In Selesta Visual Access Manager < 4.42.2, an authenticated user can access the administrative page /common/vam_Sql.php, which allows for arbitrary SQL queries.

In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with network access to a XC-303 PLC can login as root over SSH. The root password is hardcoded in the firmware. NOTE: This vulnerability appears in versions that are no longer supported by Eaton.

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in a GET parameter of /monitor/s_terminal.php.

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Directory Traversal via the Attachment/DownloadTempFile function.

Pat Infinite Solutions HelpdeskAdvanced <= 11.0.33 is vulnerable to Cross Site Scripting (XSS) via the Filter/FilterEditor function.

BigId PrivacyPortal v179 is vulnerable to Cross Site Scripting (XSS) via the "Label" field in the Report template function.

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in multiple POST parameters of /vam/vam_eps.php.

An issue was discovered in Selesta Visual Access Manager (VAM) prior to 4.42.2. An authenticated attacker can perform SQL Injection in multiple POST parameters of /vam/vam_visits.php.

Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.

MonicaHQ v4.1.2 was discovered to contain a Client-Side Injection vulnerability via the last_name parameter the General Information module.