Explore Vulnerabilities

Explore all Exploits:

Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability

The Hitachi NAS (HNAS) System Management Unit (SMU) before version 14.8.7825.01 is vulnerable to an Insecure Direct Object Reference (IDOR) issue. An attacker can exploit this vulnerability to download arbitrary files from the server. This vulnerability has been assigned CVE-2023-5808.

WEBIGniter v28.7.23 Stored Cross Site Scripting (XSS)

Stored cross-site scripting (XSS) is a severe vulnerability in which a malicious script is inserted into a vulnerable web application and later served to its users. In WEBIGniter v28.7.23, an attacker can inject a script by manipulating the 'Name' parameter in the 'Categories' section, allowing execution of arbitrary scripts in the victim's browser.

Cisco Firepower Management Center Authentication Bypass

The Cisco Firepower Management Center (FMC) versions 6.2.3.18, 6.4.0.16, and 6.6.7.1 are vulnerable to an authentication bypass. An attacker can exploit this issue to gain unauthorized access to the FMC web services interface without proper authentication. This vulnerability has been assigned CVE-2023-20048.

phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability

In phpFox <= 4.8.13, user input passed through the 'url' request parameter to the /core/redirect route is not properly sanitized, which allows remote attackers to inject arbitrary PHP objects. This can lead to various attacks, including executing arbitrary PHP code.

kk Star Ratings < 5.4.6 - Rating Manipulation via Race Condition

The kk Star Ratings plugin for WordPress before version 5.4.6 is vulnerable to a race condition that allows an attacker to manipulate ratings. By intercepting the rating submission request using tools like Burp and Turbo Intruder, an attacker can send multiple requests simultaneously to the server, resulting in unauthorized changes to the rating values displayed on the page.

Stored Cross-Site Scripting in Solar-Log 200 3.6.0 Web Panel

The Solar-Log 200 PM+ 3.6.0 Build 99 web panel is vulnerable to stored cross-site scripting (XSS) due to improper input validation. By inserting malicious code into the 'name' field under the Smart Energy configuration, an attacker can execute arbitrary scripts in the context of an authenticated user's session, potentially leading to cookie theft.

TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution

The TEM Opera Plus FM Family Transmitter 35.45 allows unauthorized access to a vulnerable endpoint, enabling an attacker to upload a binary image to the MPFS File System without any authentication. This vulnerability can be exploited to overwrite the flash program memory containing the web server's main interfaces, leading to the execution of arbitrary code.

Recent Exploits: