In Grocy version 4.0.2, there is a Cross-Site Request Forgery (CSRF) vulnerability when creating a new user. The lack of CSRF token or verification methods allows an attacker to craft requests in JSON format to create a new user, exploiting the permission settings of the target user.
The Cisco Firepower Management Center (FMC) versions 6.2.3.18, 6.4.0.16, and 6.6.7.1 are vulnerable to an authentication bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the FMC web services interface without proper authentication. This vulnerability has been assigned CVE-2023-20048.
The vulnerability in phpFox <= 4.8.13 allows remote attackers to inject arbitrary PHP objects by passing user input through the 'url' request parameter to the /core/redirect route without proper sanitization. This can lead to various attacks, including executing arbitrary PHP code.
The kk Star Ratings plugin before version 5.4.6 in WordPress is vulnerable to a race condition that allows an attacker to manipulate ratings. By intercepting the rating submission request using tools like Burp and Turbo Intruder, an attacker can send multiple requests simultaneously to the server, resulting in unauthorized changes to the rating values displayed on the page.
The Solar-Log 200 PM+ 3.6.0 Build 99 web panel is vulnerable to stored cross-site scripting (XSS) due to improper input validation. By inserting malicious code into the 'name' field under the Smart Energy configuration, an attacker can execute arbitrary scripts in the context of an authenticated user's session, potentially leading to cookie theft.
The TEM Opera Plus FM Family Transmitter 35.45 allows unauthorized access to a vulnerable endpoint, enabling an attacker to upload a binary image to the MPFS File System without any authentication. This vulnerability can be exploited to overwrite the flash program memory containing the web server's main interfaces, leading to the execution of arbitrary code.
The vulnerability in Moodle version 4.3 allows an authenticated user to access different user details, email addresses, country, city/town, city, and timezone by manipulating the 'id' parameter in URLs like profile.php?id=11. By changing the 'id' value to another number, the attacker can view information of other users on the platform.
The vulnerability exists in Sitecore version 8.2 and affects all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release. An attacker can exploit this vulnerability to execute arbitrary code remotely. CVE-2023-35813 has been assigned to this vulnerability.
The exploit allows an attacker to read arbitrary files on the target system. This affects Adobe ColdFusion versions 2018,15 and earlier, as well as 2021,5 and earlier. It exploits CVE-2023-26360.
The Petrol Pump Management Software version 1.0 is vulnerable to SQL Injection, allowing an attacker to execute malicious code by manipulating the email address parameter in the index.php component.
Services By CQR