1035 matches found
Design/Logic Flaw
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header, which leads to account takeover. If the user opens the invite link/signup link and then clicks on any external link within the page, the password-set token/signup token is leaked in the Referer header. Using thes...
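The ToolJet entry above describes a token carried in the signup or password-set URL leaking through the Referer header when the user follows an external link. The following added example is not ToolJet code; it models what a browser puts in the Referer header for a given page URL, link target and Referrer-Policy value, following the rules of the Referrer Policy specification: the fragment and userinfo are never sent, the modern default (strict-origin-when-cross-origin) sends only the origin to other sites, while no-referrer-when-downgrade (the older browser default) and unsafe-url send the full URL including the query string. The URLs are constructed sample inputs and the query-parameter name `token` is an assumption.

```javascript
// Added example, not code from ToolJet or from any advisory on this page.
// Models the Referer value a browser sends when a page whose URL carries a
// secret token links out to another origin, per Referrer-Policy value.

// Browsers drop userinfo and the fragment before using a URL as a referrer.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

function originOf(u) {
  return new URL(u).origin + '/';
}

// A "downgrade" is an https: page linking to an http: target.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

// Returns the Referer header value, or null when none would be sent.
function computeReferer(pageUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const sameOrigin = new URL(pageUrl).origin === new URL(targetUrl).origin;
  const downgrade = isDowngrade(pageUrl, targetUrl);
  const full = stripForReferrer(pageUrl);
  const origin = originOf(pageUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'origin':
      return origin;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : origin;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin':
      return downgrade ? null : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// True when the named query parameter of the page URL would reach the target
// site in the Referer header. `param` defaults to the assumed name "token".
function tokenLeaks(pageUrl, targetUrl, policy, param = 'token') {
  const ref = computeReferer(pageUrl, targetUrl, policy);
  return ref !== null && new URL(ref).searchParams.has(param);
}

// Constructed sample: an invite page with the token in the query string.
const PAGE = 'https://app.example/signup?token=abc123';
const EXTERNAL = 'https://third-party.example/docs';
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin', 'no-referrer']) {
  console.log(policy, '->', computeReferer(PAGE, EXTERNAL, policy), 'leaks:', tokenLeaks(PAGE, EXTERNAL, policy));
}
```

Two practical consequences follow from the model: a page that sets `Referrer-Policy: no-referrer` (or places the secret in the URL fragment, which is never part of a referrer) stops the leak regardless of browser default, and a token that is consumed server-side on first load and exchanged for a session cookie is no longer in the URL when the user clicks anything.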
WordPress MailerLite – Signup forms plugin <= 1.5.3 - Reflected Cross-Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Utkarsh Agrawal in WordPress MailerLite – Signup forms plugin versions <= 1.5.3. Solution: Update the WordPress MailerLite – Signup forms plugin to the latest available version, at least 1.5.4...
CVE-2022-1718
CVE-2022-1718 affects Trudesk prior to 1.2.2, where the Full Name field on signup accepts unusually large characters, enabling DoS via crafted HTTP requests. Affected: polonel/trudesk (pre-1.2.2). Impact: Denial of Service with HIGH overall severity (NVD CVSS v3.1 base 7.5; local/remote factors v...
CVE-2022-1718 The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in polonel/trudesk
The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service DoS via a crafted HTTP request in GitHub repository polonel/trudesk prior to 1.2.2. This can lead to Denial of service...
PT-2022-14070 · Trudesk · Trudesk
Name of the Vulnerable Software and Affected Versions: trudesk versions prior to 1.2.2 Description: The trudesk application has an issue where large characters can be inserted into the Full Name input field on the signup page, allowing attackers to cause a Denial of Service DoS via a crafted HTTP...
The trudesk application allows large characters to insert in the input field "Full Name" on the signup field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
POC: 1. Go to the signup form: http://127.0.0.1:8118/signup 2. Fill the Full Name input field with a huge number of characters (more than lakhs or crores) 3. After the account is created, check the admin panel: http://127.0.0.1:8118/accounts, go to Accounts -- Customers 4. The admin panel will be flooded with our...
GHSA-RR6R-P7RW-369C Session Fixation in Jenkins
A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account...
CVE-2022-29727
Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting XSS vulnerability in the Signup parameter...
Cross site scripting
Survey Sparrow Enterprise Survey Software 2022 has a Stored cross-site scripting XSS vulnerability in the Signup parameter...
CVE-2022-29727
CVE-2022-29727 affects Survey Sparrow Enterprise Survey Software 2022. Vulnerable component: the Signup parameter, due to missing input validation, enabling stored XSS. Documented impact: client-side JavaScript execution. CVSS scores: v3.1 base 5.4 (MEDIUM), vector NETWORK/AV:N/AC:L/PR:L/UI:R/S:C...
Survey Sparrow Enterprise Survey Software cross-site scripting vulnerability
Survey Sparrow Enterprise Survey Software is enterprise survey software from Survey Sparrow, Inc. A cross-site scripting vulnerability exists in Survey Sparrow Enterprise Survey Software version 2022, which stems from missing data validation and filtering of the Signup parameter...
Cross-Site Scripting (XSS)
auth0-lock is vulnerable to cross-site scripting. The vulnerability exists in signUp function in actions.js due to lack of sanitization in the additional sign-up fields which allows an attacker to inject and execute arbitrary javascript...
Design/Logic Flaw
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML co...
CVE-2022-29172 HTML injection with additional signup fields
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code...
CVE-2022-29172
Auth0 Lock (auth0-lock) vulnerability CVE-2022-29172 affects versions before 11.33.0 where the “additional signup fields” feature allows HTML injection into the fields, storing invalid HTML in the user metadata payload (name property). This can cause a crafted link to render HTML in the recipient...
PT-2022-2605 · Auth0 · Auth0
Name of the Vulnerable Software and Affected Versions: Auth0 versions prior to 11.33.0 Description: The issue is related to the "additional signup fields" feature in Auth0, where a malicious actor can inject invalidated HTML code into these fields, which is then stored in the service user metadata...
Cross site scripting
A vulnerability, which was classified as problematic, was found in Emlog Pro up to 1.2.2. This affects the POST parameter handling of articles. The manipulation with the input alert1; leads to cross site scripting. It is possible to initiate the attack remotely but it requires a signup and login ...