Lucene search

1460 matches found

OSV, added 2021/11/08 9:15 p.m., 1 view

CVE-2021-40260

Multiple cross-site scripting (XSS) vulnerabilities exist in SourceCodester Tailor Management 1.0 via (1) the eid parameter in (a) partedit.php and (b) customeredit.php, (2) the id parameter in (a) editmeasurement.php and (b) addpayment.php, and (3) the error parameter in index.php...

CVSS 6.1, AI score 5.8
Exploits: 0, References: 1
The Hacker News, added 2021/10/12 7:16 a.m., 27 views

Microsoft Fended Off a Record 2.4 Tbps DDoS Attack Targeting Azure Customers

Microsoft on Monday revealed that its Azure cloud platform mitigated a 2.4 Tbps distributed denial-of-service (DDoS) attack in the last week of August targeting an unnamed customer in Europe, surpassing a 2.3 Tbps attack stopped by Amazon Web Services in February 2020. "This is 140 percent higher...

AI score 7.1
Exploits: 0
Talos Blog, added 2021/10/08 5:45 a.m., 14 views

Talos Takes Ep. #71 (NCSAM edition): Reflecting on ransomware in 2021

By Jon Munshaw. The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page. We are far from the first or last people to say this, but 2021 is the year of ransomware. It’s by far the biggest story... Thi...

AI score 2.1
Exploits: 0
OSV, added 2021/10/05 3:15 p.m., 2 views

CVE-2021-41555

In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because data received as input from clients is re-included in the HTTP response returned by the application without adequate validation. In this way, if HTML cod...

CVSS 6.1, AI score 5.9, EPSS 0.00396
Exploits: 0, References: 1
Tenable Nessus, added 2021/10/05 12:00 a.m., 15 views

Rails Unsafe Reflection

Ruby on Rails is a popular framework used to build web applications based on the Model-View-Controller (MVC) architectural pattern. Ruby on Rails provides a method called constantize which allows developers to dynamically find a constant by using a string. The most common usage of this method is to...

AI score 8.1
Exploits: 0, References: 3
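The unsafe reflection pattern behind the Nessus entry above, shown as an added example in plain Ruby (this is not the plugin's code and not Rails itself): Object.const_get stands in for ActiveSupport's String#constantize, and the Exporter classes and the type parameter are assumptions made for illustration. The vulnerable lookup sits beside two mitigations, an explicit allowlist and a resolve-then-verify check.

```ruby
# Added example, not code from the Nessus plugin or from Rails. Object.const_get
# emulates ActiveSupport's String#constantize so this runs in plain Ruby.
# The Exporter classes and the "type" request parameter are assumptions.

class Exporter; end

class PdfExporter < Exporter
  def self.run(record)
    "pdf:#{record}"
  end
end

class CsvExporter < Exporter
  def self.run(record)
    "csv:#{record}"
  end
end

# Vulnerable: the untrusted string resolves to *any* constant loaded in the
# process (File, Kernel, ObjectSpace, an ORM base class ...), not only the two
# exporters the author had in mind. Whatever the caller does next with the
# result (.new, .send, .run ...) decides how bad that is.
def exporter_unsafe(type_param)
  Object.const_get(type_param) # stands in for type_param.constantize
end

# Mitigation 1: map the untrusted string onto an explicit allowlist so it
# never reaches the constant lookup at all.
EXPORTERS = { 'pdf' => PdfExporter, 'csv' => CsvExporter }.freeze

def exporter_safe(type_param)
  EXPORTERS.fetch(type_param) do
    raise ArgumentError, "unsupported export type: #{type_param.inspect}"
  end
end

# Mitigation 2 (when the set of classes is open-ended): resolve, then refuse
# anything that is not a Class strictly below the expected base. Modules such
# as Kernel, unrelated classes such as File and the base itself all fail.
def exporter_checked(type_param)
  klass = Object.const_get(type_param)
  unless klass.is_a?(Class) && klass < Exporter
    raise ArgumentError, "not an exporter: #{type_param.inspect}"
  end
  klass
rescue NameError
  raise ArgumentError, "unknown constant: #{type_param.inspect}"
end

if __FILE__ == $PROGRAM_NAME
  puts exporter_unsafe('File')            # File: attacker picked the class
  puts exporter_checked('PdfExporter').run('invoice-42')
  begin
    exporter_checked('File')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist form is preferable whenever the set of targets is known up front; the resolve-then-verify form still performs the reflective lookup, so it is only as safe as the base class you compare against.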
CNNVD, added 2021/10/04 12:00 a.m., 1 view

Forcepoint NGFW Engine Security Vulnerability

Forcepoint NGFW Engine is a next-generation firewall solution from Forcepoint Corporation. A security vulnerability exists in Forcepoint NGFW Engine: the affected software is open to TCP reflection amplification if the user configures HTTP User Response...

CVSS 7.5, AI score 7.3, EPSS 0.00366
Exploits: 0, References: 3
CNNVD, added 2021/09/20 12:00 a.m., 2 views

Maian Script World Maian Affiliate Code Injection Vulnerability

Maian Script World Maian Affiliate is a free, simple but powerful referral system written in PHP by Maian Script World, UK. MaianAffiliate suffers from a code injection vulnerability that stems from the injected payload being reflected on the affiliate site homepage for all authenticat...

CVSS 7.2, AI score 7.2, EPSS 0.00886
Exploits: 1, References: 3
Github Security Blog, added 2021/09/02 4:52 p.m., 81 views

Default CORS config allows any origin with credentials

Impact: origin reflection attack. The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app, app, using the default CORS config, running at https://vulnerable.example.com: (scala) val routes: HttpRoutes[F] = HttpRoutes.of { case req if req.pathInfo ===...

CVSS 9.1, AI score 8.4, EPSS 0.00169
Exploits: 0, References: 4, Affected software: 6
OSV, added 2021/09/02 4:52 p.m., 5 views

GHSA-52CF-226F-RHR6 Default CORS config allows any origin with credentials

Impact: origin reflection attack. The default CORS configuration is vulnerable to an origin reflection attack. Take the following http4s app, app, using the default CORS config, running at https://vulnerable.example.com: (scala) val routes: HttpRoutes[F] = HttpRoutes.of { case req if req.pathInfo ===...

CVSS 9.1, AI score 7.1, EPSS 0.00169
Exploits: 0, References: 4
NVD, added 2021/09/01 8:15 p.m., 8 views

CVE-2021-39185

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS 9.1, EPSS 0.00169
Exploits: 0, References: 2
OSV, added 2021/09/01 8:15 p.m., 9 views

CVE-2021-39185

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS 9.1, AI score 9.2
Exploits: 0, References: 2
Prion, added 2021/09/01 8:15 p.m., 17 views

Design/Logic Flaw

Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null...

CVSS 6.4, AI score 9.1, EPSS 0.00169
Exploits: 0, References: 2, Affected software: 1
CVE, added 2021/09/01 7:25 p.m., 53 views

CVE-2021-39185

Http4s is affected by a vulnerability in the default CORS configuration that enables origin reflection and a Null Origin Attack for versions 0.21.26 and prior, 0.22.0–0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24. The issue stems from the default CORS settings allowing credentialed acces...

CVSS 9.1, AI score 9.2, EPSS 0.00169
Exploits: 0, References: 2, Affected software: 1
CNNVD, added 2021/09/01 12:00 a.m., 2 views

Http4s Access Control Error Vulnerability

http4s is an open source streaming HTTP server for Scala. An access control error vulnerability exists in Http4s that stems from the default CORS configuration being vulnerable to origin reflection attacks. The following products and versions are affected: 0.21.26 and earlier, 0.22.0 through...

CVSS 9.1, AI score 8.2, EPSS 0.00169
Exploits: 0, References: 2
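The origin reflection and null-origin problems described across the http4s entries above, demonstrated as an added example in plain Ruby rather than Scala. This is not http4s code: it is a minimal Rack-style CORS policy with the weak "echo the Origin and allow credentials" behaviour beside an allowlisted version, plus the browser-side rule that decides whether a credentialed cross-origin read succeeds. The trusted origin, the attacker origins and the header hashes are constructed for the example.

```ruby
# Added example, not http4s code. Request and response headers are plain
# hashes so this runs without Rack; the trusted origin is an assumption.

TRUSTED_ORIGINS = ['https://app.example.com'].freeze # assumed front end

CREDENTIALED = { 'Access-Control-Allow-Credentials' => 'true' }.freeze

# Weak policy (what a reflecting default amounts to): whatever Origin the
# browser sent is echoed back together with Allow-Credentials. Browsers refuse
# credentials when ACAO is "*", which is exactly why echoing the header is the
# dangerous shortcut: https://evil.example gets its own per-origin grant, and so
# does the literal "null" origin (sandboxed iframe, file://, some redirects).
def cors_reflect(request_headers)
  origin = request_headers['Origin']
  return {} if origin.nil?
  { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }.merge(CREDENTIALED)
end

# Fixed policy: credentials only for an exact match against an allowlist;
# "null" is never allowlisted because it identifies no site. Everything else
# gets no CORS headers at all, so the browser blocks the cross-origin read.
def cors_allowlist(request_headers, trusted = TRUSTED_ORIGINS)
  origin = request_headers['Origin']
  return {} if origin.nil? || origin == 'null' || !trusted.include?(origin)
  { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }.merge(CREDENTIALED)
end

# Browser-side rule of thumb: a credentialed fetch() issued from +page_origin+
# may read the response only if ACAO equals that origin exactly and
# Allow-Credentials is "true".
def credentialed_read_allowed?(response_headers, page_origin)
  response_headers['Access-Control-Allow-Origin'] == page_origin &&
    response_headers['Access-Control-Allow-Credentials'] == 'true'
end

# Simulate the attacker's page calling the API under a given policy:
# true means the attacker can read the victim's authenticated response.
def attack_outcome(policy, attacker_origin)
  headers = send(policy, { 'Origin' => attacker_origin })
  credentialed_read_allowed?(headers, attacker_origin)
end

if __FILE__ == $PROGRAM_NAME
  %w[https://evil.example null https://app.example.com].each do |o|
    puts format('%-26s reflect=%-5s allowlist=%s', o,
                attack_outcome(:cors_reflect, o), attack_outcome(:cors_allowlist, o))
  end
end
```

Vary: Origin is kept in both policies so a cache never serves one origin's ACAO header to another; the allowlist comparison is an exact string match, since prefix or regex matching reintroduces the same class of bypass through look-alike origins.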
CNVD, added 2021/08/31 12:00 a.m., 17 views

Indexhibit Cross-Site Scripting Vulnerability (CNVD-2021-67909)

Indexhibit is a web-based content management system. A reflected cross-site scripting vulnerability exists in the /plugin/ajax.php component of Indexhibit version 2.1.5. An attacker could use this vulnerability to execute arbitrary web script or HTML...

CVSS 6.1, AI score 3.4, EPSS 0.00201
Exploits: 1, References: 1
CNNVD, added 2021/08/30 12:00 a.m., 2 views

Indexhibit Cross-Site Scripting Vulnerability

Indexhibit is a web-based content management system. A reflected cross-site scripting vulnerability exists in the /plugin/ajax.php component of Indexhibit version 2.1.5. An attacker could use this vulnerability to execute arbitrary web script or HTML...

CVSS 6.1, AI score 5.6, EPSS 0.00201
Exploits: 1, References: 1
ThreatPost, added 2021/08/20 9:11 p.m., 58 views

Web Censorship Systems Can Facilitate Massive DDoS Attacks

Researchers are warning that internet censorship systems are ripe for abuse by a new type of distributed denial of service (DDoS) attack. The potential for abuse is concerning, researchers say, because attacks would take advantage of a type of reflection and amplification, which would be “extremely...

AI score 7
Exploits: 0, References: 3
GithubExploit, added 2021/08/06 9:01 a.m., 111 views

Exploit for Cross-site Scripting in Chikitsa Patient_Management_System

CVE-2021-38149 Chikitsa Patient Management System 2.0.0 Stored...

CVSS 5.4, AI score 5.1, EPSS 0.00162
Exploits: 2
Debian CVE, added 2021/08/03 12:31 p.m., 25 views

CVE-2021-37833

A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands...

CVSS 6.1, AI score 6.1, EPSS 0.11566
Exploits: 1
Cvelist, added 2021/07/30 9:08 p.m., 13 views

CVE-2021-27495

Ypsomed mylife Cloud, mylife Mobile Application: Ypsomed mylife Cloud, all versions prior to 1.7.2; Ypsomed mylife App, all versions prior to 1.7.5. The Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from an HTTPS endpoint to an HTTP endpoint...

AI score 7.1, EPSS 0.00192
Exploits: 0, References: 1