RedhatCVE
added 2024/10/09 1:12 a.m., 19 views

CVE-2024-6861

A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API. Mitigation To mitigate this...

CVSS 7.5 | AI score 6.8 | EPSS 0.00658
Exploits 0 | References 5
Hacker One
added 2024/10/07 7:34 p.m., 13 views

MTN Group: Unauthenticated phpinfo() files could lead to file read ability at █████████

The remote web server contained a PHP script that exposed sensitive information about the server's configuration through the phpinfo function. This information could have been used by an attacker to conduct further attacks against the system...

AI score 6.8
Exploits 0
NVD
added 2024/09/17 8:15 p.m., 13 views

CVE-2024-45398

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does...

CVSS 8.8 | EPSS 0.00517
Exploits 0 | References 2
Cvelist
added 2024/09/17 7:56 p.m., 32 views

CVE-2024-45398 Remote command execution through file upload in contao/core-bundle

Contao is an Open Source CMS. In affected versions a back end user with access to the file manager can upload malicious files and execute them on the server. Users are advised to update to Contao 4.13.49, 5.3.15 or 5.4.3. Users unable to update are advised to configure their web server so it does...

CVSS 8.3 | EPSS 0.00517
Exploits 0 | References 2
CVE
added 2024/09/17 7:56 p.m., 56 views

CVE-2024-45398

Contao CMS vulnerability: a back-end user with file-manager access can upload and execute malicious files on the server, enabling remote command execution. Affected range includes Contao 4.x up to 4.13.48, 5.x up to 5.4.2. Remediation recommended by advisories is to upgrade to Contao 4.13.49, 5.3...

CVSS 8.8 | AI score 8.4 | EPSS 0.00517
Exploits 0 | References 2 | Affected Software 1
Contao
added 2024/09/17 12:00 a.m., 20 views

Remote command execution through file uploads

Date : 2024-09-17 CVE ID : CVE-2024-45398 Back end users with access to the file manager can upload malicious files and execute them on the server. Affected versions Contao 4.0 Contao 4.1 Contao 4.2 Contao 4.3 Contao 4.4 Contao 4.5 Contao 4.6 Contao 4.7 Contao 4.8 Contao 4.9 Contao 4.10 Contao 4....

CVSS 8.8 | AI score 8.8 | EPSS 0.00517
Exploits 0 | Affected Software 1
OSV
added 2024/09/13 5:15 p.m., 1 view

CVE-2024-31415

The Eaton Foreseer software provides the feasibility for the user to configure external servers for multiple purposes such as network management, user management, etc. The software uses encryption to store these configurations securely on the host machine. However, the keys used for this encrypti...

CVSS 8.1 | AI score 5.8 | EPSS 0.00121
Exploits 0 | References 1
Cvelist
added 2024/09/04 8:12 p.m., 18 views

CVE-2024-45399 Indico has a Cross-Site-Scripting during account creation

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the...

CVSS 4.3 | EPSS 0.00361
Exploits 0 | References 4
Github Security Blog
added 2024/09/04 5:19 p.m., 12 views

Indico has a Cross-Site-Scripting during account creation

Impact There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. Exploitation requires the user to initiate the account creation process with a maliciously crafted link, and then finalize the signup process. Because of...

CVSS 6.1 | AI score 6.9 | EPSS 0.00361
Exploits 0 | References 7 | Affected Software 1
Vulnrichment
added 2024/09/04 4:08 p.m., 11 views

CVE-2024-45314 Flask-AppBuilder login form allows browser to cache sensitive fields

Flask-AppBuilder is an application development framework. Prior to version 4.5.1, the auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. Version 4.5.1 contains a patch for this issue. If...

CVSS 3.6 | AI score 7 | EPSS 0.00262
Exploits 0 | References 2
CNNVD
added 2024/09/04 12:00 a.m., 3 views

ZZCMS Cross-Site Scripting Vulnerability

ZZCMS is a content management system (CMS) by the ZZCMS team in China. A cross-site scripting vulnerability exists in ZZCMS v.2023 and prior versions, which stems from a phpinfo function that discloses detailed information about the PHP environment, including server configuration, loaded modules, a...

CVSS 7.5 | AI score 6 | EPSS 0.00353
Exploits 1 | References 2
CVE
added 2024/09/04 12:00 a.m., 50 views

CVE-2024-44820

CVE-2024-44820 affects ZZCMS v.2023 and earlier. The vulnerability resides in the eginfo.php file located at /3/E_bak5.1/upload/ and is triggered when phome=ShowPHPInfo is supplied, executing phpinfo() and exposing detailed PHP environment information (server config, loaded modules, variables). T...

CVSS 7.5 | AI score 6.7 | EPSS 0.00353
Exploits 1 | References 1 | Affected Software 1
Packet Storm
added 2024/08/31 12:00 a.m., 154 views

Nuuo Central Management Server Authenticated Arbitrary File Download

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Nuuo Central Management Server Authenticated Arbitrary File Download', 'Description' = %q The Nuuo Central Management Server allows an...

CVSS 9.8 | AI score 7 | EPSS 0.19653
Exploits 2
OSV
added 2024/08/21 3:29 p.m., 13 views

GO-2022-0838 Exposure of server configuration in github.com/go-vela/server in github.com/go-vela/compiler

Exposure of server configuration in github.com/go-vela/server in github.com/go-vela/compiler...

CVSS 7.4 | AI score 5.9 | EPSS 0.01777
Exploits 1 | References 5
OSV
added 2024/08/08 6:15 p.m., 1 view

CVE-2024-37382

An issue discovered in import host feature in Ab Initio Metadata Hub and Authorization Gateway before 4.3.1.1 allows attackers to run arbitrary code via crafted modification of server configuration...

CVSS 7.2 | AI score 6 | EPSS 0.00436
Exploits 0 | References 1
NVD
added 2024/08/08 6:15 p.m., 12 views

CVE-2024-37382

An issue discovered in import host feature in Ab Initio Metadata Hub and Authorization Gateway before 4.3.1.1 allows attackers to run arbitrary code via crafted modification of server configuration...

CVSS 7.2 | EPSS 0.00436
Exploits 0 | References 1
RedHat Linux
added 2024/08/08 5:22 p.m., 4 views

undertow: LearningPushHandler can lead to remote memory DoS attacks

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the...

CVSS 5.3 | AI score 5.7 | EPSS 0.01866
Exploits 0 | References 4
Vulnrichment
added 2024/08/08 12:00 a.m., 13 views

CVE-2024-37382

An issue discovered in import host feature in Ab Initio Metadata Hub and Authorization Gateway before 4.3.1.1 allows attackers to run arbitrary code via crafted modification of server configuration...

AI score 7.4 | EPSS 0.00436
Exploits 0 | References 1
CNNVD
added 2024/08/08 12:00 a.m., 5 views

Ab Initio Metadata Hub and Ab Initio Authorization Gateway Security Vulnerability

Ab Initio Metadata Hub and Ab Initio Authorization Gateway are both products of Ab Initio, Inc. of the U.S. Ab Initio Metadata Hub is a metadata system. Ab Initio Authorization Gateway is an authorization gateway. A security vulnerability exists in Ab Initio Metadata Hub and Ab Initio Authorizatio...

CVSS 7.2 | AI score 8.1 | EPSS 0.00436
Exploits 0 | References 2
CVE
added 2024/08/08 12:00 a.m., 72 views

CVE-2024-37382

Affected products: Ab Initio Metadata Hub and Ab Initio Authorization Gateway, prior to version 4.3.1.1. Root cause: in the import host feature, crafted server configuration changes allow remote code execution. Impact: arbitrary code execution with high confidentiality, integrity, and availabilit...

CVSS 7.2 | AI score 7.5 | EPSS 0.00436
Exploits 0 | References 1 | Affected Software 2