ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK stores fragile information under the web root with insufficient access control, which allows remote attackers to read backup files via a direct request for rom-0. (CVSS:5.0) (Concluding Update:2020-02-28)
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php. (CVSS:6.8) (Closing Update:2020-02-28)
D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password. (CVSS:9.0) (Closing Update:2020-03-05)
A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 owed to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code (CVSS:7.5) (Concluding Update:2020-02-19)
A Privilege Escalation Vulnerability exists in Free Reprintables ArticleFR 11.06.2014 due to insufficient accession restrictions in the data.php script, which could let a remote malicious user obtain admittance or modify or delete database information. (CVSS:7.5) (Concluding Update:2020-02-19)
A Cross-Site Scripting (XSS) Vulnerability exists in OTRS ITSM prior to 3.2.4, 3.1.8, and 3.0.7 and FAQ prior to 2.1.4 and 2.0.8 via changes, workorder items, and FAQ articles, which could let a remote malicious user execute arbitrary code. (CVSS:4.3) (Concluding Update:2020-02-18)
WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability (CVSS:7.5) (Last Update:2020-02-14)
The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636. (CVSS:6.8) (Terminal Update:2020-02-19)
ZPanel through 10.1.0 has Remote Command Execution (CVSS:9.3) (Terminal Update:2020-02-24)
An Authentication Bypass vulnerability exists in the MatchPasswordData function in DBEngine.dll in Filemaker Pro 13.03 and Filemaker Pro Advanced 12.04, which could let a malicious user obtain elevated privileges. (CVSS:4.6) (Closing Update:2020-02-13)