Octopus Deploy Elevation of Privilege Vulnerability
Octopus is an automated tool for development and deployment of .NET from Octopus Deploy Australia. A security vulnerability exists in versions of Octopus prior to 3.17.7. An attacker could exploit the vulnerability to invite users to groups with elevated privileges...
Privilege Escalation
CloudFoundry User Account and Authentication UAA is vulnerable to privilege escalation attacks. These attacks are possible because any user is able to access the invitations endpoint. Through the endpoint, malicious users are able to perform a password reset on a different user...
CVE-2017-4992: Privilege escalation with user invitations | Cloud Foundry
Severity: Critical. Vendor: Cloud Foundry Foundation. Versions Affected: cf-release versions prior to v261; UAA release: 2.x versions prior to v2.7.4.17, 3.6.x versions prior to v3.6.11, 3.9.x versions prior to v3.9.13, other versions prior to v4.2.0; UAA bosh release uaa-release: 13.x versions prior to...
WordPress Invite Anyone Plugin Security Bypass Vulnerability
WordPress is the WordPress Software Foundation's suite of blogging platforms developed using the PHP language, which supports personal blog sites on servers running PHP and MySQL. Invite Anyone is one of its invitation components. A security bypass vulnerability exists in the by-email/by-email.php...
HackerOne: Report invitation links not restricted to any existing user
We recently made a change to how report invitations work in order to make the Disclosure Assistance process better. Parts of this change regressed the fix we made in 123420 regarding how report invitations, such as to become an external participant, are handled. @japzdivino notified of this regression a...
King Phisher 1.5.2 - Phishing Campaign Toolkit
King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. It features an easy to use, yet very flexible architecture allowing full control over both emails and server content. King Phisher can be used to run campaigns ranging from simple awareness...
Microsoft Exchange Server Cross-Site Scripting Vulnerability (CNVD-2016-07681)
Microsoft Exchange Server is a suite of e-mail service components from Microsoft. A cross-site scripting vulnerability in Microsoft Exchange Server can be exploited by a remote attacker to inject arbitrary web script or HTML via a meeting invitation request...
Apple iOS Calendar Denial of Service Vulnerability
Apple iOS is an operating system developed for mobile devices. A security vulnerability in Calendar in Apple iOS allows remote attackers to cause a denial of service via specially crafted invitations...
HackerOne: Content spoofing on invitations page
When you are an owner of a program on h1, you are allowed to invite external users to access any report through email. As you invite someone, this is how the body of the invitation is being sent through email: link to researcher's profile invited you to join the bug Title Of The Bug for Name of...
Polycom RealPresence CloudAXIS Suite Cross-Site Scripting Vulnerability
Polycom RealPresence CloudAXIS Suite is a cloud-based, cross-platform video collaboration solution from Polycom. The solution allows meeting schedules to be sent to contacts via email and calendar invitations. A cross-site scripting vulnerability exists in Polycom RealPresence CloudAXIS Suite 1.6...
HackerOne: Team member invitations to sandboxed teams are not invalidated consistently (v2)
As per our email conversation on ticket 2527, I am giving you a proof of concept of my claim. 1. I have a sandboxed team in hackerone, named movielee. 2. The manager of that team @haxorsistz sends an invite to = ██████████ 3. The link which I received on email was =...
HackerOne: Team member invitations to sandboxed teams are not invalidated consistently
Hello, today I found a bug about auth in sending an invitation to a member to join the team. So if now the victim sends an invitation to another victim account to join the team as a manager, the link of the invitation will be valid for many, many, many times to accept the invitation from other accounts in ...
php云: unauthorized sending of interview invitations deducts recruiter points
Brief description: version v3.1 9.23. 1. There are only a few parameters controlling an interview invitation, and they can be constructed by the requester, so without logging in one can make a recruiter send an interview invitation to a job seeker. Sending an interview invitation has a precondition: each send deducts 12 points. When buying points, 1 yuan = 20 points. Detailed description: File location: https://images.seebug.org/upload/model/ajax.class.php function savaajaxresumeaction $data'uid'=int$POST'uid'; // uid of the person sending the interview invitation $data'title'='面试邀请';...
WordPress Social Invitations Plugin 'test.php' XSS Vulnerability
WordPress Social Invitations Plugin is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
WP Social Invitations <=1.4.4.2 - test.php Multiple Parameter Reflected XSS
The wp-social-invitations WordPress plugin was affected by a test.php Multiple Parameter Reflected XSS security vulnerability...
CVE-2014-4597
Cross-site scripting (XSS) vulnerability in test.php in the WP Social Invitations plugin before 1.4.4.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xhrurl parameter...
Cross-site scripting
Cross-site scripting (XSS) vulnerability in test.php in the WP Social Invitations plugin before 1.4.4.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the xhrurl parameter...
CVE-2014-4597
Affected software: WordPress WP Social Invitations Plugin. Vulnerable component: test.php parameter handling (xhrurl) in versions before 1.4.4.3. Root cause: cross-site scripting (XSS) vulnerability allowing remote attackers to inject arbitrary script/HTML via the xhrurl parameter. Impact: potent...
WordPress WP Social Invitations Plugin <= 1.4.4.2 - XSS
Because of this vulnerability in test.php, attackers can inject arbitrary web script or HTML via the "xhrurl" parameter. Solution: update the plugin...