| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Incorrect access control in logs management function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote attackers to get the device logs via HTTP GET request. The logs contain such information as user names and IP addresses used in the infrastructure. This information may help the attackers to conduct further attacks in the infrastructure. |
| Aten PE6208 2.3.228 and 2.4.232 have default credentials for the privileged telnet account. The user is not asked to change the credentials after first login. If not changed, attackers can log in to the telnet console and gain administrator privileges. |
| Aten PE6208 2.3.228 and 2.4.232 have default credentials for the privileged web interface account. The user is not asked to change the credentials after first login. If not changed, attackers can log in to the web interface and gain administrator privileges. |
| Incorrect access control in firmware upgrade function of web interface in Aten PE6208 2.3.228 and 2.4.232 allows remote authenticated users to submit a firmware image via HTTP POST requests. This may result in DoS or remote code execution. |
| D-link DI-8100 16.07.26A1 is vulnerable to Command Injection. An attacker can exploit this vulnerability by crafting specific HTTP requests, triggering the command execution flaw and gaining the highest privilege shell access to the firmware system. |
| An issue was discovered in Apiris Kafeo 6.4.4. It permits a bypass, of the protection in place, to access to the data stored in the embedded database file. |
| An issue was discovered in Apiris Kafeo 6.4.4. It permits DLL hijacking, allowing a user to trigger the execution of arbitrary code every time the product is executed. |
| An issue was discovered in ViewerJS 0.5.8. A script from the component loads content via URL TAGs without properly sanitizing it. This leads to both open redirection and out-of-band resource loading. |
| An issue was discovered in Regify Regipay Client for Windows version 4.5.1.0 allows DLL hijacking: a user can trigger the execution of arbitrary code every time the product is executed. |
| Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in several locations, allowing an attacker to store a JavaScript payload. |
| Vound Intella Connect 2.6.0.3 is vulnerable to stored Cross-site Scripting (XSS). |
| Vound Intella Connect 2.6.0.3 has an Open Redirect vulnerability. |
| Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars. |
| An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking. |
| An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
| An issue was discovered in Independentsoft JSpreadsheet before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
| An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file. |
| An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b. An attacker may upload a crafted file to execute arbitrary code. |
| An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked. |
| An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users. |
