| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-41110 | Cri | 0.00 | 9.1 | 0.03 | Oct 1, 2021 | cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no… | ||
| CVE-2020-20797 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php. | ||
| CVE-2020-20796 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter. | ||
| CVE-2021-33583 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file. | ||
| CVE-2021-41288 | Cri | 0.70 | 9.8 | 0.80 | Sep 30, 2021 | Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. | ||
| CVE-2021-20578 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199282. | ||
| CVE-2021-41729 | Cri | 0.59 | 9.1 | 0.01 | Sep 30, 2021 | BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php. | ||
| CVE-2021-41301 | Cri | 0.64 | 9.8 | 0.02 | Sep 30, 2021 | ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass,… | ||
| CVE-2021-41300 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality. | ||
| CVE-2021-41299 | Cri | 0.64 | 9.8 | 0.02 | Sep 30, 2021 | ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in. | ||
| CVE-2021-41296 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system. | ||
| CVE-2021-41294 | Cri | 0.59 | 9.1 | 0.01 | Sep 30, 2021 | ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario. | ||
| CVE-2021-41292 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate… | ||
| CVE-2021-41290 | Cri | 0.64 | 9.8 | 0.02 | Sep 30, 2021 | ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected… | ||
| CVE-2021-41616 | — | Cri | 0.64 | 9.8 | 0.03 | Sep 30, 2021 | Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used… | |
| CVE-2020-18685 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs. | ||
| CVE-2020-18684 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number. | ||
| CVE-2020-18683 | Cri | 0.64 | 9.8 | 0.01 | Sep 30, 2021 | Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling. | ||
| CVE-2021-35943 | Cri | 0.64 | 9.8 | 0.01 | Sep 29, 2021 | Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513. | ||
| CVE-2020-12030 | Cri | 0.65 | 10.0 | 0.01 | Sep 29, 2021 | There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway. | ||
| CVE-2021-36745 | Cri | 0.64 | 9.8 | 0.09 | Sep 29, 2021 | A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected… | ||
| CVE-2021-33924 | Cri | 0.64 | 9.8 | 0.02 | Sep 29, 2021 | Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its auxiliary component that allows remote attackers to access sensitive information. | ||
| CVE-2020-20122 | Cri | 0.64 | 9.8 | 0.01 | Sep 28, 2021 | Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php. | ||
| CVE-2020-20120 | — | Cri | 0.64 | 9.8 | 0.02 | Sep 28, 2021 | ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods. | |
| CVE-2021-38303 | Cri | 0.64 | 9.8 | 0.01 | Sep 28, 2021 | A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360. | ||
| CVE-2021-36366 | Cri | 0.64 | 9.8 | 0.04 | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards. | ||
| CVE-2021-36365 | Cri | 0.64 | 9.8 | 0.04 | Sep 28, 2021 | Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh. | ||
| CVE-2021-36364 | Cri | 0.64 | 9.8 | 0.04 | Sep 28, 2021 | Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards. | ||
| CVE-2021-36363 | Cri | 0.64 | 9.8 | 0.04 | Sep 28, 2021 | Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php. | ||
| CVE-2021-38124 | Cri | 0.64 | 9.8 | 0.02 | Sep 28, 2021 | Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution. | ||
| CVE-2021-37270 | Cri | 0.64 | 9.8 | 0.01 | Sep 27, 2021 | There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority. | ||
| CVE-2021-41097 | Cri | 0.53 | 9.1 | 0.05 | Sep 27, 2021 | aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The… | ||
| CVE-2021-20034 | Cri | 0.69 | 9.1 | 0.81 | Sep 27, 2021 | An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. | ||
| CVE-2021-41558 | Cri | 0.64 | 9.8 | 0.01 | Sep 27, 2021 | The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config. | ||
| CVE-2021-40329 | Cri | 0.64 | 9.8 | 0.01 | Sep 27, 2021 | The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management. | ||
| CVE-2021-37761 | Cri | 0.64 | 9.8 | 0.09 | Sep 27, 2021 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution. | ||
| CVE-2021-36879 | Cri | 0.64 | 9.8 | 0.02 | Sep 27, 2021 | Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration. | ||
| CVE-2021-24666 | Cri | 0.01 | 9.8 | 0.09 | Sep 27, 2021 | The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for… | ||
| CVE-2021-37539 | Cri | 0.71 | 9.8 | 0.93 | Sep 27, 2021 | Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution. | ||
| CVE-2021-36219 | Cri | 0.00 | 9.8 | 0.02 | Sep 27, 2021 | An issue was discovered in SKALE sgxwallet 1.58.3. The provided input for ECALL 14 triggers a branch in trustedEcdsaSign that frees a non-initialized pointer from the stack. An attacker can chain multiple enclave calls to prepare a stack that contains a valid address. This… | ||
| CVE-2021-34416 | Cri | 0.64 | 9.8 | 0.02 | Sep 27, 2021 | The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom… | ||
| CVE-2021-33907 | Cri | 0.64 | 9.8 | 0.03 | Sep 27, 2021 | The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context. | ||
| CVE-2021-40098 | Cri | 0.64 | 9.8 | 0.02 | Sep 27, 2021 | An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression. | ||
| CVE-2021-38299 | — | Cri | 0.57 | 9.8 | 0.02 | Sep 27, 2021 | Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence. | |
| CVE-2021-34351 | Cri | 0.64 | 9.8 | 0.01 | Sep 27, 2021 | A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and… | ||
| CVE-2021-34348 | Cri | 0.64 | 9.8 | 0.01 | Sep 27, 2021 | A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and… | ||
| CVE-2021-22869 | Cri | 0.64 | 9.8 | 0.01 | Sep 24, 2021 | An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one… | ||
| CVE-2021-40102 | Cri | 0.59 | 9.1 | 0.01 | Sep 24, 2021 | An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method). | ||
| CVE-2021-26794 | Cri | 0.64 | 9.8 | 0.02 | Sep 23, 2021 | Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows attacker to execute arbitrary code via crafted php file. | ||
| CVE-2020-4690 | Cri | 0.64 | 9.8 | 0.01 | Sep 23, 2021 | IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 186697. |
- risk 0.00cvss 9.1epss 0.03
cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no…
- risk 0.64cvss 9.8epss 0.01
FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability in /account/register.php.
- risk 0.64cvss 9.8epss 0.01
FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/article.php via the "Id" parameter.
- risk 0.64cvss 9.8epss 0.01
REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa password that is hardcoded in the TCServer.jar file.
- risk 0.70cvss 9.8epss 0.80
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.
- risk 0.64cvss 9.8epss 0.01
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199282.
- risk 0.59cvss 9.1epss 0.01
BaiCloud-cms v2.5.7 is affected by an arbitrary file deletion vulnerability, which allows an attacker to delete arbitrary files on the server through /user/ppsave.php.
- risk 0.64cvss 9.8epss 0.02
ECOA BAS controller is vulnerable to configuration disclosure when direct object reference is made to the specific files using an HTTP GET request. This will enable the unauthenticated attacker to remotely disclose sensitive information and help her in authentication bypass,…
- risk 0.64cvss 9.8epss 0.01
ECOA BAS controller’s special page displays user account and passwords in plain text, thus unauthenticated attackers can access the page and obtain privilege with full functionality.
- risk 0.64cvss 9.8epss 0.02
ECOA BAS controller is vulnerable to hard-coded credentials within its Linux distribution image, thus remote attackers can obtain administrator’s privilege without logging in.
- risk 0.64cvss 9.8epss 0.01
ECOA BAS controller uses weak set of default administrative credentials that can be easily guessed in remote password attacks and gain full control of the system.
- risk 0.59cvss 9.1epss 0.01
ECOA BAS controller suffers from a path traversal vulnerability, causing arbitrary files deletion. Using the specific GET parameter, unauthenticated attackers can remotely delete arbitrary files on the affected device and cause denial of service scenario.
- risk 0.64cvss 9.8epss 0.01
ECOA BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker through cookie poisoning can remotely bypass authentication and disclose sensitive information and circumvent physical access controls in smart homes and buildings and manipulate…
- risk 0.64cvss 9.8epss 0.02
ECOA BAS controller suffers from an arbitrary file write and path traversal vulnerability. Using the POST parameters, unauthenticated attackers can remotely set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected…
- risk 0.64cvss 9.8epss 0.03
Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used…
- risk 0.64cvss 9.8epss 0.01
Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs.
- risk 0.64cvss 9.8epss 0.01
Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number.
- risk 0.64cvss 9.8epss 0.01
Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling.
- risk 0.64cvss 9.8epss 0.01
Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Access Control. Externally managed users are not prevented from using an empty password, per RFC4513.
- risk 0.65cvss 10.0epss 0.01
There is a flaw in the code used to configure the internal gateway firewall when the gateway's VLAN feature is enabled. If a user enables the VLAN setting, the internal gateway firewall becomes disabled resulting in exposure of all ports used by the gateway.
- risk 0.64cvss 9.8epss 0.09
A vulnerability in Trend Micro ServerProtect for Storage 6.0, ServerProtect for EMC Celerra 5.8, ServerProtect for Network Appliance Filers 5.8, and ServerProtect for Microsoft Windows / Novell Netware 5.8 could allow a remote attacker to bypass authentication on affected…
- risk 0.64cvss 9.8epss 0.02
Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its auxiliary component that allows remote attackers to access sensitive information.
- risk 0.64cvss 9.8epss 0.01
Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.
- risk 0.64cvss 9.8epss 0.02
ThinkPHP v3.2.3 and below contains a SQL injection vulnerability which is triggered when the array is not passed to the "where" and "query" methods.
- risk 0.64cvss 9.8epss 0.01
A SQL injection vulnerability exists in Sureline SUREedge Migrator 7.0.7.29360.
- risk 0.64cvss 9.8epss 0.04
Nagios XI before 5.8.5 incorrectly allows manage_services.sh wildcards.
- risk 0.64cvss 9.8epss 0.04
Nagios XI before 5.8.5 has Incorrect Permission Assignment for repairmysql.sh.
- risk 0.64cvss 9.8epss 0.04
Nagios XI before 5.8.5 incorrectly allows backup_xi.sh wildcards.
- risk 0.64cvss 9.8epss 0.04
Nagios XI before 5.8.5 has Incorrect Permission Assignment for migrate.php.
- risk 0.64cvss 9.8epss 0.02
Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution.
- risk 0.64cvss 9.8epss 0.01
There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can use this vulnerability to directly access the specified background path without logging in to the background to obtain the background administrator authority.
- risk 0.53cvss 9.1epss 0.05
aurelia-path is part of the Aurelia platform and contains utilities for path manipulation. There is a prototype pollution vulnerability in aurelia-path before version 1.1.7. The vulnerability exposes Aurelia application that uses `aurelia-path` package to parse a string. The…
- risk 0.69cvss 9.1epss 0.81
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
- risk 0.64cvss 9.8epss 0.01
The set_user extension module before 3.0.0 for PostgreSQL allows ProcessUtility_hook bypass via set_config.
- risk 0.64cvss 9.8epss 0.01
The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.
- risk 0.64cvss 9.8epss 0.09
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
- risk 0.64cvss 9.8epss 0.02
Unauthenticated Privilege Escalation vulnerability in WordPress uListing plugin (versions <= 2.0.5). Possible if WordPress configuration allows user registration.
- risk 0.01cvss 9.8epss 0.09
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for…
- risk 0.71cvss 9.8epss 0.93
Zoho ManageEngine ADManager Plus before 7111 is vulnerable to unrestricted file which leads to Remote code execution.
- risk 0.00cvss 9.8epss 0.02
An issue was discovered in SKALE sgxwallet 1.58.3. The provided input for ECALL 14 triggers a branch in trustedEcdsaSign that frees a non-initialized pointer from the stack. An attacker can chain multiple enclave calls to prepare a stack that contains a valid address. This…
- risk 0.64cvss 9.8epss 0.02
The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom…
- risk 0.64cvss 9.8epss 0.03
The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.
- risk 0.57cvss 9.8epss 0.02
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence.
- risk 0.64cvss 9.8epss 0.01
A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and…
- risk 0.64cvss 9.8epss 0.01
A command injection vulnerability has been reported to affect QNAP device running QVR. If exploited, this vulnerability could allow remote attackers to run arbitrary commands. We have already fixed this vulnerability in the following versions of QVR: QVR 5.1.5 build 20210803 and…
- risk 0.64cvss 9.8epss 0.01
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one…
- risk 0.59cvss 9.1epss 0.01
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
- risk 0.64cvss 9.8epss 0.02
Privilege escalation in 'upload.php' in FrogCMS SentCMS v0.9.5 allows attacker to execute arbitrary code via crafted php file.
- risk 0.64cvss 9.8epss 0.01
IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 186697.