HTTP Protocol Stack Remote Code Execution Vulnerability

Server-Side Request Forgery (SSRF) in kubeflow/kubeflow

Cross-site scripting (XSS) vulnerability in products/classified/headersearch.php in 2daybiz Online Classified Script allows remote attackers to inject arbitrary web script or HTML via the sid parameter.

HAMweather 2.x allows remote attackers to modify administrative settings and obtain sensitive information via a direct request to hwadmin.cgi.

An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account.

Cross-site scripting (XSS) vulnerability in default.asp in ClickTech Clickcart 6.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter.

openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.

Improper access control vulnerability in ProfileSharingAccount in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device.

Memory corruption in Core when updating rollback version for TA and OTA feature is enabled.

Cross-site scripting (XSS) vulnerability in login.php in Utopia News Pro 1.4.0 allows remote attackers to inject arbitrary web script or HTML via the password parameter.

Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE.

Geutebruck IP Cameras G-Code(EEC-2xxx), G-Cam(EBC-21xx/EFD-22xx/ETHC-22xx/EWPC-22xx): All versions 1.12.0.25 and prior may allow a remote authenticated user, using a specially crafted URL command, to execute commands as root.

Cross-site request forgery (CSRF) vulnerability in the RESTful Web Services (restws) module 7.x-1.x before 7.x-1.2 and 7.x-2.x before 7.x-2.0-alpha4 for Drupal allows remote attackers to hijack the authentication of arbitrary users via unknown vectors.

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9640, SDM630, MSM8976, MSM8937, SDM845, MSM8976, and MSM8952, when running module or kernel code with improper access control allowing writing to arbitrary regions of memory, the user may utilize this vector to alter module executable code.

Heap-based buffer overflow in Tracker Software PDF-XChange before 2.5.208 allows remote attackers to execute arbitrary code via a crafted Define Huffman Table header in a JPEG image file stream in a PDF file.

An issue was discovered in DouCo DouPHP 1.5 20181221. admin/nav.php?rec=update has XSS via the nav_name parameter.

The CPDF_DIBSource::CreateDecoder function in core/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp in PDFium, as used in Google Chrome before 51.0.2704.63, mishandles decoder-initialization failure, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document.

Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptible to a vulnerability which could allow an attacker to discover node names via AutoSupport bundles even when the –remove-private-data parameter is set to true.

An issue in Open5GS v.2.7.0 allows an attacker to cause a denial of service via the 64 unsuccessful UE/gnb registration

Unrestricted Upload of File with Dangerous Type vulnerability in Michael Bourne Custom Icons for Elementor allows Upload a Web Shell to a Web Server.This issue affects Custom Icons for Elementor: from n/a through 0.3.3.