For providers

Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the...

Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the...

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Cross-process screen stack vulnerability in the UIExtension module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Concurrent variable access vulnerability in the ability module Impact: Successful exploitation of this vulnerability may affect availability.

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a...

An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web...

An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value...

The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database...

An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter...