19 matches found
CVE-2026-41141 EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...
CVE-2026-41141
EspoCRM prior to 9.3.5 is vulnerable via POST /api/v1/EmailTemplate/:id/prepare where providing an emailAddress lets an authenticated user with EmailTemplate read permission resolve the owning entity (Contact/Lead/Account/User) without ACL checks, leaking all field values and bypassing read: own/...
IP 跨站脚本漏洞
IP is an open-source IP address query and display tool developed by th30d4y. Versions of IP from 1.0.1 to 2.0.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient cleaning of user input, which could lead to cross-site scripting attacks based on DOM...
Malicious code in amplitude-ma-ts (npm)
npm stealer. Hardcoded Discord webhook id 1497047226428690432 in postinstall Folder/bin/S.js. Exfils hostname, whoami, pwd, publicip api.ipify.org, /etc/hosts via Discord embed. v1.0.21 empty placeholder, v1.0.22 shipped payload — name-squat-then-poison. Typosquats @amplitude/ analytics scope...
UBUNTU-CVE-2022-50240
In the Linux kernel, the following vulnerability has been resolved: android: binder: stop saving a pointer to the VMA Do not record a pointer to a VMA outside of the mmaplock for later use. This is unsafe and there are a number of failure paths after the recorded VMA pointer may be freed during...
peda
This repository is an offensive tool for exploit development. It is a Python Exploit Development Assistance for GDB PED A, which is a script that helps speed up the exploit development process on Linux/Unix. The tool is designed to work with GDB 7.x and Python 2.6+. The tool has various features,...
DEBIAN-CVE-2023-4813
A flaw has been identified in glibc. In an uncommon situation, the gaihinet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with...
SUSE CVE-2020-14354
A possible use-after-free and double-free in c-ares lib version 1.16.0 if aresdestroy is called prior to aresgetaddrinfo completing. This flaw possibly allows an attacker to crash the service that uses c-ares lib. The highest threat from this vulnerability is to this service availability...
Malicious code in fc-address-lookup (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5feb9e0be7037fdbecf7bb66bc86bef489c699497fb662d27506efc7f03889ca Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-330 Malicious code in fc-address-lookup (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5feb9e0be7037fdbecf7bb66bc86bef489c699497fb662d27506efc7f03889ca Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CWA for Android: We were unable to tunnel through the proxy
Viewer of CWA for Android fail to establish connection to VDA with below given error message We were unable to connect through the proxy. Error - 0 Logs show following error logs 02-10 05:44:55.989 1117 28821 W System.err: Caused by: android.system.GaiException: androidgetaddrinfo failed: EAINODA...
OESA-2021-1291 nodejs security update
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...
Command Injection
Overview macfromip is a module that gets a MAC address from a LAN IP address Affected versions of this package are vulnerable to Command Injection. The injection points are located in lines 66 and 96 in macfromip.js. PoC var a = require"macfromip"; a.getMacInLinux"& touch JHU", function;...
ip-address-lookup-v4.com XSS vulnerability
Open Bug Bounty ID: OBB-385141 Description| Value ---|--- Affected Website:| ip-address-lookup-v4.com Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Remediation Guide:| OWASP XSS Preventio...
CentOS 6 : glibc (CESA-2015:0016)
Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System CVSS base scores, which give detailed severity ratings, are...
MGASA-2013-0228 Updated squid packages fix security vulnerabilities
Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger a buffer overflow in Squid, resulting in a termination of the Squid...
CVE-2006-7122
Cross-site scripting XSS vulnerability in the IP Address Lookup functionality in BSQ Sitestats component for Joomla 1.8.0, and possibly other versions before 2.2.1, allows remote attackers to inject arbitrary web script and HTML via the ip parameter...
CVE-2006-7122
CVE-2006-7122 is a cross-site scripting (XSS) issue in the IP Address Lookup of BSQ Sitestats for Joomla. Affects 1.8.0 and possibly earlier versions; vulnerable parameter: ip. Exploitation could inject arbitrary script/HTML. Remediation: upgrade to a version containing the fix (2.2.1) or apply t...
CVE-2006-7122
Cross-site scripting XSS vulnerability in the IP Address Lookup functionality in BSQ Sitestats component for Joomla 1.8.0, and possibly other versions before 2.2.1, allows remote attackers to inject arbitrary web script and HTML via the ip parameter...