177 matches found
Information Disclosure
gatsby-plugin-sharp is vulnerable to Information Disclosure. The vulnerability is due to a path traversal when running the Gatsby development server because it exposes several image processing functions which allows an attacker to gain access to arbitrary files on the host...
PHP Development Server Information Disclosure Vulnerability
PHP is a widely used general purpose scripting language that is particularly well suited for web development and can be embedded in HTML. An information disclosure vulnerability exists in PHP Development Server, which stems from a logic flaw in php_cli_server_begin_send_static when parsing htt...
lite-dev-server Path Traversal Vulnerability
lite-dev-server is an http file server for development by the individual developer Gavrilov Rusla. A security vulnerability exists in lite-dev-server that stems from a lack of input cleanup and a directory traversal vulnerability...
Path traversal in unjs/storage leads to code injection due to unsanitized code generation
Path Traversal: A path traversal vulnerability exists within unjs/unstorage when using the file system storage driver. This vulnerability can be exploited when the user has control over the key name. By creating key names containing sequences of ../ or ..: we can navigate the file system. We are...
CVE-2021-20146
An unprotected ssh private key exists on the Gryphon devices which could be used to achieve root access to a server affiliated with Gryphon's development and infrastructure. At the time of discovery, the ssh key could be used to login to the development server hosted in Amazon Web Services...
Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser. See CWE-172: Encoding Erro...
HashiCorp Nomad Remote Command Execution Exploit
This Metasploit module lets you create a batch job on HashiCorp's Nomad service to spawn a shell. The default option is to use the rawexec driver, which runs with high privileges. Development servers and clients explicitly enabling the rawexec plugin can spawn these types of jobs. Regular exec job...
Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28
Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted...
openSUSE Security Update : python-Werkzeug (openSUSE-2019-2145)
This update for python-Werkzeug fixes the following issues: Security issue fixed: - CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container bsc1145383. This update was imported from the SUSE:SLE-15-SP1:Update update project...
SUSE-SU-2019:2308-1 Security update for python-Werkzeug
This update for python-Werkzeug fixes the following issues: Security issue fixed: - CVE-2019-14806: Fixed the development server in Docker, the debugger security pin is now unique per container bsc1145383...
Analysis of the Ruby on Rails Path Traversal and Arbitrary File Read Vulnerability (CVE-2018-3760)
Vulnerability advisory. This vulnerability was discovered by security researcher Orange Tsai. The advisory is from https://groups.google.com/forum/!topic/rubyonrails-security/ftJ--l55fM There is an information leak vulnerability in Sprockets. This vulnerability has been assigned the CVE identifier CVE-2018-3760. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower,...
Information disclosure
The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads a set of dependencies from api.hubapi.com. It appears in the code that these files are downloaded over HTTPS however the api.hubapi.com endpoint redirects to a HTTP url. Because of this...
MHA - Mail Header Analyzer
Mail header analyzer is a tool written in flask for parsing email headers and converting them to a human readable format and it also can: Identify hop delays. Identify the source of the email. Identify hop country. MHA is an alternative for the following: Name | Dev | Issues ---|---|---...
Sun ONE Unified Development Server 5.0 Recursive Document Type Definition Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6626/info It has been reported that problems with the handling of recursive document type definitions (DTDs) occur in Sun ONE Unified Development Server (UDS). When a document is uploaded containing these types of constructs,...
Millions of Passwords leaked from Social Site Formspring
Formspring, a social Q&A website popular with teenagers, this week disabled its users' passwords after discovering a security breach. Formspring founder and CEO Ade Olonoh apologized to users for the inconvenience, and advised them to change their passwords when they log back into Formspring. A bl...
Sun ONE Unified Development Server 5.0 - Recursive Document Type Definition
source: https://www.securityfocus.com/bid/6626/info It has been reported that problems with the handling of recursive document type definitions (DTDs) occur in Sun ONE Unified Development Server (UDS). When a document is uploaded containing these types of constructs, the system experiences high...