A CSRF vulnerability exists in the GeoVision GV-ASManager web application, version 6.1.1.0 or earlier, enabling attackers to create Admin accounts via a crafted GET request. This exploit is often combined with CVE-2024-56903 for a successful CSRF attack.
The feature 'http://localhost/gestioip/res/ip_mod_dns_key_form.cgi' in GestioIP 3.5.7 is susceptible to Stored XSS. An authenticated attacker can inject malicious code into the 'tsig_key' form field; once saved to the database, the payload is triggered for any user who accesses the 'DNS Key' page, resulting in the execution of the malicious code.
DocsGPT versions 0.8.1 through 0.12.0 allow remote attackers to execute arbitrary code via a crafted HTTP request. An attacker can exploit this vulnerability by sending a malicious payload in the 'data' parameter, leading to the execution of arbitrary commands on the target system. This vulnerability has been assigned CVE-2025-0868.
An information disclosure vulnerability has been found in the GeoVision GV-ASManager web application, version 6.1.0.0 or lower. This vulnerability allows unauthorized access to sensitive information within the application, such as user accounts and cleartext passwords, potentially leading to unauthorized access to monitoring cameras, access cards, and other critical data.
GestioIP v3.5.7 is vulnerable to CSRF attacks via multiple endpoints. An attacker can trick an authenticated admin into visiting a malicious URL, leading to unauthorized actions such as data modification, deletion, or exfiltration.
GestioIP 3.5.7 is prone to an authenticated cross-site scripting vulnerability in the 'ip_do_job' feature. This could allow attackers to perform data exfiltration and cross-site request forgery (CSRF) attacks. The vulnerability can be exploited by injecting malicious scripts into parameters like 'host_id' and 'stored_config'.
The exploit allows an attacker to enumerate valid usernames on Webmin Usermin version 2.100. By sending requests to the password change endpoint with different usernames, the attacker can identify existing user accounts based on the server's responses.
GestioIP version 3.5.7 is vulnerable to remote command execution. An attacker can exploit this vulnerability to execute arbitrary commands on the target server. This exploit is identified by CVE-2024-48760.
The vulnerability exists in the GeoVision GV-ASManager web application, version 6.1.0.0 or below. An attacker with network access and a low-privilege account can perform unauthorized actions such as enabling/disabling accounts, creating new accounts, modifying privileges, and accessing resources. After privilege escalation, the attacker can access monitoring cameras and employee information, change configurations, disrupt services, clone access control data, and retrieve cleartext passwords for further attacks.
The exploit allows an attacker to take over accounts in Cisco Smart Software Manager On-Prem version 8-202206 and earlier. By obtaining necessary tokens, the attacker can gain unauthorized access to user accounts.