
Prion
added 2019/05/09 5:29 p.m. · 15 views

Cross site request forgery (csrf)

Metinfo 5.3.18 is affected by Cross Site Request Forgery (CSRF). The impact is: Information Disclosure (remote). The component is: admin/index.php. The attack vector is: the administrator clicks on the malicious link while logged in...

CVSS 4.3 · AI score 6.4 · EPSS 0.00678
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2019/05/09 5:06 p.m. · 28 views

CVE-2017-12761

http://codecanyon.net/user/Endober WebFile Explorer 1.0 is affected by SQL Injection. The impact is: Arbitrary File Download (remote). The component is: `$file = $_GET['id']` in download.php. The attack vector is:...

AI score 7.8 · EPSS 0.02533
Exploits 1 · References 4
CNVD
added 2019/05/08 12:00 a.m. · 2 views

Arbitrary File Deletion Vulnerability in Acme CMS

Acme CMS is a full-featured CMS building system with a PHP + MySQL architecture, multi-language support and responsive display, suitable for building personal websites. Acme CMS has an arbitrary file deletion vulnerability: attackers can construct packets sent to the server so as to delete arbitrary files,...

AI score 7.1
Exploits 0
Tenable Nessus
added 2019/05/07 12:00 a.m. · 36 views

Amazon Linux AMI : python34 (ALAS-2019-1202)

Python is affected by Improper Handling of Unicode Encoding with an incorrect netloc during NFKC normalization. The impact is information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack...

CVSS 9.8 · AI score 7 · EPSS 0.08811
Exploits 1 · References 3
Veracode
added 2019/05/02 5:45 a.m. · 22 views

Denial Of Service (DoS)

libtiff is vulnerable to a heap-based buffer overflow. Remote attackers can cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles, in the loadImage function in tiffcrop.c. loadImage reads the number of tiles by calling...

CVSS 7.8 · AI score 8.1 · EPSS 0.03885
Exploits 0 · References 13 · Affected Software 1
Joomla! Vulnerable Extensions List
added 2019/04/29 12:00 a.m. · 90 views

[20190501] - Core - XSS in com_users ACL debug views

The debug views of com_users do not properly escape user-supplied data, which leads to a potential XSS attack vector...

CVSS 6.1 · AI score 2.8 · EPSS 0.00793
Exploits 0 · Affected Software 1
CVE
added 2019/04/25 6:18 p.m. · 46 views

CVE-2019-9669

The documents describe CVE-2019-9669 as affecting Wordfence WordPress plugin version 7.2.3, indicating a potential XSS via a unique attack vector. The root discussion notes that firewall rules are hosted separately and pushed to the plugin, and that bypassing a WAF rule may not constitute a softw...

CVSS 6.1 · AI score 5.9 · EPSS 0.01013
Exploits 1 · References 1 · Affected Software 1
OSV
added 2019/04/21 2:29 a.m. · 2 views

UBUNTU-CVE-2019-11391

DISPUTED: An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with $a at the beginning and nested repetition operators. NOTE: t...

CVSS 5.3 · AI score 5.8 · EPSS 0.01625
Exploits 1 · References 3
CNVD
added 2019/04/16 12:00 a.m. · 1 view

WPA Authorization Issues Vulnerabilities

WPA is a set of Wi-Fi access protection schemes from the Wi-Fi Alliance (USA), including security protocols and security authentication procedures. There is a security vulnerability in the implementation of WPA. An attacker can exploit the vulnerability to gain access to sensitive information...

CVSS 8.1 · AI score 9.4 · EPSS 0.05372
Exploits 0 · References 1
myhack58
added 2019/04/16 12:00 a.m. · 158 views

.NET Advanced Code Audit (Part 9): BinaryFormatter Deserialization Vulnerability - Vulnerability Warning - The Black Bar Safety Net

The BinaryFormatter and SoapFormatter classes differ in the format of the data streams they produce; otherwise their features are about the same. BinaryFormatter is located in the namespace System.Runtime.Serialization.Formatters.Binary and serializes objects directly in binary form; the obje...

AI score 2.1
Exploits 0
myhack58
added 2019/04/11 12:00 a.m. · 419 views

.NET Advanced Code Audit (Part 6): DataContractSerializer Deserialization Vulnerability - Vulnerability Warning - The Black Bar Safety Net

The DataContractSerializer class is used for serialization and deserialization in Windows Communication Foundation (WCF) messages: the data to be sent is serialized from CLR data types into an XML stream. It is located in the namespace System.Runtime.Serialization and inherits from the System...

AI score 0.7
Exploits 0
OSV
added 2019/04/09 5:29 p.m. · 2 views

CVE-2018-19589

Incorrect Access Controls of Security Officer (SO) in the PKCS11 R2 provider that ships with the Utimaco CryptoServer HSM product package allow an SO authenticated to a slot to retrieve attributes of keys marked as private keys in external key storage, and also delete keys marked as private keys in...

CVSS 6.5 · AI score 5.7 · EPSS 0.00675
Exploits 1 · References 2
Positive Technologies
added 2019/04/04 12:00 a.m. · 4 views

PT-2019-11695 · Jenkins · Jenkins Kmap Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Kmap Plugin (affected versions not specified). Description: A missing permission check in the KmapJenkinsBuilder.DescriptorImpl form validation methods of the Jenkins Kmap Plugin allows attackers with Overall/Read permission to initiate ...

CVSS 6.5 · AI score 6.2 · EPSS 0.01486
Exploits 0 · References 5
Positive Technologies
added 2019/04/04 12:00 a.m. · 4 views

PT-2019-11381 · Jenkins · Jenkins Soasta Cloudtest Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins SOASTA CloudTest Plugin (affected versions not specified). Description: A missing permission check in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a...

CVSS 6.5 · AI score 6.2 · EPSS 0.01486
Exploits 0 · References 5
ThreatPost
added 2019/04/02 3:48 p.m. · 93 views

Mobile-First Phishing Kit Targets Verizon Customers

As people increasingly go mobile-first in their work and personal lives, cybercrime is keeping up: The latest is a phishing kit that specifically targets Verizon Wireless customers in the U.S. According to Jeremy Richards, a researcher at Lookout Security, the kit pushes phishing links to users v...

AI score 1
Exploits 0 · References 8
Tenable Nessus
added 2019/04/02 12:00 a.m. · 34 views

EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1149)

According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability: Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by Improper Handling of Unicode Encoding with an incorrect netloc during NFKC...

CVSS 9.8 · AI score 7.3 · EPSS 0.08811
Exploits 0 · References 2
ThreatPost
added 2019/04/01 5:45 p.m. · 66 views

Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps

Google is reporting an uptick in efforts by bad actors to plant potentially harmful applications (PHAs) on Android devices via pre-installed apps and by bundling them with system updates delivered over the air. The technique is especially troubling, Google said, because PHAs are often malicious and...

AI score 0.2
Exploits 0 · References 3
Prion
added 2019/03/15 4:29 p.m. · 10 views

Design/Logic Flaw

Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password including the default "admin" account, without prior knowledge of their password. All that is required is knowledge of the...

CVSS 5 · AI score 9.6 · EPSS 0.01408
Exploits 1 · References 2 · Affected Software 2
OSV
added 2019/03/15 4:29 p.m. · 2 views

CVE-2018-19392

Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password including the default "admin" account, without prior knowledge of their password. All that is required is knowledge of the...

CVSS 9.8 · AI score 5.8 · EPSS 0.01408
Exploits 1 · References 2
CNVD
added 2019/03/14 12:00 a.m. · 1 view

SAP J2EE Engine Cross-Site Scripting Vulnerability (CNVD-2019-07213)

SAP J2EE Engine is a set of runtime environments for J2EE applications. A cross-site scripting vulnerability exists in SAP J2EE Engine. An attacker can exploit the vulnerability to conduct a cross-site scripting attack...

AI score 6.2
Exploits 0 · References 1