359 matches found
Server side request forgery (ssrf)
A security issue was discovered in Z-BlogPHP = 1.7.2. A Server-Side Request Forgery SSRF vulnerability in the zbusers/plugin/UEditor/php/actioncrawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter...
CVE-2022-38931
A Server-Side Request Forgery SSRF in fetchnetfileupload function of baijiacmsV4 v4.1.4 allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the url parameter...
CVE-2022-40357
A security issue was discovered in Z-BlogPHP = 1.7.2. A Server-Side Request Forgery SSRF vulnerability in the zbusers/plugin/UEditor/php/actioncrawler.php file allows remote attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the source parameter...
PT-2022-24620 · Unknown · Baijiacmsv4
Name of the Vulnerable Software and Affected Versions: baijiacmsV4 version 4.1.4 Description: A Server-Side Request Forgery SSRF issue exists in the fetch net file upload function, allowing remote attackers to force the application to make arbitrary requests by injecting arbitrary URLs into the u...
U.S. Dept Of Defense: stored cross site scripting in https://███████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q13787 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...
U.S. Dept Of Defense: stored cross site scripting in https://████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q13794 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...
U.S. Dept Of Defense: stored cross site scripting in https://██████████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q13779 payload: %22%27%3e%3csvg%2fonload%3dconfirm666%3e Impact Cookie Stealing - A...
U.S. Dept Of Defense: stored cross site scripting in https://████████.edu
A stored cross-site scripting XSS vulnerability was discovered in the ████████.edu website. This vulnerability allowed an attacker to inject and execute malicious scripts on a victim's browser, potentially leading to cookie theft, arbitrary requests, malware downloads, or website defacement...
Showmax: Reflected XSS at https://stories.showmax.com/wp-content/themes/theme-internal_ss/blocks/ajax/a.php via `ss_country_filter` param
Summary: A Reflected XSS issue at https://stories.showmax.com/. Description: This issue was found at https://stories.showmax.com/wp-content/themes/theme-internalss/blocks/ajax/b.php page. But, as I understand the last part of pathname a.php can be different. For example b.php also working. Maybe ...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q21675 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
U.S. Dept Of Defense: stored cross site scripting in https://█████████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q21677 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q21655 Impact Cookie Stealing - A malicious user can steal cookies and use them to gai...
U.S. Dept Of Defense: stored cross site scripting in https://██████████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 q21671= Impact Cookie Stealing - A malicious user can steal cookies and use them to ga...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 Impact Cookie Stealing - A malicious user can steal cookies and use them to gain acces...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. poc attached another parameter at 1636345 Year Group Military Only Impact Cookie Stealing - A malicious user can steal cookies a...
Siemens SIMATIC eaSie Authentication Error Vulnerability
SIMATIC eaSie, the digital assistant for automation and process control technology in the Siemens Automation Concept "Total Integrated Automation", is vulnerable to an authentication error that could be exploited by a remote, unauthenticated attacker to send arbitrary messages to the service,...
U.S. Dept Of Defense: Reflected cross site scripting in https://███████
It was observed that the application is vulnerable to cross-site scripting XSS. XSS is a type of attack that involves running a malicious scripts on a victim’s browser. request.txt attacked poc attached Impact Cookie Stealing - A malicious user can steal cookies and use them to gain access to the...
Default configuration
A vulnerability has been identified in SIMATIC eaSie Core Package All versions V22.00. The underlying MQTT service of affected systems does not perform authentication in the default configuration. This could allow an unauthenticated remote attacker to send arbitrary messages to the service and...
Server-Side Request Forgery in link-preview-js
The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery SSRF which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection...
CVE-2022-31386
A Server-Side Request Forgery SSRF in the getFileBinary function of nbnbk cms 3 allows attackers to force the application to make arbitrary requests via injection of arbitrary URLs into the URL parameter...