Latest CVE Feed
Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns …
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() metho…
MajorDoMo (aka Major Domestic Module) contains an unauthenticated SQL injection vulnerability in the commands module. The commands_search.inc.php file directly interpolates the $_GET['parent'] parame…
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenti…
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability via the /objects/?op=set endpoint, which is intentionally unauthenticated for IoT device integration. …
MajorDoMo (aka Major Domestic Module) contains a reflected cross-site scripting (XSS) vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via…
MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double q…
MajorDoMo (aka Major Domestic Module) allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to conti…
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the Edit Invoices functions of InvoiceP…
InvoicePlane is a self-hosted open source application for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) vulnerability occurs in the upload Invoice Logo functions of In…
Bematech (formerly Logic Controls, now Elgin) MP-4200 TH printer contains a denial of service vulnerability in the admin configuration page. Remote attackers can send crafted POST requests with malfo…
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters inc…
IPFire 2.21 Core Update 127 contains multiple stored cross-site scripting vulnerabilities in the extrahd.cgi script that allow attackers to inject malicious scripts through the FS, PATH, and UUID par…
IPFire 2.21 Core Update 127 contains multiple cross-site scripting vulnerabilities in the ovpnmain.cgi script that allow attackers to inject malicious scripts through VPN configuration parameters. At…
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. A…
IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attacker…
ChaosPro 2.0 contains a buffer overflow vulnerability in the configuration file path handling that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attacker…
MailCarrier 2.51 contains a buffer overflow vulnerability in the POP3 USER command that allows remote attackers to execute arbitrary code. Attackers can send a crafted oversized buffer to the POP3 se…
WMV to AVI MPEG DVD WMV Convertor 4.6.1217 contains a buffer overflow vulnerability that allows attackers to crash the application by providing an oversized license input. Attackers can generate a 60…
WMV to AVI MPEG DVD WMV Convertor 4.6.1217 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the license name and license code fields. Attackers …