| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. Executing a manipulation of the argument Hostname can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 20260226 is able to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. |
| A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. Such manipulation of the argument linkName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| A security flaw has been discovered in SourceCodester Web-based Pharmacy Product Management System 1.0. This impacts an unknown function of the file edit-profile.php. Performing a manipulation of the argument fullname results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. |
| dye is a portable and respectful color library for shell scripts. Prior to 1.1.1, certain dye template expressions would result in execution of arbitrary code. This issue was discovered and fixed by dye's author, and is not known to be exploited. This vulnerability is fixed in 1.1.1. |
| Workbench is a suite of tools for administrators and developers to interact with Salesforce.com organizations via the Force.com APIs. Prior to 65.0.0, Workbench contains remote code execution vulnerability in the timezone conversion flow, which processes attacker-controlled cookie values in an unsafe manner. This vulnerability is fixed in 65.0.0. |
| Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42. |
| CORS misconfiguration in CoolerControl/coolercontrold <4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites |
| PHP remote file inclusion vulnerability in (1) admin.php, and possibly (2) details.php, (3) modify.php, (4) newgroup.php, (5) newtask.php, and (6) rss.php, in MoSpray (aka com_mospray) 1.8 RC1 allows remote attackers to execute arbitrary PHP code via a URL in the basedir parameter. |
| PHP remote file inclusion vulnerability in extadminmenus.class.php in the MultiBanners 1.0.1 for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| PHP remote file inclusion vulnerability in resources/includes/popp.config.loader.inc.php in PopSoft Digital PopPhoto Studio 3.5.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter (cfg['popphoto_base_path'] variable). NOTE: Pixaria has notified CVE that "PopPhoto is NOT a product of Pixaria. It was a product of PopSoft Digital and is only hosted by Pixaria as a courtesy... The vulnerability listed was patched by the previous vendor and all previous users have received this update." |
| Multiple PHP remote file inclusion vulnerabilities in phpCMS 1.2.1pl2 allow remote attackers to execute arbitrary PHP code via a URL in the PHPCMS_INCLUDEPATH parameter to files in parser/include/ including (1) class.parser_phpcms.php, (2) class.session_phpcms.php, (3) class.edit_phpcms.php, (4) class.http_indexer_phpcms.php, (5) class.cache_phpcms.php, (6) class.search_phpcms.php, (7) class.lib_indexer_universal_phpcms.php, and (8) class.layout_phpcms.php, (9) parser/plugs/counter.php, and (10) parser/parser.php. NOTE: the class.cache_phpcms.php vector was also reported to affect 1.1.7. |
| PHP remote file inclusion vulnerability in session.inc.php in ISPConfig 2.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the go_info[server][classes_root] parameter. NOTE: the vendor has disputed this vulnerability, saying that session.inc.php is not under the web root in version 2.2, and register_globals is not enabled |
| Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4 and 6 SP1 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted web page that triggers memory corruption when it is saved as a multipart HTML (.mht) file. |
| Microsoft Office Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via malformed cell comments, which lead to modification of "critical data offsets" during the rebuilding process. |
| Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with a malformed property that triggers memory corruption related to record lengths, aka "Microsoft Office Property Vulnerability," a different vulnerability than CVE-2006-1316. |
| PHP remote file inclusion vulnerability in components/com_mambatstaff/mambatstaff.php in the Mambatstaff 3.1b and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| Ralf Image Gallery (RIG) 0.7.4 and other versions before 1.0, when register_globals is enabled, allows remote attackers to conduct PHP remote file inclusion and directory traversal attacks via URLs or ".." sequences in the (1) dir_abs_src parameter in (a) check_entry.php, (b) admin_album.php, (c) admin_image.php, and (d) admin_util.php; and the (2) dir_abs_admin_src parameter in admin_album.php and admin_image.php. NOTE: this issue can be leveraged to conduct cross-site scripting (XSS) attacks. |
| Multiple PHP remote file inclusion vulnerabilities in Grayscale BandSite CMS 1.1.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) includes/content/contact_content.php; multiple files in adminpanel/includes/add_forms/ including (2) addbioform.php, (3) addfliersform.php, (4) addgenmerchform.php, (5) addinterviewsform.php, (6) addlinksform.php, (7) addlyricsform.php, (8) addmembioform.php, (9) addmerchform.php, (10) addmerchpicform.php, (11) addnewsform.php, (12) addphotosform.php, (13) addreleaseform.php, (14) addreleasepicform.php, (15) addrelmerchform.php, (16) addreviewsform.php, (17) addshowsform.php, (18) addwearmerchform.php; (19) adminpanel/includes/mailinglist/disphtmltbl.php, and (20) adminpanel/includes/mailinglist/dispxls.php. |
| csNewsPro.cgi in CGIScript.net csNews Professional (csNewsPro) allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
