Mattermost Security Vulnerabilities
Mattermost is an open source collaboration platform from US-based Mattermost. A security vulnerability exists in Mattermost version 5.5.0 and prior versions, which stems from an inability to properly validate a regular expression constructed based on the path to a server URL, resulting in a denia...
CVE-2023-39000
A reflected cross-site scripting (XSS) vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path...
OpenTelemetry Instrumentation for Java Information Disclosure Vulnerability
OpenTelemetry Instrumentation for Java is an OpenTelemetry open source Java agent JAR. An information disclosure vulnerability exists in OpenTelemetry Instrumentation for Java prior to version 1.28.0, which stems from the fact that when detecting a SES POST request, the request's query parameter ...
Social-Commerce 3.1.6 Cross Site Scripting
Exploit Title: Social-Commerce 3.1.6 - Reflected XSS Exploit Author: CraCkEr Date: 28/07/2023 Vendor: mooSocial Vendor Homepage: https://moosocial.com/ Software Link: https://social-commerce.moosocial.com/ Tested on: Windows 10 Pro Impact: Manipulate the content of the site CVE: CVE-2023-4174...
CVE-2023-36255
An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL...
U.S. Dept Of Defense: Adobe ColdFusion Access Control Bypass - CVE-2023-38205
A vulnerability in Adobe ColdFusion was discovered that allowed bypassing access controls by using malicious path traversal in URLs targeting the /CFIDE/wizards/common/utils.cfc endpoint. This enabled attackers to reach endpoints that should have been restricted. The issue affected Adobe ColdFusi...
Gira KNX/IP-Router Path Traversal Vulnerability
The Gira KNX/IP-Router is a secure router for public buildings from Gira. A security vulnerability exists in Gira KNX/IP-Router versions 3.1.3683.0 and 3.3.8.0 that allows an attacker to read sensitive files via a directory traversal sequence in a URL...
URL Restriction Bypass
Description In attempting to fix a previous issue, the PATTERNUSERINFO regular expression was changed. This change introduced another way to bypass the URL allowlist by introducing non-alphanumeric characters into the user information part of the URL. Proof of Concept Run PlantUML with...
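The PlantUML entry above describes a URL allowlist being bypassed through non-alphanumeric characters in the userinfo part of a URL. The following is an added illustration of that bug class, not PlantUML's code or its PATTERNUSERINFO regex: a constructed allowlist check that extracts the host with a regex whose userinfo group only accepts alphanumerics, beside a hardened check that lets a real URL parser decide what the host is. The allowlist and hostnames are assumptions for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the demo (hostnames are assumptions).
ALLOWED_HOSTS = {"allowed.example.com"}

# Naive host extraction: the optional userinfo group only admits
# alphanumerics, so any "." or ":" in the userinfo makes the group
# fail to match and the host group then captures the userinfo instead.
NAIVE_HOST = re.compile(r"^https?://(?:[A-Za-z0-9]+@)?([A-Za-z0-9.-]+)")


def naive_allowed(url: str) -> bool:
    """Regex-based allowlist check (vulnerable pattern)."""
    m = NAIVE_HOST.match(url)
    return bool(m) and m.group(1).lower() in ALLOWED_HOSTS


def hardened_allowed(url: str) -> bool:
    """Allowlist check that trusts the URL parser's notion of host.

    Userinfo is rejected outright: an allowlisted service has no reason
    to need credentials embedded in the URL, and accepting them is what
    creates the ambiguity the naive regex gets wrong.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased, brackets stripped
    return host is not None and host in ALLOWED_HOSTS


def demo():
    """Return (naive, hardened) verdicts for a set of constructed URLs."""
    cases = [
        "http://allowed.example.com/diagram.puml",        # legitimate
        "http://evil.example.com/diagram.puml",           # plainly denied
        "http://alloweduser@evil.example.com/x",          # userinfo the regex understands
        "http://allowed.example.com@evil.example.com/x",  # "." in userinfo: bypass
    ]
    return {u: (naive_allowed(u), hardened_allowed(u)) for u in cases}


if __name__ == "__main__":
    for url, (naive, hard) in demo().items():
        print(f"{url}\n  naive={naive} hardened={hard}")
```

The last URL is the interesting one: the regex sees `allowed.example.com` as the host because the `@`-terminated userinfo group cannot match a string containing a dot, while `urlsplit` (and any browser or HTTP client) connects to `evil.example.com`. Exact-match on the parser's hostname, with userinfo refused, closes that gap.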
CVE-2023-29837
Cross Site Scripting vulnerability found in Exelysis Unified Communication Solution EUCS v.1.0 allows a remote attacker to gain privileges via the URL path of the eucsAdmin login web page...
CVE-2023-29837
The CVE describes a Cross-Site Scripting (XSS) vulnerability in Exelysis Unified Communication Solution (EUCS) v1.0. The issue affects the eucsAdmin login web page, where an attacker can craft a URL path to execute scripts, potentially enabling remote privilege gain. The NVD/CVE metadata indicate...
Directorist < 7.5.4 - Admin+ LFI
The plugin is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files. This PoC will work on Linux systems. 1. Navigate to the URL path: /wp-admin/edit.php?posttype=atbizdir&page=tools&step=2&file=/etc/passwd&delimiter=; 2. You will be presented wit...
NewStart CGSL CORE 5.05 / MAIN 5.05 : python Multiple Vulnerabilities (NS-SA-2023-0008)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has python packages installed that are affected by multiple vulnerabilities: - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker...
K6924: Insertion of special characters in URL path circumvents Accessibility Scope and Access Control Lists
Security Advisory Description Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F...
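The Adobe ColdFusion entry (path traversal in a URL reaching a restricted /CFIDE/ endpoint) and the F5 K6924 entry (special characters in the URL path circumventing access control lists) are both instances of one failure: the access control decision is made on the raw request path, while the component that serves the request sees a normalized one. The following is an added illustration of that class, written here and not the ColdFusion or F5 implementation: a constructed restricted-prefix ACL evaluated on the raw path, beside one evaluated after percent-decoding and dot-segment resolution. The prefixes and request paths are assumptions for the demo.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed ACL for the demo: anything under these prefixes is
# restricted to administrators (prefixes are assumptions).
RESTRICTED_PREFIXES = ("/CFIDE/", "/admin/")


def naive_is_restricted(raw_path: str) -> bool:
    """ACL applied to the request path exactly as received (vulnerable)."""
    return raw_path.startswith(RESTRICTED_PREFIXES)


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any security decision.

    Steps: percent-decode once, reject NUL and a second encoding layer,
    collapse repeated slashes, resolve "." and ".." segments, and force a
    leading slash so ".." can never climb above the root.
    """
    path = unquote(raw_path)
    if "\x00" in path or "%" in path:
        # A "%" left after one decode means double encoding; refuse it
        # rather than guess how many layers the back end will strip.
        raise ValueError("malformed path")
    path = re.sub(r"/+", "/", path)          # "//CFIDE" -> "/CFIDE"
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)          # resolves "." and ".."
    # normpath drops the trailing slash; keep it so prefix rules on
    # directories still match the directory itself.
    if raw_path.endswith("/") and not path.endswith("/"):
        path += "/"
    return path


def hardened_is_restricted(raw_path: str) -> bool:
    """ACL applied to the canonical path; malformed input is treated as restricted."""
    try:
        return normalize_path(raw_path).startswith(RESTRICTED_PREFIXES)
    except ValueError:
        return True


def demo():
    """Return (naive, hardened) verdicts for constructed request paths."""
    cases = [
        "/CFIDE/wizards/common/utils.cfc",          # direct: both deny
        "/public/../CFIDE/wizards/common/utils.cfc",# dot-dot traversal
        "/./CFIDE/wizards/common/utils.cfc",        # dot segment
        "/%43FIDE/wizards/common/utils.cfc",        # percent-encoded "C"
        "//CFIDE/wizards/common/utils.cfc",         # doubled slash
        "/%2543FIDE/wizards/common/utils.cfc",      # double encoding
        "/index.cfm",                               # legitimate
    ]
    return {p: (naive_is_restricted(p), hardened_is_restricted(p)) for p in cases}


if __name__ == "__main__":
    for path, (naive, hard) in demo().items():
        print(f"{path:45} naive={naive!s:5} hardened={hard}")
```

Every variant except the first and last slips past the raw-path check while resolving to the restricted resource once served. The hardened check normalizes first and treats anything it cannot canonicalize with confidence (NUL bytes, a second encoding layer) as restricted rather than as public.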
CVE-2023-26265
The Borg theme before 1.1.19 for Backdrop CMS does not sufficiently sanitize path arguments that are passed in via a URL. The function borgpreprocesspage in the file template.php does not properly sanitize incoming path arguments before using them...