Remote Code Execution

Remote Code Execution (RCE) vulnerabilities allow an attacker to execute arbitrary code on a remote system without authorization. These are among the most severe vulnerabilities as they can lead to complete system compromise.

Total CVEs: 289

Typical Severity: CRITICAL

Category: Execution

Understanding Remote Code Execution

Remote Code Execution vulnerabilities represent the most critical class of security flaws. When exploited, they allow attackers to run arbitrary commands on a target system, often with the same privileges as the vulnerable application.

RCE vulnerabilities commonly arise from unsafe deserialization, command injection, or memory corruption bugs. They're frequently found in web applications, network services, and system utilities.

How to Identify

  • Look for input validation bypasses in file upload functionality
  • Check for unsafe deserialization of user-controlled data
  • Test command execution functions with special characters
  • Review template engines for server-side template injection

Prevention Best Practices

  • Use parameterized queries and prepared statements
  • Implement strict input validation and sanitization
  • Run applications with minimal privileges
  • Keep all software dependencies up to date
  • Use security headers and Content Security Policy

Remote Code Execution CVEs (289)

Description | Vendor / Product | Exploit Status

CVE-2025-59904 | Score: 5.1

This vulnerability allows an attacker to inject malicious scripts that can run automatically whenever users access a specific part of the Kubysoft application. It can be exploited through various input fields, meaning that if an attacker can submit data to the application, they can potentially compromise other users' sessions.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 2 months ago (Feb 16, 2026)

CVE-2025-59903 | Score: 5.1

An attacker can upload a malicious SVG image that contains harmful scripts, which are then stored on the server and executed whenever any user views that image. This vulnerability occurs because the system fails to properly clean or check the SVG files before saving them.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 2 months ago (Feb 16, 2026)

CVE-2026-26367 | Score: 7.1

This vulnerability allows any low-privileged user of the eNet SMART HOME server to delete other user accounts, except for the admin account, simply by sending a specially crafted request. The attacker just needs to be logged in as a regular user, and there are no additional permissions or confirmations required to carry out this action.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 2 months ago (Feb 15, 2026)

CVE-2026-2541 | Score: 6.4

This vulnerability allows an attacker to predict the next valid code used for unlocking a vehicle, potentially granting them unauthorized access. The attacker can exploit this weakness by trying all possible combinations, as the system only has 64 different codes to guess from.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 15, 2026)

CVE-2026-2540 | Score: 8.4

An attacker can gain unauthorized access to a vehicle by exploiting a flaw in the Micca KE700 system that allows them to reuse old security codes. This requires the attacker to capture and send two specific codes in the right order, enabling them to clone the alarm key and control the vehicle's locks.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 15, 2026)

CVE-2026-2539 | Score: 5.7

An attacker can intercept and capture sensitive information from the Micca KE700 car alarm system because it transmits data without encryption. To exploit this vulnerability, the attacker needs access to radio interception tools to listen in on the communication between the alarm system and its components.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 15, 2026)

CVE-2026-1988 | Score: 7.5

This vulnerability allows an attacker with Contributor-level access or higher to include and run any PHP files on the server by manipulating a specific shortcode in their posts. They can exploit this flaw if they can create posts that use the affected shortcode, potentially leading to full control over the website.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 14, 2026)

CVE-2026-1939 | Score: 6.4

This vulnerability allows an attacker with contributor-level access or higher to inject malicious scripts into WordPress pages, which will run when other users visit those pages. It occurs because the plugin does not properly check or clean up the input it receives, making it easier for attackers to exploit.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 14, 2026)

CVE-2025-6792 | Score: 5.3

This vulnerability allows an attacker to access and read private chat messages between users without needing to log in. It affects all versions of the One to One user Chat by WPGuppy plugin up to version 1.1.4, making it easy for anyone to intercept these messages if they know where to look.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 14, 2026)

CVE-2026-26268 | Score: 9.9

An attacker can exploit a flaw in the Cursor code editor to gain control of the system by manipulating Git settings, allowing them to run harmful commands without any user interaction. This vulnerability affects versions prior to 2.5 and can lead to remote code execution when certain Git hooks are triggered.

Vendor / Product: anysphere / cursor
Exploit Status: Exploit Available
about 2 months ago (Feb 13, 2026)

CVE-2026-26221 | Score: 10.0

An attacker can exploit a critical vulnerability in Hyland OnBase to send malicious requests that allow them to read or write files on the server, potentially leading to remote code execution. This requires the attacker to have network access to the OnBase Workflow Timer Service, which listens on a specific port.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 13, 2026)

CVE-2025-70095 | Score: 6.5

This vulnerability allows attackers to run malicious scripts on the OpenSourcePOS platform, potentially stealing sensitive information from users or manipulating transactions. It occurs when an attacker can inject harmful code into the item management or sales invoice sections, which requires them to have access to those functions in the application.

Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
about 2 months ago (Feb 13, 2026)

CVE-2025-70094 | Score: 6.5

This vulnerability allows attackers to run malicious scripts on a user's browser by injecting harmful code into the Item Category field when generating barcodes. It requires the attacker to have access to the web interface of OpenSourcePOS, making it important for users to be cautious about input validation and access controls.

Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
about 2 months ago (Feb 13, 2026)

CVE-2025-70093 | Score: 7.4

This vulnerability allows attackers to run any code they want on the OpenSourcePOS system by sending a specially crafted response through AJAX. It requires the attacker to have access to the system's web interface, making it a serious risk if proper security measures are not in place.

Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
about 2 months ago (Feb 13, 2026)

CVE-2025-70091 | Score: 6.5

This vulnerability allows attackers to run malicious scripts in a user's browser by injecting harmful code into the Phone Number field in the Customers function of OpenSourcePOS v3.4.1. It requires the attacker to trick a user into visiting a page where this code is executed, potentially leading to data theft or session hijacking.

Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
about 2 months ago (Feb 13, 2026)

CVE-2026-26056 | Score: 8.8

An attacker can execute malicious code on the Yoke system, potentially gaining control over Kubernetes resources or escalating their privileges to the highest level. This vulnerability requires the attacker to have permissions to create or update resources in the system.

Vendor / Product: Unknown
Exploit Status: Exploit Available
about 2 months ago (Feb 12, 2026)

CVE-2026-26020 | Score: 9.4

This vulnerability allows an authenticated user to run malicious code on the backend server of the AutoGPT platform, potentially taking full control of the system. It occurs because the platform fails to properly enforce restrictions on a development tool, enabling users to bypass security measures by embedding it in their workflows.

Vendor / Product: agpt / autogpt platform
Exploit Status: Theoretical
about 2 months ago (Feb 12, 2026)

CVE-2026-26005 | Score: 5.0

This vulnerability allows an attacker to send requests to internal servers on a network by tricking the system into thinking they are accessing a video from an external URL. Even regular users can exploit this flaw without needing special permissions, making it possible for them to scan and potentially discover sensitive information about the internal network.

Vendor / Product: oxygenz / clipbucket
Exploit Status: Theoretical
about 2 months ago (Feb 12, 2026)

CVE-2026-25933 | Score: 6.8

An attacker with physical access to a modified Arduino board can exploit a flaw in the Arduino App Lab to inject malicious commands that run on the user's computer, potentially allowing them to take control of the system. This requires the attacker to tamper with the board beforehand and connect it to the app.

Vendor / Product: Unknown
Exploit Status: Theoretical
about 2 months ago (Feb 12, 2026)

CVE-2026-25922 | Score: 8.8

An attacker can inject a harmful authentication message into the authentik identity provider, potentially allowing them to impersonate a legitimate user. This can happen if the system is configured to verify the signature of the assertion but not the response, or if it lacks proper encryption settings.

Vendor / Product: goauthentik / authentik
Exploit Status: Theoretical
about 2 months ago (Feb 12, 2026)

Showing 221 to 240 of 289 results