#auth

There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.

A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270.

SQL Injection vulnerability in functions/point_list.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters.

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

The extension fails to verify whether a specified content element identifier is permitted by the plugin. This enables an unauthenticated user to display various content elements, leading to an insecure direct object reference (IDOR) vulnerability with the potential to expose internal content elements.

The extension fails to check access permissions for the edit user component. An authenticated frontend user can use the vulnerability to either edit data of various frontend users or to delete various frontend user accounts. Another missing access check in the backend module of the extensions allows an authenticated backend user to perform various actions (userLogout, confirmUser, refuseUser and resendUserConfirmation) for any frontend user in the system.