#php

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

An emerging Python-based credential harvester and a hacking tool named Legion are being marketed via Telegram as a way for threat actors to break into various online services for further exploitation. Legion, according to Cado Labs, includes modules to enumerate vulnerable SMTP servers, conduct remote code execution (RCE) attacks, exploit unpatched versions of Apache, and brute-force cPanel and

Sielco PolyEco Digital FM Transmitter version 2.0.6 uses a weak set of default administrative credentials that can be easily guessed in remote password attacks to gain full control of the system.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from a cookie brute forcing vulnerability that can allow for session hijacking.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from authentication bypass, account takeover / lockout, and privilege escalation vulnerabilities that can be triggered by directly calling the user object and modifying the password of the two constants user/role (user/admin). This can be exploited by an unauthenticated adversary by issuing a single POST request to the vulnerable endpoint and gain unauthorized access to the affected device with administrative privileges.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this issue via a specially crafted request to gain access to sensitive information.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from a radio data system POST manipulation vulnerability.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from an authorization bypass vulnerability.

Sielco PolyEco Digital FM Transmitter version 2.0.6 suffers from an authentication bypass vulnerability.

Sielco Radio Link version 2.06 suffers from a remote privilege escalation vulnerability.