Lucene search
K

84 matches found

CVE
CVE
added 2021/10/27 8:30 p.m.55 views

CVE-2021-41191

Summary of CVE-2021-41191 Roblox-Purchasing-Hub (open-source) had a vulnerability in versions 1.0.1 and earlier allowing someone who has another user’s API URL to obtain product files without an API key. The issue has been fixed in version 1.0.2. A workaround mentioned in the sources is to add an...

7.5CVSS7.3AI score0.01327EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2021/03/30 12:0 a.m.6 views

Jonathan Carter gistpad 安全漏洞

Jonathan Carter gistpad is an application open-sourced by Jonathan Carter. A Visual Studio Code extension that makes it easy to edit GitHub Gist and repositories from your favorite editor. A security vulnerability exists in GistPad before 0.2.7 that allows a crafted workspace folder to change the...

5.3CVSS5.8AI score0.00944EPSS
Exploits0References3
Hacker One
Hacker One
added 2020/06/03 4:59 p.m.102 views

h1-ctf: [H1-2006 2020] "Swiss Cheese" design style leads to helping Mårten Mickos pay poor hackers

Summary: Several vulnerabilities in the bountypay application leads to unauthorised access, information disclosure, SSRF and other fun stuff. Steps To Reproduce: This is how I helped Mårten Mickos pay the poor hackers who had been waiting so long for their bounties. First part: Web I started by...

6.5AI score
Exploits0
Prion
Prion
added 2020/06/03 1:15 p.m.16 views

Code injection

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure...

4CVSS6.3AI score0.00798EPSS
Exploits0References2Affected Software1
AlpineLinux
AlpineLinux
added 2020/06/03 12:40 p.m.27 views

CVE-2020-2198

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure...

6.5CVSS3.1AI score0.00798EPSS
Exploits0References2
NVD
NVD
added 2019/12/27 7:15 p.m.14 views

CVE-2014-4558

Cross-site scripting XSS vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the apiurl parameter...

6.1CVSS6.1AI score0.04055EPSS
Exploits2References1
Prion
Prion
added 2019/12/27 7:15 p.m.10 views

Cross site scripting

Cross-site scripting XSS vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the apiurl parameter...

4.3CVSS6.3AI score0.04055EPSS
Exploits2References1Affected Software1
NVD
NVD
added 2019/12/27 2:15 p.m.13 views

CVE-2014-4559

Multiple cross-site scripting XSS vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 apikey, 2 paymentpageurl, 3 merchantid, 4 apiurl, or 5 currency parameter...

6.1CVSS6.2AI score0.01163EPSS
Exploits2References1
Cvelist
Cvelist
added 2019/12/27 1:56 p.m.16 views

CVE-2014-4559

Multiple cross-site scripting XSS vulnerabilities in test-plugin.php in the Swipe Checkout for WP e-Commerce plugin 3.1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 apikey, 2 paymentpageurl, 3 merchantid, 4 apiurl, or 5 currency parameter...

6.2AI score0.01163EPSS
Exploits2References1
NVD
NVD
added 2019/04/11 3:29 p.m.12 views

CVE-2019-3916

Information disclosure vulnerability in Verizon Fios Quantum Gateway G1100 firmware version 02.01.00.05 allows an remote, unauthenticated attacker to retrieve the value of the password salt by simply requesting an API URL in a web browser e.g. /api...

7.5CVSS7.5AI score0.02057EPSS
Exploits0References1
Cvelist
Cvelist
added 2019/04/11 2:12 p.m.11 views

CVE-2019-3916

Information disclosure vulnerability in Verizon Fios Quantum Gateway G1100 firmware version 02.01.00.05 allows an remote, unauthenticated attacker to retrieve the value of the password salt by simply requesting an API URL in a web browser e.g. /api...

7.5AI score0.02057EPSS
Exploits0References1
CVE
CVE
added 2019/04/11 2:12 p.m.52 views

CVE-2019-3916

The CVE-2019-3916 information-disclosure flaw affects Verizon Fios Quantum Gateway (G1100) with firmware 02.01.00.05, allowing an unauthenticated remote attacker to retrieve the password salt via a simple API URL request (e.g., /api). Documents corroborate that this salt could enable offline pass...

7.5CVSS7.4AI score0.02057EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2019/03/25 7:29 p.m.20 views

Authentication flaw

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dirlogin.asp and use an API URL /goform/form2userconfig.cgi to edit the system account without authentication...

5CVSS9.3AI score0.01514EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2019/03/25 6:3 p.m.32 views

CVE-2019-10040

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dirlogin.asp and use a hidden API URL /goform/SystemCommand to execute a system command without authentication...

9.7AI score0.02522EPSS
Exploits1References1
Cvelist
Cvelist
added 2019/03/25 6:3 p.m.21 views

CVE-2019-10039

The D-Link DIR-816 A2 1.11 router only checks the random token when authorizing a goform request. An attacker can get this token from dirlogin.asp and use an API URL /goform/setSysAdm to edit the web or system account without authentication...

9.4AI score0.01868EPSS
Exploits1References1
Prion
Prion
added 2018/08/24 7:29 p.m.14 views

Hardcoded credentials

An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password "admin:password" is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission...

10CVSS9.2AI score0.01455EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2018/08/24 7:0 p.m.25 views

CVE-2017-12577

An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password "admin:password" is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission...

9.5AI score0.01455EPSS
Exploits1References1
CVE
CVE
added 2018/08/24 7:0 p.m.56 views

CVE-2017-12577

CVE-2017-12577 affects PLANEX CS-QR20 (version 1.30). The Android app ships a hardcoded credential (admin:password) that can be used to access a hidden API URL /goform/SystemCommand, enabling an attacker to execute arbitrary commands with root privileges. This is tied to the Web UI component and ...

10CVSS9.3AI score0.01455EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2017/10/04 1:0 a.m.18 views

CVE-2017-1000091

GitHub Branch Source Plugin connects to a user-specified GitHub API URL e.g. GitHub Enterprise as part of form validation and completion e.g. to verify Scan Credentials are correct. This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect...

6.4AI score0.00641EPSS
Exploits0References1
Openbugbounty
Openbugbounty
added 2017/07/05 5:17 a.m.8 views

tour-ethno.com XSS vulnerability

Vulnerable URL: https://www.tour-ethno.com/modules/api/prise.php?page="--!" Details: Description| Value ---|--- Patched:| No Latest check for patch:| 16.08.2017 Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| 1742119 VIP website status:| No Check tour-ethno.com SSL...

6.3AI score
Exploits0
Rows per page
Query Builder