The Nagiosxi 5.6.6 allows authenticated remote attackers to execute arbitrary code by uploading a malicious check ping plugin. By exploiting this vulnerability, an attacker can gain unauthorized access to the target system.
The Jasmin Ransomware application is vulnerable to SQL Injection which allows an attacker to bypass authentication on the login page by inserting a specially crafted payload into the email and code fields. By entering the payload '=' 'or' in both the email and code fields, an attacker can bypass the authentication and gain unauthorized access to the admin panel.
The ZTE ZXV10 H201L router is vulnerable to remote code execution due to an authentication bypass. This allows an attacker to execute arbitrary code on the device without proper authentication. This vulnerability has the potential to be exploited remotely.
The ollama 0.6.4 application is vulnerable to Server-Side Request Forgery (SSRF) attack. An attacker can manipulate the 'from' parameter in the payload to make the server send requests to arbitrary hosts, potentially leading to unauthorized access to internal systems.
The ip_import_acl_csv request in GestioIP 3.5.7 allows for Reflected Cross-Site Scripting (XSS) where uploaded file content is reflected in the HTML response without proper sanitation. If the uploaded file has an incorrect format leading to an error during processing, parts of the file's content may be displayed in the browser. If this content contains HTML or scripts and is not escaped correctly, browsers may interpret it, potentially causing a security issue like data exfiltration and enabling Cross-Site Request Forgery (CSRF) attacks. Proper input validation and output encoding are crucial to mitigate this vulnerability.
The OpenPanel version 0.3.4 is vulnerable to OS command injection. An attacker can exploit this vulnerability by injecting a malicious command through the 'timezone' parameter in the HTTP POST request. This can lead to arbitrary command execution on the server.
The vulnerability in Next.js versions 13.0.0 to 13.5.8, 14.0.0 to 14.2.24, 15.0.0 to 15.2.2, and 11.1.4 to 12.3.4 allows attackers to bypass middleware restrictions. Exploiting this vulnerability can lead to unauthorized access or execution of malicious actions.
An unauthenticated SQL injection vulnerability was found in KiviCare Clinic & Patient Management System (EHR) version 3.6.4. The vulnerability exists in the tax_calculated_data AJAX action, where the visit_type[service_id] parameter is insufficiently escaped, allowing attackers to execute SQL injection attacks.
The ABB Cylon FLXeon BACnet controller in versions <=9.3.4 uses weak default administrative credentials, which can be exploited in remote password attacks to gain unauthorized access and full control of the system.
The Roundcube Webmail email client before version 1.5.6 or between versions 1.6 and 1.6.6 is vulnerable to stored XSS (Cross Site Scripting) identified as CVE-2024-37383. This vulnerability allows malicious attackers to execute JavaScript code on a user's page by sending a specially crafted email.
Services By CQR