Total CVEs: 30 🛡️
🔗 MagnusBilling 7.3.0 and lower is vulnerable to an unauthenticated stored XSS via the login logs feature. Malicious input submitted as a username during login is stored and later executed in the admin context.
🔗 MagnusBilling 7.3.0 and lower contains a stored XSS vulnerability in the Alarm module. Unsanitized message fields can lead to arbitrary JavaScript execution when viewed by an administrator.
🔗 Xorcom CompletePBX <= 5.2.35 is vulnerable to authenticated file disclosure, allowing access to sensitive files through crafted requests.
🔗 Xorcom CompletePBX <= 5.2.35 contains an authenticated command injection vulnerability, leading to remote code execution via system commands.
🔗 Xorcom CompletePBX <= 5.2.35 is affected by a path traversal vulnerability allowing authenticated file deletion and access to arbitrary paths.
🔗 Xorcom CompletePBX 5.2.35 is vulnerable to an authenticated reflected XSS, allowing JavaScript injection via crafted input.
🔗 Vembu BDRSuite <= 7.5.0.1 is affected by an unauthenticated stored XSS in serverbackupprogress.sgp via the ClientName and BackupName parameters.
🔗 Vembu BDRSuite <= 7.5.0.1 contains an unauthenticated stored XSS in restoreprogress.sgp through multiple unsanitized URL parameters.
🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.
🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.
🔗 Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials.
🔗 Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.
🔗 Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.
🔗 Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the render-document.php component.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the photo.php component.
🔗 SQL Injection vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the where Clause in Award Document Rendering.
🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the where Clause in Racer Document Rendering.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the checkin.php component.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the photo-thumbs.php component.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the ./inc/kiosks.inc component.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the racer-results.php component.
🔗 SQL Injection vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary SQL commands via 'classids' Parameter in ajax/query.slide.next.inc.
🔗 Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows attackers to execute arbitrary code via the 'back' Parameter in playlist.php.
🔗 Directory Traversal vulnerability in DerbyNet v9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component.
🔗 An issue in WWBN AVideo v12.4 through v14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component.
🔗 Themify Builder < 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
🔗 Mocodo Online 4.2.6 and below is vulnerable to Remote Code Execution via /web/rewrite.php.
🔗 Mocodo Online 4.2.6 and below does not properly sanitize the sql_case input field in /web/generate.php, leading to remote code execution (RCE).
🔗 MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters.