847 matches found

Github Security Blog
added 2022/05/13 1:08 a.m., 33 views

Improper Input Validation in Apache Hadoop

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0...

CVSS 7.5, AI score 7.1, EPSS 0.01938
Exploits 1, References 6, Affected Software 1
OSV
added 2022/05/11 2:15 p.m., 2 views

CVE-2022-28077

Home Owners Collection Management v1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability in the Admin panel via the $GET's' parameter...

CVSS 6.1, AI score 6.3, EPSS 0.00288
Exploits 2, References 2
ATTACKERKB
added 2022/05/06 5:15 p.m., 3 views

CVE-2022-27183

The Monitoring Console app configured in Distributed mode allows for a Reflected XSS in a query parameter in Splunk Enterprise versions before 8.1.4. The Monitoring Console app is a bundled app included in Splunk Enterprise, not for download on SplunkBase, and not installed on Splunk Cloud Platfo...

CVSS 8.8, AI score 6.4, EPSS 0.0035
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2022/05/01 7:00 a.m., 4 views

Alkacon OpenCms XSS via query parameter in a search action

Cross-site scripting (XSS) vulnerability in search.html in Alkacon OpenCms 6.0.0, 6.0.2, and 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search action...

CVSS 2.6, AI score 5.6, EPSS 0.00622
Exploits 1, References 4, Affected Software 1
ATTACKERKB
added 2022/04/27 6:15 a.m., 2 views

CVE-2022-29810

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter...

CVSS 5.5, AI score 6.7, EPSS 0.00099
Exploits 0, References 4
Prion
added 2022/04/27 6:15 a.m., 20 views

Design/Logic Flaw

The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter...

CVSS 2.1, AI score 7.2, EPSS 0.00099
Exploits 0, References 3, Affected Software 1
CVE
added 2022/04/27 5:50 a.m., 262 views

CVE-2022-29810

CVE-2022-29810 affects the HashiCorp go-getter library, where versions before 1.5.11 fail to redact an SSH private key in a URL query parameter. In practice, this can lead to exposure of SSH credentials in logs or error messages, potentially readable by local users with access to the logfile. Con...

CVSS 5.5, AI score 5.2, EPSS 0.00099
Exploits 0, References 3, Affected Software 1
Snyk
added 2022/04/26 8:39 a.m., 1 view

Cross-site Scripting (XSS)

Overview: whoogle-search is a self-hosted, ad-free, privacy-respecting metasearch engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error message that i...

CVSS 6.1, AI score 5.2, EPSS 0.00301
Exploits 0, References 2
CNNVD
added 2022/04/07 12:00 a.m., 2 views

Exrick XMall Cross-Site Scripting Vulnerability

Exrick XMall is a distributed e-commerce shopping mall based on SOA architecture. A security vulnerability exists in the Exrick XMall Admin Panel, which originates from a GET parameter in product-add.jsp...

CVSS 6.1, AI score 6.2, EPSS 0.00308
Exploits 0, References 4
CNNVD
added 2022/03/04 12:00 a.m., 1 view

Subrion CMS Cross-Site Scripting Vulnerability

Subrion CMS is a PHP-based content management system (CMS) from the Subrion team. The system can be integrated into websites and supports multiple extension plugins. A security vulnerability exists in Subrion CMS 4.2.1, which can be exploited by attackers via the q parameter in the Kickstart...

CVSS 6.1, AI score 5.5, EPSS 0.06672
Exploits 1, References 4
CNVD
added 2022/03/03 12:00 a.m., 20 views

Jenkins GitLab Authentication Plugin User Redirection Vulnerability

Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. A user redirection vulnerability exists in Jenkins GitLab Authentication Plugin 1.13 and earlier versions, which stems fr...

CVSS 5.4, AI score 1.5, EPSS 0.00021
Exploits 0, References 1
Prion
added 2022/02/25 8:15 p.m., 7 views

Open redirect

The package karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the returnurl query parameter...

CVSS 5.8, AI score 6.2, EPSS 0.00255
Exploits 0, References 3, Affected Software 1
Cvelist
added 2022/02/25 8:00 p.m., 10 views

CVE-2021-23495 Open Redirect

The package karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the returnurl query parameter...

CVSS 5.4, AI score 6.5, EPSS 0.00255
Exploits 0, References 3
Huntr
added 2022/01/08 3:07 p.m., 19 views

Cross-site Scripting (XSS) - DOM in karma-runner/karma

Description: DOM-based XSS is a vulnerability in which the attacker can inject arbitrary JavaScript code in any DOM sink that supports dynamic code execution. In our case, the source is the query parameter returnurl and the sink is location.href. Proof of Concept: 1. Start karma server and visit the following...

CVSS 4.3, AI score 0.8, EPSS 0.24648
Exploits 1
CNNVD
added 2021/12/02 12:00 a.m., 1 view

Nzedb Cross-Site Scripting Vulnerability

Nzedb is a newsgroup indexer. A cross-site scripting vulnerability exists in NZEDb that stems from the exit function in the product's www/pages/api.php file not effectively filtering input data. The vulnerability allows an attacker to print a $GETt message. The following products and versions are...

CVSS 6.1, AI score 5.9, EPSS 0.00223
Exploits 1, References 1
RedHat Linux
added 2021/11/15 5:18 p.m., 2 views

resteasy: Error message exposes endpoint class information

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The...

CVSS 5.3, AI score 7, EPSS 0.00084
Exploits 0, References 4
NVD
added 2021/11/04 8:15 p.m., 13 views

CVE-2021-41249

GraphQL Playground is a GraphQL IDE for development of GraphQL-focused applications. All versions of graphql-playground-react older than [email protected] are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names,...

CVSS 7.1, EPSS 0.00362
Exploits 0, References 3
Prion
added 2021/11/03 6:15 p.m., 18 views

Path traversal

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

CVSS 4.3, AI score 6.3, EPSS 0.87697
Exploits 0, References 5, Affected Software 1
OSV
added 2021/10/29 8:15 p.m., 1 view

CVE-2020-25872

A vulnerability exists within the FileManagerController.php function in FrogCMS 0.9.5 which allows an attacker to perform a directory traversal attack via a GET request urlencode parameter...

CVSS 4.9, AI score 5.8, EPSS 0.0045
Exploits 1, References 1
CNNVD
added 2021/10/29 12:00 a.m., 2 views

FrogCms Path Traversal Vulnerability

FrogCms is an HTTP server. A path traversal vulnerability exists in FrogCMS, which stems from a vulnerability in the FileManagerController.php function in FrogCMS version 0.9.5, which can be exploited to perform a directory traversal attack via the GET request urlencode parameter...

CVSS 4.9, AI score 5.5, EPSS 0.0045
Exploits 1, References 2