Lucene search

13 matches found

Gitee
added 2025/07/27 4:13 a.m. | 134 views

Exploit for Cross-site Scripting in Atmail

AWAE/OSWE Preparation for coming AWAE Training. Work in progress... Atmail Mail Server Appliance: from XSS to RCE 6.4 CVE-2012-2593 - https://www.exploit-db.com/exploits/20009 - https://github.com/sourceincite/poc/blob/master/SRC-2016-0012.py ATutor Authentication Bypass and RCE 2.2.1 CVE-2016-25...

10 CVSS | 7.6 AI score | 0.94293 EPSS
Exploits: 18

Veracode
added 2018/02/23 4:0 a.m. | 8 views

Regular Expression Denial Of Service (ReDoS)

bassmaster is vulnerable to regular expression denial of service (ReDoS) attacks. These attacks are possible because the regex used to check pipelines for valid URLs can be given an extremely large string, making the application hang...

6.6 AI score
Exploits: 0

OSV
added 2017/10/24 6:33 p.m. | 0 views

GHSA-5J3G-JFQ3-7JWX Arbitrary JavaScript Execution in bassmaster

A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation: Update to bassmaster version 1.5.2 or greater...

10 CVSS | 7.3 AI score | 0.84242 EPSS
Exploits: 6 | References: 9

vulnersOsv
added 2017/10/24 6:33 p.m. | 1 views

starcount-common (>=0.0.1 <=0.0.7) potentially affected by CVE-2014-7205 via bassmaster (=0.0.2)

bassmaster NPM version =0.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on bassmaster and may be impacted:
- starcount-common >=0.0.1, <=0.0.7
Source CVEs: CVE-2014-7205
Source advisory: OSV:GHSA-5J3G-JFQ3-7JWX...

10 CVSS | 7.2 AI score | 0.84242 EPSS
Exploits: 6

Github Security Blog
added 2017/10/24 6:33 p.m. | 58 views

Arbitrary JavaScript Execution in bassmaster

A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation: Update to bassmaster version 1.5.2 or greater...

10 CVSS | 6.3 AI score | 0.84242 EPSS
Exploits: 6 | References: 8 | Affected Software: 1

Check Point Advisories
added 2017/02/23 12:0 a.m. | 4 views

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution (CVE-2014-7205)

An un-authenticated code injection vulnerability exists in the Bassmaster Nodejs plugin for Hapi. The vulnerability is due to improper input validation within the batch endpoint. Successful exploitation could allow an attacker to execute arbitrary code...

10 CVSS | 3.1 AI score | 0.84242 EPSS
Exploits: 6

Exploit DB
added 2016/11/02 12:0 a.m. | 41 views

Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit)

require 'msf/core' class MetasploitModule 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution', 'Description' = %q This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and...

10 CVSS | 7.4 AI score | 0.84242 EPSS
Exploits: 6

Packet Storm
added 2016/10/30 12:0 a.m. | 48 views

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution

require 'msf/core' class MetasploitModule 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution', 'Description' = %q This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and...

10 CVSS | 0.1 AI score | 0.84242 EPSS
Exploits: 6

0day.today
added 2016/10/29 12:0 a.m. | 34 views

Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution Exploit

This module exploits an un-authenticated code injection vulnerability in the bassmaster nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an attacker to dynamically execute JavaScript code on the server side using an eval. Note that the code uses a '\x2f' character...

10 CVSS | 0.1 AI score | 0.84242 EPSS
Exploits: 6

Openbugbounty
added 2016/06/25 1:36 p.m. | 10 views

bassmaster.com XSS vulnerability

Vulnerable URL: https://www.bassmaster.com/?query="-alert'OPENBUGBOUNTY'-"

Details:

Description | Value
---|---
Patched: | No
Latest check for patch: | 27.07.2017
Vulnerability type: | XSS
Vulnerability status: | Publicly disclosed
Alexa Rank | 50847
VIP website status: | No

Check bassmaster.com SSL...

6.3 AI score
Exploits: 0

Node.js
added 2015/10/17 7:41 p.m. | 30 views

Arbitrary JavaScript Execution

Overview: A vulnerability exists in bassmaster <= 1.5.1 that allows for an attacker to provide arbitrary JavaScript that is then executed server side via eval. Recommendation: Update to bassmaster version 1.5.2 or greater. References: - Commit b751602 - GitHub Advisory...

10 CVSS | 6.3 AI score | 0.84242 EPSS
Exploits: 6 | Affected Software: 1

CVE
added 2014/10/08 5:0 p.m. | 56 views

CVE-2014-7205

The Bassmaster Node.js plugin for the Hapi server contains CVE-2014-7205: an eval-based injection in the internals.batch function (lib/batch.js) before version 1.5.2, enabling remote arbitrary JavaScript execution. Documents show affected version range is bassmaster

10 CVSS | 7.9 AI score | 0.84242 EPSS
Exploits: 6 | References: 6 | Affected Software: 1

Cvelist
added 2014/10/08 5:0 p.m. | 18 views

CVE-2014-7205

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary JavaScript code via unspecified vectors...

7.7 AI score | 0.84242 EPSS
Exploits: 6 | References: 6