CVE-2018-7491
In PrestaShop through 1.7.2.5, a UI-Redressing/Clickjacking vulnerability was found that might lead to state-changing impact in the context of a user or an admin, because the generateHtaccess function in classes/Tools.php sets neither X-Frame-Options nor 'Content-Security-Policy "frame-ancestors'...
Dodocool DC38 N300 - Cross-site Request Forgery
Dodocool DC38 N300 - Cross-site Request Forgery Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery Date: 17-01-2018 Exploit Authors: Raffaele Sabato Contact: https://twitter.com/syrion89 Vendor: DODOCOOL Vendor Homepage: www.dodocool.com Version: RTN2-AW.GD.R3465.1.20161103 CVE:...
CVE-2017-15091
The CVE-2017-15091 issue affects PowerDNS Authoritative Server (4.x up to 4.0.4 and 3.x up to 3.4.11). Although the API can be configured as read-only via api-readonly, a missing check permits operations that alter server state: flushing the cache, triggering a zone transfer, or sending NOTIFY wh...
CVE-2017-15091
An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only via the api-readonly...
Friday Squid Blogging: Squid Populations Are Exploding
New research: "Global proliferation of cephalopods". Summary: Human activities have substantially changed the world's oceans in recent decades, altering marine food webs, habitats and biogeochemical processes. Cephalopods (squid, cuttlefish and octopuses) have a unique set of biological traits,...
Student Arrested For Using Keylogger and Changing Grades 90 Times
By Uzair Amir. An ex-wrestler and student of the University of Iowa is... This is a post from HackRead.com. Read the original post: Student Arrested For Using Keylogger and Changing Grades 90 Times...
CVE-2017-7969
A cross-site request forgery vulnerability exists on the Secure Gateway component of Schneider Electric's PowerSCADA Anywhere v1.0 redistributed with PowerSCADA Expert v8.1 and PowerSCADA Expert v8.2 and Citect Anywhere version 1.0 for multiple state-changing requests. This type of attack require...
CVE-2017-7505
Foreman since version 1.5 is vulnerable to an incorrect authorization check, due to which users with user management permission who are assigned to some organizations can perform all operations granted by these permissions on all administrator user objects outside of their scope, such as editing global...
e107 CMS 2.1.4 - Cross-Site Request Forgery
...
Faveo Helpdesk Community 1.9.3 Cross Site Request Forgery
Exploit Title: CSRF / Privilege Escalation Manipulation of Role Agent to Admin on Faveo version Community 1.9.3 Google Dork: no Date: 05-April-2017 Exploit Author: @runggareksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy Vendor Homepage: http://www.faveohelpdesk.com/ Software Link:...
Harvest: Editing a project (LIMITED)
Hey there, I found out that a user invited to a project cannot edit the project settings unless he is a PROJECT MANAGER on it. Now there is an option while editing a project to make it BILLABLE OR NOT... When it is NOT billable it is quite impossible to BILL an invoice for it without making it...
Shopify: Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
Hi, I managed to bypass the fix you deployed for the issue I reported in 159522. Apparently this is what the fix does: - Redirecting to https://checkout.shopify.com/ only is allowed. - For example: victim.myshopify.com/account/logout?returnurl=https://checkout.shopify.com// will work - but...
Changing delivery group icons with storefront 3.0 or above in the environment.
...
Mail.ru: [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info'
Hi, I noticed that when we change the user info of https://cfire.mail.ru from here: https://cfire.mail.ru/account/userinfo, there are two Anti-CSRF tokens, or you can say they just do the work of an Anti-CSRF token: - signature - submit2 Actually, I was able to bypass both Anti-CSRF tokens, and afte...
SecNews: Querying private posts and changing post meta
Summary: An unauthenticated user can run arbitrary post queries and insert arbitrary numeric post meta via the vulnerable /wp-content/themes/SecNews-NewCustom/functions/ajax.php file. I'm including two exploits in one report because the fix for both is the same, i.e. delete ajax.php. Run arbitrary po...
Open Upload 0.4.2 - Cross-Site Request Forgery (Add Admin)
Exploit for PHP platform in category web applications. Open Upload 0.4.2 Remote Admin Add CSRF Exploit and Changing Normal user permission...