WonderCMS version 3.4.2 is vulnerable to remote code execution. An attacker can exploit this vulnerability by injecting a malicious .js file through an XSS attack, leading to the execution of arbitrary PHP code on the target system. This vulnerability has been assigned CVE-2023-41425.
The ABB Cylon Aspect BMS/BAS controller before 3.08.02 allows unauthenticated users to execute arbitrary shell commands via the deployStart.php script. This vulnerability can be exploited to run the 'rundeploy.sh' script, which initializes the Java deployment server and configures settings, leading to unauthorized server initialization and potential performance issues.
ABB Cylon controllers in version 3.08.02 and below are vulnerable to an authenticated path traversal issue. By manipulating the 'devName' POST parameter of the ethernetUpdate.php script, an attacker can write partially controlled data, such as IP addresses, to arbitrary file paths. This could result in unauthorized configuration changes, system compromise, and denial of service through the overwriting of Ethernet configuration backup files.
Langflow version < 1.3.0 is vulnerable to remote code execution (RCE) due to a lack of proper input validation. An attacker can exploit this by sending crafted HTTP requests, leading to the execution of arbitrary code on the target system. This vulnerability has been assigned CVE-2025-3248.
A CSRF vulnerability in ERPNext versions 14.82.1 and 14.74.3 allows attackers to manipulate the accounts of logged-in administrators without their consent. This can lead to unauthorized actions such as user deletion, role assignment, and account takeover through password changes.
An arbitrary file upload vulnerability exists in flatCore 1.5.5, allowing attackers to upload malicious PHP files via the admin panel. By intercepting and modifying the upload request, an attacker can upload a PHP backdoor file to gain unauthorized access to the system.
The exploit allows an attacker to perform Cross Site Request Forgery (CSRF) on flatCore version 1.5. By tricking an authenticated user into visiting a malicious website, the attacker can upload files to the server due to lack of proper CSRF protection. This vulnerability has been assigned CVE-2019-13961.
An SQL injection vulnerability exists in the 'username' parameter on the '/?action=processlogin' page of Inventio Lite version 4 and below. The exploit allows an attacker to extract hashed passwords from the database and attempt to crack them offline, given the specific hashing algorithm used.
A Stored Cross Site Scripting (XSS) vulnerability exists in OpenCMS 17.0 in the author field when publishing an article. By placing a malicious script in the author field, an attacker can execute arbitrary scripts in the browser of users who click the 'Read More' button, potentially leading to unauthorized actions.
The TimeProvider 4100 grandmaster firmware through version 2.4.7 is vulnerable to stored Cross-Site Scripting (XSS) in the custom banner configuration field. An attacker exploiting this vulnerability can run arbitrary scripts in a user's context.