My CVEs 🛡️

🔗 ICTBroadcast <= 7.4 is vulnerable to an unauthenticated remote code execution. The /login.php page issues a session cookie, and certain cookie keys are evaluated using shell backticks in server-side code. This allows attackers to inject arbitrary system commands into the cookie, resulting in code execution during session handling, without authentication.

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.

🔗 A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup.

🔗 The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges.

🔗 A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution.

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal `date -s` command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

🔗 MagnusBilling 7.3.0 and lower is vulnerable to an unauthenticated stored XSS via the login logs feature. Malicious input submitted as a username during login is stored and later executed in the admin context.

🔗 MagnusBilling 7.3.0 and lower contains a stored XSS vulnerability in the Alarm module. Unsanitized message fields can lead to arbitrary JavaScript execution when viewed by an administrator.

🔗 Xorcom CompletePBX <= 5.2.35 is vulnerable to authenticated file disclosure, allowing access to sensitive files through crafted requests.

🔗 Xorcom CompletePBX <= 5.2.35 contains an authenticated command injection vulnerability, leading to remote code execution via system commands.

🔗 Xorcom CompletePBX <= 5.2.35 is affected by a path traversal vulnerability allowing authenticated file deletion and access to arbitrary paths.

🔗 Xorcom CompletePBX 5.2.35 is vulnerable to an authenticated reflected XSS, allowing JavaScript injection via crafted input.

🔗 Vembu BDRSuite <= 7.5.0.1 is affected by an unauthenticated stored XSS in serverbackupprogress.sgp via the ClientName and BackupName parameters.

🔗 Vembu BDRSuite <= 7.5.0.1 contains an unauthenticated stored XSS in restoreprogress.sgp through multiple unsanitized URL parameters.

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.

🔗 Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials.

🔗 Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.

🔗 Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the render-document.php component.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the photo.php component.

🔗 SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the where Clause in Award Document Rendering.

🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the photo-thumbs.php component.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the ./inc/kiosks.inc component.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the racer-results.php component.

🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via 'classids' Parameter in ajax/query.slide.next.inc.

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the 'back' Parameter in playlist.php.

🔗 Directory Traversal vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component.

🔗 An issue in WWBN AVideo v12.4 through v14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

🔗 Themify Builder < 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

🔗 Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.

🔗 Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, leading to remote code execution (RCE).

🔗 MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters.