The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-19734 | _account_move_file_in_folder.ajax.php in MFScripts YetiShare 3.5.2 directly inserts values from the fileIds parameter into a SQL string. This allows an attacker to inject their own SQL and manipulate the query, typically extracting data from the database, aka SQL Injection. | MEDIUM | Jan 7, 2020 | n/a |
| CVE-2019-19805 | _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 takes a different amount of time to return depending on whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses. | MEDIUM | Jan 8, 2020 | n/a |
| CVE-2019-19806 | _account_forgot_password.ajax.php in MFScripts YetiShare 3.5.2 through 4.5.3 displays a message indicating whether an email address is configured for the account name provided. This can be used by an attacker to enumerate accounts by guessing email addresses. | MEDIUM | Jan 7, 2020 | n/a |
| CVE-2022-40069 | ]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime. | -- | Sep 21, 2022 | n/a |
| CVE-2022-22148 | \'Root Service\' service implemented in the following Yokogawa Electric products creates some named pipe with improper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00. | MEDIUM | Mar 11, 2022 | n/a |
| CVE-2022-20238 | \'remap_pfn_range\' here may map out of size kernel memory (for example, may map the kernel area), and because the \'vma->vm_page_prot\' can also be controlled by userspace, so userspace may map the kernel area to be writable, which is easy to be exploitedProduct: AndroidVersions: Android SoCAndroid ID: A-233154555 | HIGH | Jul 14, 2022 | n/a |
| CVE-2022-29482 | \'Mobaoku-Auction&Flea Market\' App for iOS versions prior to 5.5.16 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. | MEDIUM | Jun 14, 2022 | n/a |
| CVE-2022-22141 | \'Long-term Data Archive Package\' service implemented in the following Yokogawa Electric products creates some named pipe with imporper ACL configuration. CENTUM CS 3000 versions from R3.08.10 to R3.09.00, CENTUM VP versions from R4.01.00 to R4.03.00, from R5.01.00 to R5.04.20, and from R6.01.00 to R6.08.00, Exaopc versions from R3.72.00 to R3.79.00. | MEDIUM | Mar 11, 2022 | n/a |
| CVE-2022-34156 | \'Hulu / ????\' App for iOS versions prior to 3.0.81 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack. | -- | Aug 17, 2022 | n/a |
| CVE-2022-35734 | \'Hulu / ????\' App for Android from version 3.0.47 to the version prior to 3.1.2 uses a hard-coded API key for an external service. By exploiting this vulnerability, API key for an external service may be obtained by analyzing data in the app. | -- | Aug 17, 2022 | n/a |
| CVE-2018-11077 | \'getlogs\' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege. | HIGH | Nov 26, 2018 | n/a |
| CVE-2018-4445 | \"Clear History and Website Data\" did not clear the history. The issue was addressed with improved data deletion. This issue affected versions prior to iOS 12.1.1, Safari 12.0.2. | MEDIUM | Apr 5, 2019 | n/a |
| CVE-2023-1370 | [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software. | -- | Mar 22, 2023 | n/a |
| CVE-2017-1000120 | [ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in frappe.share.get_users allows remote authenticated users to execute arbitrary SQL commands via the fields parameter. | MEDIUM | Oct 4, 2017 | n/a |
| CVE-2020-5616 | [Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] free edition ver1.0.0, [Gallery01] free edition ver1.0.3 and earlier, [CalendarForm01] free edition ver1.0.3 and earlier, and [Link01] free edition ver1.0.0 allows remote attackers to bypass authentication and log in to the product with administrative privileges via unspecified vectors. | HIGH | Aug 6, 2020 | n/a |
| CVE-2022-23881 | ZZZCMS zzzphp v2.1.0 was discovered to contain a remote command execution (RCE) vulnerability via danger_key() at zzz_template.php. | HIGH | Mar 24, 2022 | n/a |
| CVE-2019-16722 | ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses an str_ireplace operation. | HIGH | Sep 23, 2019 | n/a |
| CVE-2019-16720 | ZZZCMS zzzphp v1.7.2 does not properly restrict file upload in plugins/ueditor/php/controller.php?upfolder=news&action=catchimage, as demonstrated by uploading a .htaccess or .php5 file. | MEDIUM | Sep 23, 2019 | n/a |
| CVE-2019-10647 | ZZZCMS zzzphp v1.6.3 allows remote attackers to execute arbitrary PHP code via a .php URL in the plugins/ueditor/php/controller.php?action=catchimage source[] parameter because of a lack of inc/zzz_file.php restrictions. For example, source%5B%5D=http%3A%2F%2F192.168.0.1%2Ftest.php can be used if the 192.168.0.1 web server sends the contents of a .php file (i.e., it does not interpret a .php file). | HIGH | Apr 1, 2019 | n/a |
| CVE-2021-32605 | zzzcms zzzphp before 2.0.4 allows remote attackers to execute arbitrary OS commands by placing them in the keys parameter of a ?location=search URI, as demonstrated by an OS command within an if end if block. | HIGH | May 11, 2021 | n/a |
| CVE-2019-1010151 | zzcms zzmcms 8.3 and earlier is affected by: File Delete to getshell. The impact is: getshell. The component is: /user/ppsave.php. | HIGH | Jul 29, 2019 | n/a |
| CVE-2019-1010148 | zzcms version 8.3 and earlier is affected by: SQL Injection. The impact is: zzcms File Delete to Code Execution. | HIGH | Jul 24, 2019 | n/a |
| CVE-2019-1010149 | zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php. | HIGH | Jul 26, 2019 | n/a |
| CVE-2018-1000653 | zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx. | HIGH | Aug 20, 2018 | n/a |
| CVE-2018-17415 | zzcms V8.3 has a SQL injection in /user/zs_elite.php via the id parameter. | MEDIUM | Mar 22, 2019 | n/a |
| CVE-2018-17414 | zzcms v8.3 has a SQL injection in /user/jobmanage.php via the bigclass parameter. | MEDIUM | Mar 22, 2019 | n/a |
| CVE-2018-17412 | zzcms v8.3 contains a SQL Injection vulnerability in /user/logincheck.php via an X-Forwarded-For HTTP header. | HIGH | Mar 22, 2019 | n/a |
| CVE-2018-14962 | zzcms 8.3 has stored XSS related to the content variable in user/manage.php and zt/show.php. | LOW | Aug 6, 2018 | n/a |
| CVE-2018-14963 | zzcms 8.3 has CSRF via the admin/adminadd.php?action=add URI. | MEDIUM | Aug 6, 2018 | n/a |
| CVE-2018-17136 | zzcms 8.3 contains a SQL Injection vulnerability in /user/check.php via a Client-Ip HTTP header. | HIGH | Sep 17, 2018 | n/a |
| CVE-2019-1010153 | zzcms 8.3 and earlier is affected by: SQL Injection. The impact is: sql inject. The component is: zs/subzs.php. | HIGH | Jul 24, 2019 | n/a |
| CVE-2019-1010152 | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php line 31-80. | HIGH | Jul 24, 2019 | n/a |
| CVE-2019-1010150 | zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php. | HIGH | Jul 26, 2019 | n/a |
| CVE-2018-7434 | zzcms 8.2 allows remote attackers to discover the full path via a direct request to 3/qq_connect2.0/API/class/ErrorCase.class.php or 3/ucenter_api/code/friend.php. | MEDIUM | Feb 23, 2018 | n/a |
| CVE-2022-40447 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php. | -- | Sep 22, 2022 | n/a |
| CVE-2022-40446 | ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=. | -- | Sep 23, 2022 | n/a |
| CVE-2022-40444 | ZZCMS 2022 was discovered to contain a full path disclosure vulnerability via the page /admin/index.PHP? _server. | -- | Sep 23, 2022 | n/a |
| CVE-2020-23426 | zzcms 201910 contains an access control vulnerability through escalation of privileges in /user/adv.php, which allows an attacker to modify data for further attacks such as CSRF. | HIGH | Apr 8, 2021 | n/a |
| CVE-2019-9078 | zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter because inc/stopsqlin.php does not block a mixed-case string such as sCrIpT. | LOW | Mar 20, 2019 | n/a |
| CVE-2022-24644 | ZZ Inc. KeyMouse Windows 3.08 and prior is affected by a remote code execution vulnerability during an unauthenticated update. To exploit this vulnerability, a user must trigger an update of an affected installation of KeyMouse. | MEDIUM | Mar 10, 2022 | n/a |
| CVE-2018-9129 | ZyXEL ZyWALL/USG series devices have a Bleichenbacher vulnerability in their Internet Key Exchange (IKE) handshake implementation used for IPsec based VPN connections. | MEDIUM | Aug 15, 2018 | n/a |
| CVE-2017-17550 | ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a CSRF vulnerability via a cgi-bin/zysh-cgi cmd action to add a user account. This account\'s access could, for example, subsequently be used for stored XSS. | MEDIUM | Nov 10, 2018 | n/a |
| CVE-2021-46387 | ZyXEL ZyWALL 2 Plus Internet Security Appliance is affected by Cross Site Scripting (XSS). Insecure URI handling leads to bypass security restriction to achieve Cross Site Scripting, which allows an attacker able to execute arbitrary JavaScript codes to perform multiple attacks such as clipboard hijacking and session hijacking. | MEDIUM | Mar 2, 2022 | n/a |
| CVE-2017-7964 | Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process. | HIGH | Apr 19, 2017 | n/a |
| CVE-2020-24354 | Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by shell injection. | MEDIUM | Sep 4, 2020 | n/a |
| CVE-2020-24355 | Zyxel VMG5313-B30B router on firmware 5.13(ABCJ.6)b3_1127, and possibly older versions of firmware are affected by insecure permissions which allows regular and other users to create new users with elevated privileges. This is done by changing FirstIndex field in JSON that is POST-ed during account creation. Similar may also be possible with account deletion. | HIGH | Sep 2, 2020 | n/a |
| CVE-2019-7391 | ZyXEL VMG3312-B10B DSL-491HNU-B1B v2 devices allow login/login-page.cgi CSRF. | MEDIUM | Mar 25, 2019 | n/a |
| CVE-2018-18754 | ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the tTn3+Z@!Sr0O+ password hash in the etc/default.cfg file. | MEDIUM | Oct 29, 2018 | n/a |
| CVE-2018-15602 | Zyxel VMG3312 B10B devices are affected by a persistent XSS vulnerability via the pages/connectionStatus/connectionStatus-hostEntry.cmd hostname parameter. | MEDIUM | Aug 26, 2018 | n/a |
| CVE-2018-19326 | Zyxel VMG1312-B10D devices before 5.13(AAXA.8)C0 allow ../ Directory Traversal, as demonstrated by reading /etc/passwd. | MEDIUM | Nov 17, 2018 | n/a |
