Explore Vulnerabilities

Explore all Exploits:

ABB Cylon Aspect 3.08.03 Hard-coded Secrets

The ABB Cylon Aspect BMS/BAS controller has hard-coded credentials such as usernames, passwords, and encryption keys in various Java classes. This vulnerability could be exploited by attackers to gain unauthorized access and compromise system integrity.

TP-Link VN020 F3v(T) TT_V6.2.1021 – Denial Of Service (DOS)

Two critical vulnerabilities were found in the UPnP implementation of the TP-Link VN020-F3v(T) router, affecting the WANIPConnection service. These vulnerabilities enable unauthenticated attackers to trigger denial of service and potential memory corruption via malformed SOAP requests.

Sony XAV-AX5500 Firmware Update Validation Remote Code Execution

An attacker can execute arbitrary code on Sony XAV-AX5500 devices without requiring authentication by exploiting a vulnerability in the software update handling process. The flaw lies in the lack of proper validation of software update packages, enabling code execution within the device context. This exploit bypasses firmware validation, allowing an attacker with physical access to achieve Remote Code Execution (RCE) on the infotainment unit. The vulnerability affects firmware versions prior to v2.00.

Arbitrary JavaScript Execution in PDF.js in Firefox ESR 115.11

The exploit allows an attacker to execute arbitrary JavaScript code in PDF.js in Firefox ESR version 115.11. By manipulating a crafted PDF file, an attacker can trigger this vulnerability. This exploit is identified as CVE-2024-4367.

ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write Denial of Service (DoS)

The webServerDeviceLabelUpdate.php script in the ABB Cylon Aspect BMS/BAS controller allows authenticated attackers to inject arbitrary content via the 'deviceLabel' POST parameter. The content is written to a fixed file location (/usr/local/aam/etc/deviceLabel), potentially causing denial of service.

Nagios Log Server 2024R1.3.1 – API Key Exposure

An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.

PandoraFMS 7.0NG.772 – SQL Injection

The exploit allows an attacker to perform SQL injection in PandoraFMS version 7.0NG.772. By manipulating certain parameters, an attacker can inject malicious SQL queries, potentially gaining unauthorized access to the database. This vulnerability has been assigned CVE-2023-44088.

ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery

A CSRF vulnerability is found in the ABB Cylon FLXeon series. Exploitation is restricted due to the server's CORS configuration, which lacks Access-Control-Allow-Credentials. The exploit conditions include hosting the malicious page on the same domain, Man-in-the-Middle attacks, LAN access, subdomain hosting, and misconfigured CORS policies.

Gnuboard5 5.3.2.8 – SQL Injection

The vulnerability in Gnuboard5 version 5.3.2.8 allows an attacker to execute arbitrary SQL queries through the 'mysql_user', 'mysql_pass', 'mysql_db', and 'table_prefix' parameters in the 'install_db.php' script, leading to unauthorized access to the database. This exploit utilizes SQL injection to manipulate the SQL queries, potentially resulting in data leakage, modification, or deletion. The CVE associated with this vulnerability is CVE-2020-18662.

Recent Exploits: