My CVEs 🛡️

Total CVEs: 48 🧩

Year Number of CVEs
2023 1
2024 21
2025 26

🗓️ CVEs from 2025

CVE-2025-34452 🛡️

🔗 Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities that allow an authenticated attacker to write arbitrary files to the server filesystem.

CVE-2025-34433 🛡️

🔗 AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.

CVE-2025-34434 🛡️

🔗 AVideo versions prior to 20.0 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.

CVE-2025-34435 🛡️

🔗 AVideo versions prior to 20.0 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.

CVE-2025-34436 🛡️

🔗 AVideo versions prior to 20.0 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.

CVE-2025-34437 🛡️

🔗 AVideo versions prior to 20.0 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

CVE-2025-34438 🛡️

🔗 AVideo versions prior to 20.0 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.

CVE-2025-34439 🛡️

🔗 AVideo versions prior to 20.0 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.

CVE-2025-34440 🛡️

🔗 AVideo versions prior to 20.0 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.

CVE-2025-34441 🛡️

🔗 AVideo versions prior to 20.0 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.

CVE-2025-34442 🛡️

🔗 AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.

CVE-2025-2611 🛡️

🔗 ICTBroadcast <= 7.4 is vulnerable to unauthenticated remote code execution. The /login.php page issues a session cookie, and certain cookie keys are evaluated using shell backticks in server-side code. This allows attackers to inject arbitrary system commands into the cookie, resulting in code execution during session handling, without authentication.

CVE-2025-34147 🛡️

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise.

CVE-2025-34148 🛡️

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise.

CVE-2025-34149 🛡️

🔗 A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup.

CVE-2025-34150 🛡️

🔗 The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges.

CVE-2025-34151 🛡️

🔗 A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution.

CVE-2025-34152 🛡️

🔗 An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal `date -s` command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes.

CVE-2025-2609 🛡️

🔗 MagnusBilling 7.3.0 and lower is vulnerable to an unauthenticated stored XSS via the login logs feature. Malicious input submitted as a username during login is stored and later executed in the admin context.

CVE-2025-2610 🛡️

🔗 MagnusBilling 7.3.0 and lower contains a stored XSS vulnerability in the Alarm module. Unsanitized message fields can lead to arbitrary JavaScript execution when viewed by an administrator.

CVE-2025-2292 🛡️

🔗 Xorcom CompletePBX <= 5.2.35 is vulnerable to authenticated file disclosure, allowing access to sensitive files through crafted requests.

CVE-2025-30004 🛡️

🔗 Xorcom CompletePBX <= 5.2.35 contains an authenticated command injection vulnerability, leading to remote code execution via system commands.

CVE-2025-30005 🛡️

🔗 Xorcom CompletePBX <= 5.2.35 is affected by a path traversal vulnerability allowing authenticated file deletion and access to arbitrary paths.

CVE-2025-30006 🛡️

🔗 Xorcom CompletePBX 5.2.35 is vulnerable to an authenticated reflected XSS, allowing JavaScript injection via crafted input.

CVE-2025-30007 🛡️

🔗 Vembu BDRSuite <= 7.5.0.1 is affected by an unauthenticated stored XSS in serverbackupprogress.sgp via the ClientName and BackupName parameters.

CVE-2025-30008 🛡️

🔗 Vembu BDRSuite <= 7.5.0.1 contains an unauthenticated stored XSS in restoreprogress.sgp through multiple unsanitized URL parameters.

🗓️ CVEs from 2024

CVE-2024-22899 🛡️

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

CVE-2024-22900 🛡️

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.

CVE-2024-22901 🛡️

🔗 Vinchin Backup & Recovery v7.2 was discovered to use default MySQL credentials.

CVE-2024-22902 🛡️

🔗 Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.

CVE-2024-22903 🛡️

🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.

CVE-2024-25228 🛡️

🔗 Vinchin Backup and Recovery 7.2 and earlier is vulnerable to authenticated remote code execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.

CVE-2024-30920 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the render-document.php component.

CVE-2024-30921 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the photo.php component.

CVE-2024-30922 🛡️

🔗 SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the WHERE clause in Award Document Rendering.

CVE-2024-30923 🛡️

🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the WHERE clause in Racer Document Rendering.

CVE-2024-30924 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component.

CVE-2024-30925 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the photo-thumbs.php component.

CVE-2024-30926 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the ./inc/kiosks.inc component.

CVE-2024-30927 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the racer-results.php component.

CVE-2024-30928 🛡️

🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via the 'classids' parameter in ajax/query.slide.next.inc.

CVE-2024-30929 🛡️

🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the 'back' parameter in playlist.php.

CVE-2024-31818 🛡️

🔗 Directory Traversal vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component.

CVE-2024-31819 🛡️

🔗 An issue in WWBN AVideo v12.4 through v14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.

CVE-2024-3032 🛡️

🔗 Themify Builder < 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

CVE-2024-35373 🛡️

🔗 Mocodo Online 4.2.6 and below is vulnerable to remote code execution via /web/rewrite.php.

CVE-2024-35374 🛡️

🔗 Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, leading to remote code execution (RCE).

🗓️ CVEs from 2023