
836 matches found

Packet Storm
added 2021/05/11 12:0 a.m., 272 views

Customer Relationship Management (CRM) System 1.0 Shell Upload

Exploit Title: Customer Relationship Management CRM Unrestricted File Upload unauthenticated Date: 11/05/2021 Exploit Author: Richard Jones Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html Software Link:...

AI score: 7.4
Exploits: 0
wpexploit
added 2021/05/07 12:0 a.m., 105 views

DSGVO All in one for WP < 4.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

The dsgvoaiowritelog AJAX action of the plugin did not sanitise or escape some submitted POST parameters before outputting them in the Log page in the administrator dashboard wp-admin/admin.php?page=dsgvoaiofree-show-log. This could allow unauthenticated attackers to gain unauthorised access by...

CVSS: 6.1 | AI score: 0.7 | EPSS: 0.0775
Exploits: 2 | References: 1
Node.js
added 2021/05/04 6:18 p.m., 94 views

Arbitrary Code Injection

Overview In xmlhttprequest-ssl before 1.6.2 when requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run. Recommendation Upgrade to version 1.6.2 or later References CVE GitHub Advisory...

CVSS: 6.8 | AI score: 5.5 | EPSS: 0.17396
Exploits: 2 | Affected Software: 1
vulnersOsv
added 2021/05/04 6:2 p.m., 2 views

1tp (>=0.0.1 <=0.11.2), 2d-json-schema-editor-visual (>=1.0.2 <=1.0.7) +2806 more potentially affected by CVE-2020-28502 via xmlhttprequest-ssl (>=1.5.1 <=1.5.5)

xmlhttprequest-ssl NPM version =1.5.1, =0.0.1, =1.0.2, =1.0.1, =4.11.25, =0.1.3, =0.0.15, =8.25.29, =1.0.0, =0.0.4, =1.0.9, =1.0.15 and more Source cves: CVE-2020-28502 Source advisory: OSV:GHSA-H4J5-C7CJ-74XG...

CVSS: 8.1 | AI score: 7.2 | EPSS: 0.17396
Exploits: 2
OSV
added 2021/05/04 6:2 p.m., 12 views

GHSA-H4J5-C7CJ-74XG xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS: 9.8 | AI score: 8.1 | EPSS: 0.17396
Exploits: 2 | References: 10
vulnersOsv
added 2021/05/04 6:2 p.m., 1 views

317-project (=0.0.0), 4pm-cli (>=0.0.1 <=0.0.5) +1889 more potentially affected by CVE-2020-28502 via xmlhttprequest (>=1.2.2 <=1.6.0)

xmlhttprequest NPM version =1.2.2, =0.0.1, =0.1.16, =1.1.1, =0.0.4, =0.0.53, =0.0.42, =1.0.399-main, =0.1.0, =0.1.2, =0.1.3 and more Source cves: CVE-2020-28502 Source advisory: OSV:GHSA-H4J5-C7CJ-74XG...

CVSS: 8.1 | AI score: 7.2 | EPSS: 0.17396
Exploits: 2
Github Security Blog
added 2021/05/04 6:2 p.m., 94 views

xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS: 8.1 | AI score: 8 | EPSS: 0.17396
Exploits: 2 | References: 11 | Affected Software: 2
Packet Storm
added 2021/05/02 12:0 a.m., 240 views

GetSimple CMS Custom JS 0.1 CSRF / XSS / Code Execution

Exploit Title: GetSimple CMS Custom JS v0.1 - CSRF to XSS to RCE Exploit Author: Bobby Cooke boku & Abhishek Joshi Date: April 30th, 2021 Vendor Homepage: http://get-simple.info Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/ Vendor: 4Enzo...

AI score: 0.3
Exploits: 0
Veracode
added 2021/04/26 7:32 a.m., 26 views

Certificate Validation Bypass

xmlhttprequest-ssl is vulnerable to certificate validation bypass. The vulnerability exists because rejectUnauthorized is set to false by default, leading to bypass of certificate validation in the https.request function of Node.js...

CVSS: 9.4 | AI score: 2.6 | EPSS: 0.00183
Exploits: 1 | References: 5 | Affected Software: 1
RedhatCVE
added 2021/04/23 7:43 p.m., 31 views

CVE-2021-31597

A flaw was found in xmlhttprequest-ssl for Node.js. SSL certificate validation is disabled by default, because rejectUnauthorized, when the property exists but is undefined, is considered to be false within the https.request function of Node.js; thus, no certificate is ever rejected. The highest...

CVSS: 9.4 | AI score: 2.2 | EPSS: 0.00183
Exploits: 1 | References: 3
OSV
added 2021/04/23 12:15 a.m., 1 views

AZL-45213 CVE-2021-31597 affecting package js-jquery 3.5.0-4

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

CVSS: 9.4 | AI score: 7.3 | EPSS: 0.00183
Exploits: 1 | References: 1
NVD
added 2021/04/23 12:15 a.m., 13 views

CVE-2021-31597

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

CVSS: 9.4 | EPSS: 0.00183
Exploits: 1 | References: 4
OSV
added 2021/04/23 12:15 a.m., 18 views

CVE-2021-31597

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

CVSS: 9.4 | AI score: 6.6 | EPSS: 0.00183
Exploits: 1 | References: 4
Prion
added 2021/04/23 12:15 a.m., 17 views

Input validation

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

CVSS: 7.5 | AI score: 9.1 | EPSS: 0.00183
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2021/04/23 12:15 a.m., 0 views

UBUNTU-CVE-2021-31597

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

CVSS: 9.4 | AI score: 5.8 | EPSS: 0.00183
Exploits: 1 | References: 5
Cvelist
added 2021/04/22 11:52 p.m., 18 views

CVE-2021-31597

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized when the property exists but is undefined is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected...

AI score: 9.5 | EPSS: 0.00183
Exploits: 1 | References: 4
CVE
added 2021/04/22 11:52 p.m., 91 views

CVE-2021-31597

The CVE-2021-31597 entry concerns the xmlhttprequest-ssl package for Node.js before version 1.6.1, which disables SSL certificate validation by default because rejectUnauthorized is treated as false when undefined. This allows potential MITM-style exposure since certificates are not rejected. Aff...

CVSS: 9.4 | AI score: 9.1 | EPSS: 0.00183
Exploits: 1 | References: 4 | Affected Software: 1
CNNVD
added 2021/04/22 12:0 a.m., 2 views

Dan DeFelippi node-XMLHttpRequest Trust Management Issue Vulnerability

Dan DeFelippi node-XMLHttpRequest is an open source application by Dan DeFelippi, used to simulate the browser XMLHttpRequest object. A trust management issue vulnerability exists in Node.js xmlhttprequest-ssl package versions prior to 1.6.1, which stems from the fact that no certificate will be...

CVSS: 9.4 | AI score: 8.2 | EPSS: 0.00183
Exploits: 1 | References: 9
Kitploit
added 2021/04/06 9:30 p.m., 45 views

Burpsuite-Copy-As-XMLHttpRequest - Copy As XMLHttpRequest BurpSuite Extension

The extension adds a context menu to BurpSuite that allows you to copy multiple requests as Javascript's XmlHttpRequest, which simplifies PoC development when exploiting XSS. Installation download the latest JAR from releases or build manually add JAR to burpsuite using tabs: "Extender" -...

AI score: 7.3
Exploits: 0 | References: 1
OSV
added 2021/04/05 7:15 p.m., 1 views

CVE-2021-24167

When visiting a site running Web-Stat 1.4.0, the "wtswebstatloadinit" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookupWPaccount...

CVSS: 7.5 | AI score: 7
Exploits: 0 | References: 1