Cross-site Scripting (XSS) - Reflected in Packagist microweber/microweber prior to 1.2.11. User can escape the meta tag because the user doesn't escape the double-quote in the $redirectUrl parameter when logging out.
This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro.
8
+
This is a de-serialization vulnerability that causes unauthenticated RCE in XML-RPC of Zoho Manage Engine Password Manager Pro,PAM360andAccessManagerPlus(Authenticated).
name: Wapples Web Application Firewall - Hardcoded credentials
5
+
author: For3stCo1d
6
+
severity: critical
7
+
description: |
8
+
WAPPLES through 6.0 has a hardcoded systemi account accessible via db/wp.no1 (as configured in the /opt/penta/wapples/script/wcc_auto_scaling.py file). A threat actor could use this account to access the system configuration and confidential information (such as SSL keys) via an HTTPS request to the /webapi/ URI on port 443 or 5001.
name: 3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
5
+
author: SecTheBit
6
+
severity: high
7
+
description: |
8
+
The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.