Explore Vulnerabilities

Explore all Exploits:

Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution

Electrolink FM/DAB/TV Transmitter devices with web versions 01.09, 01.08, 01.07, display versions 1.4, 1.2, and control unit versions 01.06, 01.04, 01.03 are vulnerable to a pre-authentication remote code execution flaw. An attacker can exploit this vulnerability by uploading a malicious MPFS image, leading to the execution of arbitrary code on the affected device.

GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client

GL.iNet version 4.3.7 is vulnerable to remote code execution via the OpenVPN client. By exploiting this vulnerability, an attacker can execute arbitrary code on the target system. This vulnerability has been assigned CVE-2023-46454.

Zoo Management System 1.0 – Unauthenticated Remote Code Execution

Zoo Management System 1.0 lets unauthenticated users upload malicious PHP files instead of animal images through the /zoomanagementsystem/admin/public_html/save_animal endpoint.

Academy LMS 6.2 – SQL Injection

SQL injection in Academy LMS 6.2 allows unauthorized access to sensitive data, data modification, and application crashes. This can result in financial losses and harm a company's reputation. An attacker can exploit the 'price_min' and 'price_max' parameters in the /academy/tutor/filter path to perform SQL injection attacks.

Hardcoded Credentials in Automatic-Systems SOC FL9600 FastLine

The Automatic Systems SOC FL9600 FastLine V06 device contains hardcoded login credentials for the super admin account, which cannot be changed. An attacker can exploit this vulnerability to gain sensitive information using the following credentials: Login: automaticsystems, Password: astech. This vulnerability is identified as CVE-2023-37608.

Ladder v0.0.21 – Server-side Request Forgery (SSRF)

Ladder version v0.0.21 is vulnerable to Server-side Request Forgery (SSRF) due to inadequate restrictions on destination addresses. This allows an attacker to send GET requests to addresses that are usually inaccessible externally. Attackers can exploit this to reach private address ranges, locally hosted services, and cloud instance metadata APIs.

Akaunting <= 3.1.3 Remote Code Execution

Akaunting versions 3.1.3 and below are vulnerable to remote code execution (RCE), allowing an attacker to execute arbitrary commands on the target system. By injecting malicious commands through a crafted request to the 'companies' endpoint, an attacker can exploit this vulnerability. CVE-2024-22836 has been assigned to this issue.

Electrolink FM/DAB/TV Transmitter Remote Authentication Bypass

An attacker can bypass authentication on Electrolink FM/DAB/TV Transmitter devices due to a lack of proper authentication mechanisms. This vulnerability affects various models and versions of Electrolink transmitters, allowing unauthorized access to the devices.

Recent Exploits: