EUVD-2022-34363

Malicious code in bioql PyPI...

Malicious users can exploit NameEncoder vulnerability to forge arbitrary names

Lines of code Vulnerability details Impact A malicious user can spoof NameEncoder.dnsEncodeName by forging a name to impersonate any other name, which can lead to faulty contract logic or even theft of someone else's name. Proof of Concept The function NameEncoder.dnsEncodeName is used to convert...

Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF

The plugin does not have CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged in admin import arbitrary names with XSS payloads in them. PoC As admin, Import the following CSV...

ipa: Insufficient permission check in certprofile-mod

It was found that IdM's certprofile-mod command did not properly check the user's permissions while modifying certificate profiles. An authenticated, unprivileged attacker could use this flaw to modify profiles to issue certificates with arbitrary naming or key usage information and subsequently...

CVE-2014-2044

Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream ADS syntax in the filename...