Autodesk Fusion 360 <= 2.0.12887 parses SVG files with a vulnerable XML parser, leading to a Blind XML External Entities (XXE).
pfSense <= 2.5.2 allows authenticated users to inject arbitrary sed-specific code, which leads to an Arbitrary File Write, resulting in a Remote Code Execution. The vulnerability is also exploitable through a Cross-Site Request Forgery.
Visual Studio Code Remote Development Extension 1.50 failed to sanitize the host field before using it as an argument of the ssh command, allowing injection of a ProxyCommand option that could be used to run arbitrary commands.
Corero SecureWatch Managed Services 9.7.2.0020 is affected by a Path Traversal vulnerability via the `snap_file` parameter in the `/it-IT/splunkd/__raw/services/get_snapshot` HTTP API endpoint. A low-privileged attacker can read any file on the target host.
Corero SecureWatch Managed Services 9.7.2.0020 does not correctly check the privileges of the swa-monitor and cns-monitor users, allowing a user to perform actions outside their role.
The OAuth flow implemented in Mattermost server v5.32 > v5.36 is affected by a reflected XSS. An unauthenticated attacker might gain access to the victim's session.
A privileged user can obtain remote code execution on Q'center through a manipulated QPKG installation package.
An unauthenticated attacker can inject JavaScript code on the Q'center Virtual Appliance event log page.
QNAP MusicStation and MalwareRemover pre-installed official apps are affected by an arbitrary file upload and a command injection, leading to pre-auth remote root command execution.
The unprivileged user portal part of CentOS Web Panel is affected by SQL Injection and Command Injection vulnerabilities, leading to root Remote Code Execution.