GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify...
Thecus 4800Eco was discovered to contain a command injection vulnerability via the username parameter in /adm/setmain.php. Date published : 2022-05-19 https://docs.unsafe-inline.com/0day/thecus-n4800eco-nas-server-control-panel-comand-injection
The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using...
Improper input validation vulnerability in Mangboard commerce package could lead to occur for abnormal request. A remote attacker can exploit this vulnerability to manipulate the total order amount into a negative number and then...
Improper input validation vulnerability in HANDY Groupware’s ActiveX moudle allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value...
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user...
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created...
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine...
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client. Date published : 2022-05-19 https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.md https://packetstormsecurity.com/files/166641/Online-Sports-Complex-Booking-System-1.0-Cross-Site-Scripting.html
Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company’s Counter Box plugin
Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /classes/master.php?f=delete_ Facility. Date published : 2022-05-19 https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20SQL%20Injection%28%E4%B8%89%29.md
ManageEngine ADSelfService Plus v6.1 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. Date published : 2022-05-19 https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.py
A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. Date published : 2022-05-19 https://github.com/orangehrm/orangehrm/issues/1217