4200 matches found

Prion
added 2019/07/05 2:15 p.m., 21 views

Cross site request forgery (csrf)

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authentication of administrators via updating user's 'Basic Info'...

CVSS 6.8, AI score 8.9, EPSS 0.00748
Exploits 0, References 2, Affected software 1
Tenable Nessus
added 2019/07/05 12:00 a.m., 14 views

Siemens SIMATIC Teleservice Adapter IE Basic 6ES7972-0EB00-0XA0

Binary data 764662.prm...

AI score 7.3
Exploits 0
Prion
added 2019/07/02 8:15 p.m., 22 views

Design/Logic Flaw

An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with the value sent in the "Authorization: Basic" RTS...

CVSS 10, AI score 9.7, EPSS 0.05625
Exploits 1, References 3
Pen Test Partners Blog
added 2019/06/18 7:02 a.m., 171 views

Ewon Flexy IoT Router. A Deep dive

First off I would like to thank the techs at PTP for their insights and help during this process. I know what I know, and I don't know what I don’t know, so I asked for help sometimes. I've learned a lot from this project e.g. how XOR works, and how to use IDA to analyse ARM binaries better, so I...

AI score 6.9
Exploits 0
exploitpack
added 2019/06/14 12:00 a.m., 27 views

Aida64 6.00.5100 - Log to CSV File Local SEH Buffer Overflow

Aida64 6.00.5100 - Log to CSV File Local SEH Buffer Overflow !/usr/bin/python Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit Author : Nipun Jaswal Tested On : Windows 7 Home Basic x86 Version : 6.00.5100 Release Date : 31/May/2019 Build : 21/May/2019 Vendor Homepage...

Exploits 0
Exploit DB
added 2019/06/14 12:00 a.m., 368 views

Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow

!/usr/bin/python Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit Author : Nipun Jaswal Tested On : Windows 7 Home Basic x86 Version : 6.00.5100 Release Date : 31/May/2019 Build : 21/May/2019 Vendor Homepage: https://www.aida64.com/downloads Software Link:...

AI score 7.4
Exploits 0
0day.today
added 2019/06/14 12:00 a.m., 298 views

Aida64 6.00.5100 - (Log to CSV File) Local SEH Buffer Overflow Exploit

Exploit for windows platform in category local exploits !/usr/bin/python Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit Author : Nipun Jaswal Tested On : Windows 7 Home Basic x86 Version : 6.00.5100 Vendor Homepage: https://www.aida64.com/downloads Software Link:...

AI score 7.2
Exploits 0
Japan Vulnerability Notes
added 2019/06/07 6:18 a.m., 2 views

Multiple vulnerabilities in GROWI

Overview GROWI provided by WESEEK, Inc. contains multiple vulnerabilities listed below. Cross-site request forgery vulnerability in the process of updating user's "Basic Info" CWE-352 - CVE-2019-5968 Open redirect vulnerability in the process of login CWE-601 - CVE-2019-5969 Security Group of...

CVSS 8.8, AI score 6.8, EPSS 0.01133
Exploits 0, References 8
vulnersOsv
added 2019/06/06 3:32 p.m., 15 views

@blitzbank/dashboard (>=0.0.1 <=0.0.2), @coinmesh/lnd-adapter (>=0.0.1 <=0.2.12) +15 more potentially affected by unknown CVE via express-basic-auth (>=0.1.3 <=1.1.6)

express-basic-auth NPM version =0.1.3, =0.0.1, =0.0.1, =2.0.0, =1.0.0, =0.1.5, =3.0.0, =1.0.1, =1.0.0, =0.1.5, =0.0.1, =1.0.0, =0.1.0, =2.0.0, =36.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-C35V-QWQG-87JC...

AI score 5.8
Exploits 0
Github Security Blog
added 2019/06/06 3:32 p.m., 19 views

express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison

Versions of express-basic-auth prior to 1.1.7 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant time string comparison, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the...

AI score 4.5
Exploits 0, References 7, Affected software 1
OSV
added 2019/06/06 3:32 p.m., 1 view

GHSA-C35V-QWQG-87JC express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison

Versions of express-basic-auth prior to 1.1.7 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant time string comparison, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the...

CVSS 3.1, AI score 5.8
Exploits 0, References 7
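The two express-basic-auth entries above (the Github Security Blog one and the OSV one) describe the same defect: a native string comparison returns at the first mismatching character, so the time a wrong password takes to be rejected grows with the length of the correctly guessed prefix, and an attacker can confirm the secret one character at a time. The Python below is an added example, not code from express-basic-auth or from either advisory. Instead of measuring wall-clock time, which is noisy, it counts comparison steps so the leak is visible deterministically, and it shows `hmac.compare_digest` as the library constant-time replacement; the package's own fix in 1.1.7 is not reproduced here. The secret `s3cret!` is a constructed sample.

```python
import hmac


def naive_compare(expected: bytes, guess: bytes) -> tuple:
    """Mirror a native string compare: stop at the first differing byte.

    Returns (match, steps); steps is the number of byte comparisons made
    and stands in for elapsed time."""
    steps = 0
    if len(expected) != len(guess):
        return False, steps  # length mismatch is rejected immediately
    for a, b in zip(expected, guess):
        steps += 1
        if a != b:
            return False, steps  # early exit: steps == matching prefix + 1
    return True, steps


def constant_time_compare(expected: bytes, guess: bytes) -> tuple:
    """Hand-rolled constant-time compare, instrumented like naive_compare.

    Always walks len(expected) bytes and folds every difference into one
    accumulator, so steps does not depend on the guess."""
    steps = 0
    # On a length mismatch compare expected against itself so the loop still
    # runs to the end; the length difference alone forces a non-zero result.
    other = guess if len(guess) == len(expected) else expected
    diff = len(expected) ^ len(guess)
    for a, b in zip(expected, other):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def check_password(expected: str, supplied: str) -> bool:
    """What a fixed implementation should do: use the library's
    constant-time compare rather than == on strings."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def guess_with_prefix(expected: bytes, k: int) -> bytes:
    """A guess that matches the first k bytes of expected and nothing after."""
    if k >= len(expected):
        return expected
    filler = bytes([expected[k] ^ 0xFF])  # guaranteed to differ at position k
    return expected[:k] + filler * (len(expected) - k)


def prefix_leak_profile(expected: bytes, compare) -> list:
    """Step counts for guesses sharing 0..len(expected) leading bytes.

    A rising sequence means the attacker can confirm one byte at a time;
    a flat sequence means the compare gives nothing away."""
    return [compare(expected, guess_with_prefix(expected, k))[1]
            for k in range(len(expected) + 1)]


if __name__ == "__main__":
    SECRET = b"s3cret!"  # constructed sample password
    print("naive   :", prefix_leak_profile(SECRET, naive_compare))
    print("constant:", prefix_leak_profile(SECRET, constant_time_compare))
```

Run it and the naive profile climbs by one step per correctly guessed byte, which is exactly the signal a remote attacker recovers from response latency over many samples; the constant-time profile is flat. In production code use `hmac.compare_digest` (or the equivalent in your language) and never the instrumented helper.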
NVD
added 2019/06/03 9:29 p.m., 24 views

CVE-2019-11367

An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully...

CVSS 9.8, AI score 9.6, EPSS 0.0282
Exploits 5, References 3
OSV
added 2019/06/03 9:29 p.m., 4 views

CVE-2019-11367

An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully...

CVSS 9.8, AI score 7.3, EPSS 0.0282
Exploits 5, References 3
Prion
added 2019/06/03 9:29 p.m., 12 views

Hardcoded credentials

An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully...

CVSS 7.5, AI score 9.6, EPSS 0.0282
Exploits 5, References 3, Affected software 1
Prion
added 2019/06/03 8:29 p.m., 13 views

Sql injection

A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...

CVSS 6.8, AI score 8.4, EPSS 0.02633
Exploits 1, References 2, Affected software 1
NVD
added 2019/06/03 8:29 p.m., 16 views

CVE-2019-12374

A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...

CVSS 8.1, AI score 8.5, EPSS 0.02633
Exploits 1, References 2
Cvelist
added 2019/06/03 8:16 p.m., 22 views

CVE-2019-11367

An issue was discovered in AUO Solar Data Recorder before 1.3.0. The web portal uses HTTP Basic Authentication and provides the account and password in the WWW-Authenticate attribute. By using this account and password, anyone can log in successfully...

AI score 9.7, EPSS 0.0282
Exploits 5, References 3
Cvelist
added 2019/06/03 7:26 p.m., 20 views

CVE-2019-12374

A SQL Injection vulnerability exists in Ivanti LANDESK Management Suite LDMS, aka Endpoint Manager 10.0.1.168 Service Update 5 due to improper username sanitization in the Basic Authentication implementation in core/provisioning.secure/ProvisioningSecure.asmx in Provisioning.Secure.dll...

AI score 8.5, EPSS 0.02633
Exploits 1, References 2
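The CVE-2019-12374 entries above (Prion, NVD and Cvelist) all come down to one bug class: the username decoded from an HTTP Basic credential is concatenated into a SQL statement without sanitisation. The Python below is an added, illustrative example and not Ivanti's code; the page does not show the real query in Provisioning.Secure.dll, so the table, the stored account and the lookup statement are constructed, and an in-memory SQLite database stands in for the product's backend. It decodes a Basic header the way a server would, then runs the same lookup twice, once with string concatenation and once with bound parameters, so the effect of a crafted username can be seen directly.

```python
import base64
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory user table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def basic_header(user: str, password: str) -> str:
    """Build the value a client sends in 'Authorization: Basic ...'."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str):
    """Decode the (user, password) pair from a Basic Authorization value.

    Only the first ':' separates the fields, so passwords may contain ':'."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def authenticate_vulnerable(conn, header: str) -> bool:
    """The decoded username is spliced straight into SQL (the entry's bug class)."""
    user, password = parse_basic(header)
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + user +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def authenticate_fixed(conn, header: str) -> bool:
    """Same lookup with bound parameters: the username cannot change the query."""
    user, password = parse_basic(header)
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


# Closes the string literal and comments out the password check in the
# concatenated query: ... WHERE username = 'admin' --' AND password = '...'
INJECTED_USER = "admin' --"


if __name__ == "__main__":
    conn = setup_db()
    forged = basic_header(INJECTED_USER, "anything")
    print("vulnerable:", authenticate_vulnerable(conn, forged))  # True, no password needed
    print("fixed     :", authenticate_fixed(conn, forged))       # False
```

The parameterised version is the whole fix: the driver sends the username as data, so the quote and comment sequence is looked up literally as a username and matches nothing. Validating the decoded username's character set before the query is a reasonable second layer, but on its own it is the kind of "sanitisation" that the advisory says was done improperly.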
Tenable Nessus
added 2019/06/03 12:00 a.m., 21 views

Basic Authentication Without HTTPS

The remote web server contains web pages that are protected by 'Basic' authentication over cleartext. An attacker eavesdropping on the traffic might obtain the logins and passwords of valid users. No source data...

AI score 7.6
Exploits 0, References 1
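Two of the entries on this page are checks a scanner can make from a single 401 response: the Nessus plugin above flags a Basic challenge served over plain HTTP, and the AUO Solar Data Recorder entries (CVE-2019-11367) describe a challenge whose WWW-Authenticate header itself carries the account and password. The Python below is an added example, not the Nessus plugin and not the AUO device's real header. It parses a raw HTTP response, reads the challenge, and raises a finding for Basic over cleartext and for any auth-param beyond the two (realm and charset) that RFC 7617 defines for the Basic scheme. The sample responses are constructed; the `user` and `password` parameters in the second one are a hypothetical shape chosen to show the check firing, since the page does not reproduce the actual AUO header. `decode_basic_authorization` shows what a passive observer recovers from the matching cleartext request.

```python
import base64
import re
from urllib.parse import urlsplit

# RFC 7617 defines only these auth-params for the Basic scheme.
KNOWN_BASIC_PARAMS = {"realm", "charset"}

# token=value or token="quoted value", comma separated
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, {header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_challenge(value: str):
    """'Basic realm="x", charset="UTF-8"' -> ('basic', {'realm': 'x', ...})."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _AUTH_PARAM.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


def decode_basic_authorization(header: str):
    """What an eavesdropper recovers from a cleartext 'Authorization: Basic'."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def audit_basic_auth(url: str, raw_response: str) -> list:
    """Return finding tags for a 401 response fetched from url."""
    findings = []
    _, headers = parse_response(raw_response)
    for challenge in headers.get("www-authenticate", []):
        scheme, params = parse_challenge(challenge)
        if scheme != "basic":
            continue
        if urlsplit(url).scheme.lower() == "http":
            findings.append("basic-over-cleartext")  # the Nessus finding
        extra = sorted(set(params) - KNOWN_BASIC_PARAMS)
        if extra:
            # Basic has no business carrying anything beyond realm/charset;
            # anything else, a credential above all, deserves a manual look.
            findings.append("unexpected-challenge-params:" + ",".join(extra))
    return findings


# Constructed sample responses. The user/password params in the second one
# are a hypothetical shape, not the real AUO header.
SAMPLES = {
    "http://192.0.2.10/": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Recorder"\r\nContent-Length: 0\r\n\r\n',
    "http://192.0.2.11/": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Recorder", user="admin", password="admin"\r\n\r\n',
    "https://192.0.2.12/": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Recorder", charset="UTF-8"\r\n\r\n',
    "https://192.0.2.13/": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Digest realm="Recorder", nonce="abc"\r\n\r\n',
}


def audit_all(samples=SAMPLES) -> dict:
    """Audit every constructed sample; maps URL -> list of finding tags."""
    return {url: audit_basic_auth(url, raw) for url, raw in samples.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, findings or "clean")
```

The cleartext check is deliberately keyed on the URL scheme, not on the port, because Basic over HTTP on a non-standard port is still cleartext. The unexpected-parameter check is a heuristic: it cannot know that a value is a credential, but a Basic challenge with anything beyond realm and charset is unusual enough that a scanner should surface it for a human.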
exploitpack
added 2019/06/03 12:00 a.m., 37 views

AUO Solar Data Recorder 1.3.0 - Incorrect Access Control

AUO Solar Data Recorder 1.3.0 - Incorrect Access Control Exploit Title: AUO Solar Data Recorder - Incorrect Access Control Date: 2019-04-16 Exploit Author: Luca.Chiou Vendor Homepage: https://www.auo.com/zh-TW Version: AUO Solar Data Recorder all versions prior to v1.3.0 Tested on: It is a...

CVSS 7.5, AI score 1.2, EPSS 0.0282
Exploits 5