577, "test.asp" contains an API-like function, which is not authenticated. Using this function, an attacker can configure multiple settings without authentication. Date published : 2022-03-30 http://a3100r.com http://totolink.com
Vivoh Webinar Manager before 3.6.3.0 has improper API authentication. When a user logs in to the administration configuration web portlet, a VIVOH_AUTH cookie is assigned so that they can be uniquely identified. Certain APIs...
A vulnerability in MEPSAN’s USC+ before version 3.0 has a weakness in login function which lets attackers to generate high privileged accounts passwords. Date published : 2022-03-30 https://www.usom.gov.tr/bildirim/tr-22-0269
An issue was discovered in Firmware Analysis and Comparison Tool v3.2. Logged in administrators could be targeted by a CSRF attack through visiting a crafted web page. Date published : 2022-03-30 https://brainy-sternum-995.notion.site/CVE-2021-44312-Reserved-b4a4415e95444c0e847f926a9e9d6266
An issue was discovered in Firmware Analysis and Comparison Tool v3.2. With administrator privileges, the attacker could perform stored XSS attacks by inserting JavaScript and HTML code in user creation functionality. Date published :...
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component process forceugpo. Date published : 2022-03-30 https://github.com/chibataiki/iot-vuls/blob/main/totolink/command-injection2.md
totolink EX300_v2 V4.0.3c.140_B20210429 was discovered to contain a command injection vulnerability via the component cloudupdate_check. Date published : 2022-03-30 https://github.com/chibataiki/iot-vuls/blob/main/totolink/command-injection1.md