PYSEC-2020-32
An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility of an XSS attack...
USN-4381-1 python-django vulnerabilities
Dan Palmer discovered that Django incorrectly validated memcached cache keys. A remote attacker could possibly use this issue to cause a denial of service and obtain sensitive information. (CVE-2020-13254) Jon Dufresne discovered that Django incorrectly encoded query parameters for the admin...
PT-2020-5464 · Django +3
Name of the Vulnerable Software and Affected Versions: Django versions 2.2 before 2.2.13 Django versions 3.0 before 3.0.7 Description: An issue in the Django admin ForeignKeyRawIdWidget allows for a possibility of an XSS attack due to query parameters not being properly URL encoded. This could...
CVE-2020-11928
In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the taxquery, metaquery, or datequery parameter in mlagallery via an admin...
CVE-2020-1760
A flaw was found in the Ceph Object Gateway, where it supports requests sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input. Mitigation: the mitigation provided by DigitalOcean relies on the HAProx...
CVE-2019-11292
Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...
Authentication flaw
Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...
CVE-2019-11292
CVE-2019-11292 affects Pivotal Ops Manager: versions 2.4.x before 2.4.27, 2.5.x before 2.5.24, 2.6.x before 2.6.16, and 2.7.x before 2.7.5 log all query parameters to Tomcat's access log; if parameters serve authentication, credentials may be logged. Root cause: parameter logging leaking credentials into logs. I...
CVE-2019-11292 Pivotal Ops Manager logs query parameters in Tomcat access file
Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2.5.24, 2.6.x prior to 2.6.16, and 2.7.x prior to 2.7.5, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...
CVE-2019-11293
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...
Authentication flaw
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...
CVE-2019-11293 UAA logs all query parameters with debug logging level
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs clientsecret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters...
CVE-2019-11290 Cloud Foundry UAA logs query parameters in Tomcat access file
Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, then they will be logged as well...
CVE-2019-11290: UAA logs query parameters in Tomcat access file | Cloud Foundry
Severity: High. Vendor: Cloud Foundry Foundation. Description: Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query parameters to Tomcat's access file. If the query parameters are used to provide authentication, i.e. credentials, they will be logged as well. Affected Cloud Foundry...
Arbitrary Variants Via Query Parameters
Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. If an application treats variants as trusted, this can lead to potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance: landingpage = fieldtest:landingpage Page.where"key =...
SQL Injection
Overview: All versions of untitled-model are vulnerable to SQL injection. Query parameters are not properly sanitized, allowing attackers to inject SQL statements and execute arbitrary SQL queries. Recommendation: No fix is currently available. Consider using an alternative package until a fix is mad...
SQL Injection
resquel is vulnerable to SQL injection. A remote attacker is able to inject and execute arbitrary SQL statements in the application due to the lack of query parameter sanitization...
CVE-2019-7409
Multiple cross-site scripting (XSS) vulnerabilities in ProfileDesign CMS v6.0.2.5 allow remote attackers to inject arbitrary web script or HTML via the page, gbs, side, id, imgid, cat, or orderby parameter...
Cross-site scripting vulnerability in VIVOTEK Network Camera series products (CNVD-2019-00683)
VIVOTEK Network Camera Series is a series of network camera products from VIVOTEK, China. A cross-site scripting vulnerability exists in the eventscript.js file in the VIVOTEK Network Camera Series using firmware versions 0x06x to 0x08x. The vulnerability can be exploited by a remote attacker to...