Strike Database
Important Information
On August 12th, 2022, many of Keysight’s Network Test, Network Visibility, & Edge to Core (NAS/formerly Ixia) products will migrate to a new license structure.
CRITICAL: If you perform licensing operations after August 12th, 2022, without upgrading the licensing software to the latest version, licenses may not register properly, and some features may be missing. This could impact testing and result in downtime.
For details, click here.
Displaying 1 - 20 of 59925
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
An OS command injection vulnerability exists in Ruckus IoT Controller 1.5.1.0.21 and prior due to lack of user input validation. The vulnerability exists in the '/service/v1/createUser' endpoint which is in charge of new users creation. By sending a crafted HTTP POST data, a remote authenticated attacker may execute arbitrary OS commands as the root user.
CVSS: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
An arbitrary file overwrite vulnerability has been identified in Advantech WebAccess NMS. The vulnerability is caused by the lack of proper input sanitisation on file paths within saveBackground servlet. The vulnerability can be exploited by sending a specially-crafted request, allowing the attacker to delete arbitrary files.
CVSS: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
An authorization bypass vulnerability exists in Citrix Application Delivery Controller (ADC) and Gateway. This vulnerability can be triggered by calling the function report() in the PHP pcidss.php script. The flaw may be exploited by an unauthenticated attacker to access certain protected URL endpoints.
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
This strike exploits a buffer overflow vulnerability in the Belkin Wemo Smart Plug. Specifically a stack buffer overflow occurs inside the WemoApp libUPnPHndlr.so library. When an attacker sends a UPnP packet with a specially crafted EnergyPerUnitCostVersion field a crash may occur. It is possible to execute code remotely on the compromised device as the root user, and because the device uses UPnP it...
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
An authentication bypass vulnerability exists in Ruckus IoT Controller 1.5.1.0.21 and prior. The vulnerability exists due to a hardcoded token used when the 'Authorization' HTTP header has a specific value. By sending a crafted HTTP request, a remote attacker may obtain unauthorized access to the device.
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits an SQL injection vulnerability in Artica Web Proxy. This vulnerability is due to improper validation of the apikey parameter of the fw.login.php page. An attacker can send a crafted HTTP request with SQL commands in the vulnerable parameter allowing remote code execution to occur.
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
This strike exploits a remote code execution vulnerability in Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). The vulnerability is due to improper sanitization of user-supplied data sent via HTTP. A remote, unauthenticated attacker could exploit this by sending a maliciously crafted request to the server. A successful attack may result in arbitrary command execution...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits a vulnerability in Atlassian Crowd and Crowd Data Center due to the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permit remote code execution on systems running a vulnerable version of...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits a OS Command Injection vulnerability in the rConfig server. The vulnerability is in the 'nodeId' parameter in the 'search.crud.php' module, due to failure to properly sanitize the user-supplied input. A remote, authenticated attacker can create a malicious HTTP request resulting in arbitrary command execution on the target system with the privileges of the...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits a privilege escalation vulnerability in Kubernetes API. When an HTTP upgrade request is sent to an API service registered to an Aggregated API Server, or an HTTP upgrade request is sent to a Pod exec, attach, or port-forward resource the tryUpgrade function starts a proxy between the user and kubelet without verifying whether the upgrade request was successful. This results in a...
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits a SQL Injection vulnerability in the rConfig server. The vulnerability is caused by insufficient validation of the 'searchField' and 'searchColumn' parameter in the 'commands.inc.php' module. Successful exploitation could allow an attacker to execute SQL command on the target server.
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits a remote code execution vulnerability found in Apache Struts2 Framework. The vulnerability is due to the lack of input validation leading to a forced double Object Graph Navigation Library (OGNL) evaluation for raw user input. The vulnerability can be exploited by crafting a malicious HTTP POST request. Successful exploitation may result in executing arbitrarily code within the...
CVSS: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
This strike exploits a vulnerability inside D-Link Wireless N Unified Service Routers (DSR-250N) 3.12 that can cause a denial of service attack. The device which allows unauthenticated attackers in the same local network to execute a CGI script which reboots the device. The attack can be triggered without authentication.
CVSS: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
This strike exploits a reflected cross-site scripting vulnerability in KingComposer plugin through 2.9.4 for WordPress. The vulnerability takes advantage of kc-online-preset-data parameter to send base64 encoded Javascript. A remote, unauthenticated attacker can exploit this vulnerability by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset....
CVSS: 9.8 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
This strike exploits a vulnerability in Google Chrome. Specifically, a Use-After-Free condition occurs when the MediaElementEventListener::UpdateSources function is invoked in a specific manner. When this happens a denial of service condition, or potentially remote code execution, may occur.
CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
This strike exploits the vulnerability known as 'Zerologon'. This privilege escalation vulnerability is due to the insecure usage of AES-CFB8 encryption for Netlogon sessions in Microsoft Netlogon Remote Protocol (MS-NRPC). This is the SMB version of the ZeroLogon. A remote (same LAN) unauthenticated attacker can exploit this vulnerability to impersonate the identity of any machine on a...
CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
This strike exploits an information disclosure vulnerability in Kubernetes Dashboard. The vulnerability allows unauthorized access to the kubernetes-dashboard-certs secret object. When an HTTP GET request is sent to /api/v1/secret/kube-system/kubernetes-dashboard-certs, access to the kubernetes-dashboard-certs object is not restricted and the server responds with the TLS certificate and private key...
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a lack of input sanitization for injection or invalid characters in the timezone parameter. When an attacker sends an HTTP POST request to the "/emi/api/changetimezone" URI, command execution can occur.
CVSS: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
This strike exploits a command injection vulnerability in IBM Spectrum Protect Plus. The vulnerability is due to a lack of input sanitization for injection or invalid characters in the filename parameter. When an attacker sends an HTTP POST request to the "/emi/api/uploadhttpscertificate" URI, command execution can occur.
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This strike exploits an insecure deserialization vulnerability in Oracle Coherence library, which is used in popular products such as Oracle WebLogic Server. The vulnerability is a result of insufficient validation of T3 requests in the UniversalExtractor class. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to a vulnerable server. Successful...
