LCDS Laquis SCADA prior to version 4.1.0.4150 accepts user input without proper sanitization, which may allow an attacker to execute remote code on the server.
CWE-74
CVE-2018-1896
IBM Connections 5.0, 5.5, and 6.0 are vulnerable to a possible host header injection attack that could cause navigation to the attacker’s domain. IBM X-Force ID: 152456.
CVE-2018-18250
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single ‘$’ character as the Name of a Navigation item.
CVE-2018-18207
Virtualmin 6.03 allows Frame Injection via the settings-editor_read.cgi file parameter.
CVE-2018-16763
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
CVE-2018-16627
panel/login in Kirby v2.5.12 allows Host header injection via the “forget password” feature.