An issue was discovered in Weblib Ucopia before 6.0.13. OS Command Injection injection can occur, related to chroot.

Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.1-rc4 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.1-rc4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

The password reset function in ILIAS 7.0_beta1 through 7.20 and 8.0_beta1 through 8.1 allows remote attackers to take over the account.

STW (aka Sensor-Technik Wiedemann) TCG-4 Connectivity Module DeploymentPackage_v3.03r0-Impala and DeploymentPackage_v3.04r2-Jellyfish and TCG-4lite Connectivity Module DeploymentPackage_v3.04r2-Jellyfish allow an attacker to gain full remote access with root privileges without the need for authentication, giving an attacker arbitrary remote code execution over LTE / 4G network via SMS.

D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnerability, which originates from the URL field in SetParentsControlInfo.

An OS command injection vulnerability in D-Link DIR-823G firmware version 1.02B05 allows unauthorized attackers to execute arbitrary operating system commands via a crafted GET request to EXCU_SHELL.

D-Link DIR-823G firmware version 1.02B05 has a buffer overflow vulnerability, which originates from the HostName field in SetParentsControlInfo.

An unauthorized command injection vulnerability exists in the ActionLogin function of the webman.lua file in Ikuai router OS through 3.7.1.

Play With Docker < 0.0.2 has an insecure CAP_SYS_ADMIN privileged mode causing the docker container to escape.

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response.

A vulnerability was found in SourceCodester Shopping Website 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file forgot-password.php. The manipulation of the argument contact leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232675.

A vulnerability was found in SourceCodester Shopping Website 1.0. It has been classified as critical. Affected is an unknown function of the file index.php. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-232674 is the identifier assigned to this vulnerability.

Property Cloud Platform Management Center 1.0 is vulnerable to error-based SQL injection.

itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection.

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

Chemex through 3.7.1 is vulnerable to arbitrary file upload.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1.

** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. 

D-Link DSL-224 firmware version 3.0.10 CWE-307: Improper Restriction of Excessive Authentication Attempts

D-Link DSL-G256DG version vBZ_1.00.27 web management interface allows authentication bypass via an unspecified method.