Improper Input Validation in Jenkins
An arbitrary file read vulnerability exists in Jenkins 2.132 and earlier, 2.121.1 and earlier in the Stapler web framework's org/kohsuke/stapler/Stapler.java that allows attackers to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins...
CVE-2022-29932
The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 File Transfer allows an unauthenticated attacker to obtain sensitive data related to the content of transferred files via a crafted HTTP request...
Directory traversal
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to read arbitrary files from the underlying operating system...
The vulnerability of the Connection Manager component of the Oracle Communications Billing and Revenue Management software lies in insufficient validation of input data. This allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.
The vulnerability of the Connection Manager component of the Oracle Communications Billing and Revenue Management software exists due to insufficient validation of input data. Exploiting this vulnerability can allow an attacker, operating remotely, to compromise the confidentiality, integrity, an...
The vulnerability of the VMware Identity Manager administration console, the Workspace ONE Access application management platform, the Cloud Foundation virtualization platform, and the vRealize Suite Lifecycle Manager software for application lifecycle management, arises from improper code generation. This allows an attacker to execute arbitrary code.
The vulnerabilities of VMware Identity Manager administration consoles, Workspace ONE Access application management platform, Cloud Foundation virtualization platform, and the vRealize Suite Lifecycle Manager software are related to improper code generation. Exploiting these vulnerabilities allow...
CVE-2022-26616
PKP Vendor Open Journal System v2.4.8 to v3.3.8 allows attackers to perform reflected cross-site scripting (XSS) attacks via crafted HTTP headers...
CVE-2022-25420
NTT Resonant Incorporated goo blog App Web Application 1.0 is vulnerable to CRLF injection. This vulnerability allows attackers to execute arbitrary code via a crafted HTTP request...
Sql injection
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the viewplan endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests...
CVE-2022-26285
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests...
The microweber application accepts very large input in the "Coupons" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1. Go to "Settings", click on "Coupons" and add a new coupon. 2. Go to this drive link: https://drive.google.com/file/d/1CcVCHWbvMk07IZ5v4dojrdJbC43ufhh/view?usp=sharing, copy the payload and paste it into the "Code" input field. 3. You will see the application accepts large characters...
ROS-20220317-01
The Apache HTTP Server web server vulnerability is related to a bounds error in LimitXMLRequestBody. Exploitation of the vulnerability could allow an attacker acting remotely to cause memory corruption and execute arbitrary code on the target system.
The microweber application accepts very large input in the "first & last name" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request, in microweber/microweber.
Proof of Concept 1. Go to http://127.0.0.1/admin/view:modules/loadmodule:users/action:profile 2. Click on edit profile 3. Fill the first name & last name field with huge characters, more than 1 lakh 4. Copy the below payload and put it in the input fields and click on continue. 5. You will see th...
The microweber application accepts very large input in the "post title" input field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
Proof of Concept 1. Go to add post http://site.com/admin/post/create 2. Click on create new post 3. There will be an option called post title 4. Fill the input field with huge characters, more than 1 lakh 5. Copy the below payload and put it in the input fields and click on continue. 6. You will see...
CVE-2021-43075
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to...
Sql injection
An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to the AP...
Command injection
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests to...
CVE-2022-25062
TP-LINK TL-WR840NESV6.20180709 was discovered to contain an integer overflow via the function dmcheckString. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...
CVE-2022-20650
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation of user-supplied data that is sent to the NX-API. An attacker could exploit thi...
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting Vulnerability
Exploit Title: Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS); Google Dork: inurl:/fmlurlsvc/; Exploit Author: Braiant Giraldo Villa; Contact: @ironfortress (Twitter); Vendor Homepage: https://www.fortinet.com/products/email-security; Software Link:...