PT-2022-3894 · Totolink · Totolink A3100R

Name of the Vulnerable Software and Affected Versions: TOTOLink A3100R version 4.1.2cu.5050 B20200504 Description: The issue is related to a command injection vulnerability in the "Main" function, which is caused by a lack of input data sanitization. This allows attackers to execute arbitrary...

PT-2022-3896 · Totolink · Totolink A3600R

Name of the Vulnerable Software and Affected Versions: TOTOLink A3600R version 4.1.2cu.5182 B20201102 Description: The issue is related to a command injection vulnerability in the "Main" function of the TOTOLink A3600R router's firmware. This vulnerability is caused by the lack of input data...

GHSA-V9P9-535W-4285 Prototype Pollution in litespeed.js and appwrite/server-ce

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

Prototype Pollution in litespeed.js and appwrite/server-ce

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

CVE-2021-23682

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

CVE-2021-23682 Prototype Pollution

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

CVE-2021-23682

Prototype pollution vulnerability in litespeed.js (

litespeed.js 安全漏洞

litespeed.js is a lean and fast micro JavaScript framework. A security vulnerability exists in litespeed.js prior to version 0.3.12, which stems from a Prototype Pollution vulnerability when parsing a query string in the getJsonFromUrl function, where keys set in the result object are not properl...

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

This affects the package litespeed.js before 0.3.12; the package appwrite/server-ce from 0.12.0 and before 0.12.2, before 0.11.1. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leading to a Prototype Pollution...

CVE-2021-24878

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue...

CVE-2021-45742

TOTOLINK A720R v4.1.5cu.470B20200911 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERYSTRING parameter...

TotoLink A720R 命令注入漏洞

TOTOLINK A720R is a router device. An input validation vulnerability exists in TOTOLINK A720R Main's handling of QUERYSTRING, which can be exploited by a remote attacker to submit a special request that can be used to execute arbitrary commands in the application context...

GHSA-6QJ8-C27W-RP33 Cross-site scripting in Apache Syncome EndUser

It was found that the Apache Syncope EndUser UI login page prio to 2.0.15 and 2.1.6 reflects the successMessage parameters. By this mean, a user accessing the Enduser UI could execute javascript code from URL query string...

VulnCheck KEV: CVE-2021-24878

The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the wpsccreateticket shortcode embed, leading to a Reflected Cross-Site Scripting issue...

Brave Software: New XSS vector in ReaderMode with %READER-TITLE-NONCE%

A new XSS vulnerability was discovered in Brave iOS 1.31.1 and higher, which allowed attackers to execute malicious scripts on ReaderMode pages. The vulnerability was caused by a relaxation of the CSP rule, which allowed scripts with nonce-%READER-TITLE-NONCE% to be executed. Attackers could...

CVE-2021-23228

DIAEnergie Version 1.7.5 and prior is vulnerable to a reflected cross-site scripting attack through error pages that are returned by “.NET Request.QueryString”...

Delta Electronics DIAEnergie 跨站脚本漏洞

Delta Electronics DIAEnergie is an industrial energy management system used to monitor and analyze energy consumption in real time, calculate energy consumption and load characteristics, optimize equipment performance, improve production processes, and maximize energy efficiency.A cross-site...

undertow: special character in query results in server errors

A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability...

Backdoor.Win32.VB.afu Insecure Transit

Discovery / credits: Malvuln - malvuln.com c 2021 Original source: https://malvuln.com/advisory/c6ba7fcb9eb9bdd7e081e2e84e784dcbB.txt Contact: [email protected] Media: twitter.com/malvuln Threat: Backdoor.Win32.VB.afu Vulnerability: Insecure Transit Password Disclosure Description: The malware...

Wordlistgen - Quickly Generate Context-Specific Wordlists For Content Discovery From Lists Of URLs Or Paths

wordlistgen is a tool to pass a list of URLs and get back a list of relevant words for your wordlists. Wordlists are much more effective when you take the application's context into consideration. wordlistgen pulls out URL components, such as subdomain names, paths, query strings, etc. and spits...