81 matches found
MAL-2025-191692 Malicious code in bh-usa-req-ase (PyPI)
Source: kam193 (package SHA-256: 8c83e1a14cfb125b4cfcb3e1ca52afd31fb170b78ade2aa3fd31cc846b8ac7da). If run, the package exfiltrates AWS credentials. Though it is described as a test, the exfiltration really happens. Category: MALICIOUS - The campaign has...
CVE-2014-5017
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipantsjson, related to a search paramet...
ROS-20250326-10
A vulnerability in the Nextcloud Calendar application (calendar software for the Nextcloud data platform) is caused by the failure to sanitize line breaks and special characters in the email value of a JSON request. Exploitation of the vulnerability could allow an attacker actin...
Mattermost Server exposes private team invite ID
An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and 3.10.3. It allows attackers to discover a team invite ID by requesting a JSON document...
FreeBSD : Nextcloud Calendar -- SMTP Command Injection (2a314635-be46-11ec-a06f-d4c9ef517024)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 2a314635-be46-11ec-a06f-d4c9ef517024 advisory. - Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in...
Command injection
Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the RCPT TO:...
CVE-2022-24838 Command Injection in Appointment Emails for Nextcloud Calendar
Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the RCPT TO:...
Command Injection in Appointment Emails for Calendar
None...
Nextcloud Calendar -- SMTP Command Injection
reports: SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the RCPT TO: SMTP command and begin injecting arbitrary SMTP commands...
CVE-2021-3774
Meross Smart Wi-Fi 2 Way Wall Switch MSS550X, in version 3.1.3 and before, creates an open Wi-Fi access point without the required security measures during its initial setup. This could allow a remote attacker to obtain the Wi-Fi SSID as well as the password configured by the user from the Meross app...
CVE-2021-33483
An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. The comment posting functionality allows an attacker to add an XSS payload to the JSON request that will execute when users visit the page with the comment...
User (Encrypted) Password Field Being Serialised
Impact: The password field is leaked during serialisation of the User model. The password is in encrypted form, but if the User model is requested in JSON or array form the value is printed. Patches: The issue has been patched in version 0.3.7-beta and onwards. Workarounds: Add the 'password' field to the Users...
CVE-2020-4580
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted JSON request with invalid characters. IBM X-Force ID: 184439...
Design/Logic Flaw
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted JSON request with invalid characters. IBM X-Force ID: 184439...
CVE-2020-4580
CVE-2020-4580 affects IBM DataPower Gateway 2018.4.1.0–2018.4.1.12, where a remote attacker could cause a denial of service by sending a specially crafted JSON request with invalid characters. IBM’s security bulletin confirms the issue and lists the affected versions, with a fix available in 2018...
RHEL 6 : rubygem-activesupport (RHSA-2013:0202)
An updated rubygem-activesupport package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.0. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed...
CVE-2017-18349
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is...