
Explore Vulnerabilities


Explore all Exploits:

WordPress Seotheme – Remote Code Execution Unauthenticated

The vulnerability allows remote attackers to execute arbitrary code on the target system without authentication. It is due to improper input validation in the WordPress Seotheme. The exploit code provided in the script allows attackers to upload a web shell and gain control over the target system.

Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution

The Lot Reservation Management System allows unauthenticated users to upload files, which can lead to remote code execution. By exploiting this vulnerability, an attacker can upload malicious files containing code that can be executed on the server, potentially leading to unauthorized access, data theft, or further compromise of the system.

R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure

The R Radio Network FM Transmitter 1.07 system.cgi endpoint has an improper access control issue that allows unauthenticated users to access and view the clear-text password of the admin user, enabling them to bypass authentication and access FM station setup.

GoAhead Web Server 2.5 – ‘goform/formTest’ Multiple HTML Injection Vulnerabilities

Multiple HTML injection vulnerabilities are found in GoAhead Web Server version 2.5 due to insufficient input validation. Exploiting this vulnerability allows an attacker to inject and execute HTML code within the context of the affected site.

Online Shopping System Advanced SQL Injection Vulnerability

An SQL injection vulnerability in Online Shopping System Advanced allows attackers to gain unauthorized access to the database by injecting malicious SQL statements through the 'cm' parameter. This can lead to the disclosure of sensitive information like user credentials.

101 News-1.0 Multiple-SQLi

The searchtitle parameter in 101 News-1.0 is vulnerable to SQL injection attacks. By submitting a specific payload in the searchtitle parameter, an attacker can inject a SQL sub-query that calls MySQL's load_file function with a UNC file path pointing to an external domain. This allows the attacker to interact with the external domain, confirming the successful execution of the injected SQL query.

Incorrect Access Control Vulnerability in WyreStorm APOLLO VX20 Devices

A vulnerability was found in WyreStorm Apollo VX20 devices prior to version 1.3.58, allowing remote attackers to trigger a device restart through an HTTP GET request to the /device/reboot endpoint. This vulnerability is identified as CVE-2024-25736.

Recent Exploits: