
Explore Vulnerabilities


Explore all Exploits:

Seo Panel 4.8.0 – ‘category’ Reflected XSS

A cross-site scripting (XSS) issue in the SEO admin login panel version 4.8.0 allows remote attackers to inject JavaScript via the "redirect" parameter. The payload used was x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22. The steps to reproduce were to log in to the SEO admin panel, visit http://localhost/settings.php?category=x%22%20onmouseover%3dalert(document.cookie)%20x%3d%22, and hover the mouse over the "Cancel" field.

Products.PluggableAuthService 2.6.0 – Open Redirect

An open redirect vulnerability exists in Products.PluggableAuthService version 2.6.0 and below. An attacker can exploit this vulnerability by changing the 'came_from' parameter value to a malicious website in the login page. This will redirect the user to an attacker-controlled website.

Thecus N4800Eco Nas Server Control Panel – Command Injection

The Thecus N4800Eco Nas Server Control Panel is vulnerable to command injection. An attacker can exploit this vulnerability by sending malicious input to the web application. This can allow the attacker to execute arbitrary commands on the vulnerable system.

Veyon 4.4.1 – ‘VeyonService’ Unquoted Service Path

A successful attempt would require the local user to be able to insert their code in the system root path, undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CHIYU TCP/IP Converter devices – CRLF injection

A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc. due to a lack of validation on the parameter redirect=, which is available on multiple CGI components.

CHIYU IoT devices – ‘Multiple’ Cross-Site Scripting (XSS)

Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws. A GET request to the affected component (if.cgi) with a payload appended to the end of the vulnerable parameter (TF_submask) can lead to payload execution.

Recent Exploits: