Command injection in Totolik NR1800X firmware allows authenticated remote attackers to execute arbitrary commands through the Hostname parameter in the setWanCfg POST handler. Public exploit code exists for this vulnerability, creating elevated risk despite no patch availability. Affected devices can be compromised to gain full system control with network access and valid credentials.
Totolik NR1800X firmware versions up to 9.1.0u.6279_B20210910 contain a command injection vulnerability in the setTracerouteCfg function that allows authenticated remote attackers to execute arbitrary commands via malicious POST requests. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can leverage this to achieve remote code execution on affected network devices.
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4. [CVSS 8.1 HIGH]
Mikado-Themes Dolcino dolcino is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Justicia justicia is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Roam through version 2.1.1 contains an authorization bypass vulnerability where attackers with valid user credentials can manipulate access control mechanisms to gain unauthorized access to sensitive functionality. This authentication-required vulnerability allows authenticated users to circumvent properly configured security levels through user-controlled parameters. No patch is currently available for this issue.
Mikado-Themes Overton overton is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Innovio innovio is affected by authorization bypass through user-controlled key (CVSS 5.4).
Gitea may send release notification emails for private repositories to users whose access has been revoked. [CVSS 3.5 LOW]
Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. [CVSS 3.5 LOW]
Denial-of-service in jsdiff versions prior to 8.0.3, 5.2.2, 4.0.4, and 3.5.1 allows unauthenticated remote attackers to crash applications by providing maliciously crafted patches with line break characters in filename headers, triggering an infinite loop that exhausts system memory. Applications calling parsePatch with user-supplied input are vulnerable regardless of input size restrictions. A patch is available for all affected versions.