GO-2022-0411 Insufficient randomness in github.com/Masterminds/goutils
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by...
Incorrect Authorization in Dolibarr
core/getmenudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter...
GHSA-4X63-3P7Q-XMH7 Jenkins HTML Publisher Plugin path traversal vulnerability
A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master. In version 1.16, non-alphanumeric characters in report names a...
Advanced Comment System 1.0 - Remote Command Execution (RCE)
Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE) Date: November 30, 2021 Exploit Author: Nicole Daniella Murillo Mejias Version: Advanced Comment System 1.0 Tested on: Linux #!/usr/bin/env python3 DESCRIPTION: Commands are Base64 encoded and sent via POST requests to the...
Advanced Comment System 1.0 - Remote Command Execution Exploit
Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE) Exploit Author: Nicole Daniella Murillo Mejias Version: Advanced Comment System 1.0 Tested on: Linux #!/usr/bin/env python3 DESCRIPTION: Commands are Base64 encoded and sent via POST requests to the vulnerable application, t...
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
oooooooq reports: The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, CGI::Cookie.parse no longer decodes cookie names...
Lark Technologies: Able to steal private files by manipulating response using Auto Reply function of Lark
An IDOR (Insecure Direct Object Reference) vulnerability was found within the "AutoReply" functions of Lark. This vulnerability could have allowed malicious users to fetch the files of other users if they knew the specific file ID, which was an alphanumeric value. We thank @imrannisar for reporting...
Session Fixation in Subrion CMS
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie...
GHSA-QPXW-6473-PPWW Session Fixation in Subrion CMS
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie...
CVE-2020-28898
In QED ResourceXpress through 4.9k, a large numeric or alphanumeric value submitted in specific URL parameters causes a server error in script execution due to insufficient input validation...
Security update for hawk2 (important)
openSUSE Security Update: Security update for hawk2 Announcement ID: openSUSE-SU-2021:0473-1 Rating: important References: 1179999 1182165 1182166 Cross-References: CVE-2020-35459 CVE-2021-25314 CVSS scores: CVE-2020-35459 NVD : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2020-35459 SUSE...
SUSE-SU-2021:0943-1 Security update for hawk2
This update for hawk2 fixes the following issues: - Update to version 2.6.3: Remove hawkinvoke and use capture3 instead of runas (bsc#1179999, CVE-2020-35459); Remove unnecessary chmod (bsc#1182166, CVE-2021-25314); Sanitize filename to contain only whitelisted alphanumeric characters (bsc#1182165)...
CVE-2021-25138
| creationtimestamp | type | source |
|---|---|---|
| 2021-01-29 23:25:23+00:00 | seen | https://t.me/cibsecurity/22867... |
Lark Technologies: IDOR Allows Viewer to Delete Bin's Files
An IDOR (Insecure Direct Object Reference) vulnerability was found where, if a user with only view permissions knew the alphanumeric token of a folder, they could permanently delete it from an admin's bin. We thank @snapsec for reporting this to our team...
Basecrack - Best Decoder Tool For Base Encoding Schemes
BaseCrack is a tool written in Python that can decode all alphanumeric base encoding schemes. This tool can accept single user input, multiple inputs from a file, input from argument, multi-encoded bases and decode them incredibly fast. Decode Base16, Base32, Base36, Base58, Base62, Base64,...
CVE-2020-12669
core/getmenudiv.php in Dolibarr before 11.0.4 allows remote authenticated attackers to bypass intended access restrictions via a non-alphanumeric menu parameter...
CVE-2020-12467
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie...
Session fixation
Subrion CMS 4.2.1 allows session fixation via an alphanumeric value in a session cookie...
Design/Logic Flaw
React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alphanumeric IDs, which might make it easier for remote attackers to interfere with COVID-19 contact tracing by using many IDs. NOTE: the vendor disputes the relevance of this report because the recipient of an F1 alert will know it...