Wed, May 19 · 02:15 PM CDTCVE-2017-17674
9.8/10 · Must read/watchNVDvuln
Summary
BMC Remedy Mid Tier 9.1SP3 is affected by remote and local file inclusion. Due to the lack of restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
CVECVE-2017-17674
SeverityCRITICAL
TypeUPDATED
PublishedWed, May 19 · 02:15 PM CDT
ModifiedSun, Jul 05 · 04:16 PM CDT
Mon, Dec 21 · 03:15 PM CSTCVE-2020-35276
9.8/10 · Must read/watchNVDvuln
Summary
EgavilanMedia ECM Address Book 1.0 is affected by SQL injection. An attacker can bypass the Admin Login panel through SQLi and get Admin access and add or remove any user.
CVECVE-2020-35276
SeverityCRITICAL
TypeUPDATED
PublishedMon, Dec 21 · 03:15 PM CST
ModifiedSun, Jul 05 · 04:16 PM CDT
Tue, Jun 14 · 05:15 PM CDTCVE-2021-42675
9.8/10 · Must read/watchNVDvuln
Summary
Kreado Kreasfero 1.5 does not properly sanitize uploaded files to the media directory. One can upload a malicious PHP file and obtain remote code execution.
CVECVE-2021-42675
SeverityCRITICAL
TypeUPDATED
PublishedTue, Jun 14 · 05:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Apr 29 · 12:15 PM CDTCVE-2021-44596
9.8/10 · Must read/watchNVDvuln
Summary
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any
CVECVE-2021-44596
SeverityCRITICAL
TypeUPDATED
PublishedFri, Apr 29 · 12:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Mar 11 · 04:15 PM CSTCVE-2021-44620
9.8/10 · Must read/watchNVDvuln
Summary
A Command Injection vulnerability exits in TOTOLINK A3100R <=V4.1.2cu.5050_B20200504 in adm/ntm.asp via the hosTime parameters.
CVECVE-2021-44620
SeverityCRITICAL
TypeUPDATED
PublishedFri, Mar 11 · 04:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Jan 28 · 07:15 PM CSTCVE-2021-44971
9.8/10 · Must read/watchNVDvuln
Summary
Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0 Firmware V15.03.06.48_multi and so on. an attacker can obtain sensitive information, and even combine it with authenticated command injection to implement RCE.
CVECVE-2021-44971
SeverityCRITICAL
TypeUPDATED
PublishedFri, Jan 28 · 07:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Jun 17 · 01:15 PM CDTCVE-2021-45024
9.8/10 · Must read/watchNVDvuln
Summary
ASG technologies ( A Rocket Software Company) ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to XML External Entity (XXE).
CVECVE-2021-45024
SeverityCRITICAL
TypeUPDATED
PublishedFri, Jun 17 · 01:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Mon, Feb 14 · 02:15 PM CSTCVE-2021-45420
9.8/10 · Must read/watchNVDvuln
Summary
Emerson Dixell XWEB-500 products are affected by arbitrary file write vulnerability in /cgi-bin/logo_extra_upload.cgi, /cgi-bin/cal_save.cgi, and /cgi-bin/lo_utils.cgi. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to denial of service an
CVECVE-2021-45420
SeverityCRITICAL
TypeUPDATED
PublishedMon, Feb 14 · 02:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Wed, Mar 23 · 11:15 AM CDTCVE-2021-45756
9.8/10 · Must read/watchNVDvuln
Summary
Asus RT-AC68U <3.0.0.4.385.20633 and RT-AC5300 <3.0.0.4.384.82072 are affected by a buffer overflow in blocking_request.cgi.
CVECVE-2021-45756
SeverityCRITICAL
TypeUPDATED
PublishedWed, Mar 23 · 11:15 AM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Wed, Mar 30 · 11:15 PM CDTCVE-2021-46007
9.8/10 · Must read/watchNVDvuln
Summary
totolink a3100r V5.9c.4577 is vulnerable to os command injection. The backend of a page is executing the "ping" command, and the input field does not adequately filter special symbols. This can lead to command injection attacks.
CVECVE-2021-46007
SeverityCRITICAL
TypeUPDATED
PublishedWed, Mar 30 · 11:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Wed, Mar 30 · 11:15 PM CDTCVE-2021-46009
9.8/10 · Must read/watchNVDvuln
Summary
In Totolink A3100R V5.9c.4577, multiple pages can be read by curl or Burp Suite without authentication. Additionally, admin configurations can be set without cookies.
CVECVE-2021-46009
SeverityCRITICAL
TypeUPDATED
PublishedWed, Mar 30 · 11:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Thu, Jun 02 · 02:15 PM CDTCVE-2022-24239
9.8/10 · Must read/watchNVDvuln
Summary
ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp.
CVECVE-2022-24239
SeverityCRITICAL
TypeUPDATED
PublishedThu, Jun 02 · 02:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Thu, Jun 02 · 02:15 PM CDTCVE-2022-24240
9.8/10 · Must read/watchNVDvuln
Summary
ACEweb Online Portal 3.5.065 was discovered to contain a SQL injection vulnerability via the criteria parameter in showschedule.awp.
CVECVE-2022-24240
SeverityCRITICAL
TypeUPDATED
PublishedThu, Jun 02 · 02:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Thu, Jun 16 · 07:15 PM CDTCVE-2022-24562
9.8/10 · Must read/watchNVDvuln
Summary
In IOBit IOTransfer 4.3.1.1561, an unauthenticated attacker can send GET and POST requests to Airserv and gain arbitrary read/write access to the entire file-system (with admin privileges) on the victim's endpoint, which can result in data theft and remote code execution.
CVECVE-2022-24562
SeverityCRITICAL
TypeUPDATED
PublishedThu, Jun 16 · 07:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Feb 25 · 08:15 PM CSTCVE-2022-25060
9.8/10 · Must read/watchNVDvuln
Summary
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_startPing.
CVECVE-2022-25060
SeverityCRITICAL
TypeUPDATED
PublishedFri, Feb 25 · 08:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Feb 25 · 08:15 PM CSTCVE-2022-25061
9.8/10 · Must read/watchNVDvuln
Summary
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a command injection vulnerability via the component oal_setIp6DefaultRoute.
CVECVE-2022-25061
SeverityCRITICAL
TypeUPDATED
PublishedFri, Feb 25 · 08:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Fri, Feb 25 · 08:15 PM CSTCVE-2022-25064
9.8/10 · Must read/watchNVDvuln
Summary
TP-LINK TL-WR840N(ES)_V6.20_180709 was discovered to contain a remote code execution (RCE) vulnerability via the function oal_wan6_setIpAddr.
CVECVE-2022-25064
SeverityCRITICAL
TypeUPDATED
PublishedFri, Feb 25 · 08:15 PM CST
ModifiedSun, Jul 05 · 04:17 PM CDT
Mon, Mar 28 · 12:15 AM CDTCVE-2022-26258
9.8/10 · Must read/watchNVDvuln
Summary
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set ccp.
CVECVE-2022-26258
SeverityCRITICAL
TypeUPDATED
PublishedMon, Mar 28 · 12:15 AM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Tue, Apr 12 · 05:15 PM CDTCVE-2022-28397
9.8/10 · Must read/watchNVDvuln
Summary
An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file. NOTE: Vendor states as detailed in Ghost's security documentation, files can only be uploaded and published by trusted users, this is intentional.
CVECVE-2022-28397
SeverityCRITICAL
TypeUPDATED
PublishedTue, Apr 12 · 05:15 PM CDT
ModifiedSun, Jul 05 · 01:16 PM CDT
Wed, May 04 · 03:15 PM CDTCVE-2022-28568
9.8/10 · Must read/watchNVDvuln
Summary
Sourcecodester Doctor's Appointment System 1.0 is vulnerable to File Upload to RCE via Image upload from the administrator panel. An attacker can obtain remote command execution just by knowing the path where the images are stored.
CVECVE-2022-28568
SeverityCRITICAL
TypeUPDATED
PublishedWed, May 04 · 03:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Mon, May 23 · 04:16 PM CDTCVE-2022-28932
9.8/10 · Must read/watchNVDvuln
Summary
D-Link DSL-G2452DG HW:T1\\tFW:ME_2.00 was discovered to contain insecure permissions.
CVECVE-2022-28932
SeverityCRITICAL
TypeUPDATED
PublishedMon, May 23 · 04:16 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Thu, Jun 02 · 02:15 PM CDTCVE-2022-28945
9.8/10 · Must read/watchNVDvuln
Summary
An issue in Webbank WeCube v3.2.2 allows attackers to execute a directory traversal via a crafted ZIP file.
CVECVE-2022-28945
SeverityCRITICAL
TypeUPDATED
PublishedThu, Jun 02 · 02:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Wed, May 04 · 03:15 PM CDTCVE-2022-29347
9.8/10 · Must read/watchNVDvuln
Summary
An arbitrary file upload vulnerability in Web@rchiv 1.0 allows attackers to execute arbitrary commands via a crafted PHP file.
CVECVE-2022-29347
SeverityCRITICAL
TypeUPDATED
PublishedWed, May 04 · 03:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT
Mon, May 16 · 02:15 PM CDTCVE-2022-29351
9.8/10 · Must read/watchNVDvuln
Summary
An arbitrary file upload vulnerability in the file upload module of Tiddlywiki5 v5.2.2 allows attackers to execute arbitrary code via a crafted SVG file. Note: The vendor argues that this is not a legitimate issue and there is no vulnerability here.
CVECVE-2022-29351
SeverityCRITICAL
TypeUPDATED
PublishedMon, May 16 · 02:15 PM CDT
ModifiedSun, Jul 05 · 02:16 PM CDT
Thu, Jun 16 · 05:15 PM CDTCVE-2022-31382
9.8/10 · Must read/watchNVDvuln
Summary
Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter in search-dirctory.php.
CVECVE-2022-31382
SeverityCRITICAL
TypeUPDATED
PublishedThu, Jun 16 · 05:15 PM CDT
ModifiedSun, Jul 05 · 04:17 PM CDT