EUVD-2013-4368
Malware in sbrugna...
EUVD-2022-25101
Malicious code in bioql PyPI...
CVE-2022-1825
Cross-site Scripting XSS - Reflected in GitHub repository collectiveaccess/providence prior to 1.8...
CVE-2013-4507
Cross-site scripting XSS vulnerability in CollectiveAccess Providence and Pawtucket before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2022-1825 Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Cross-site Scripting XSS - Reflected in GitHub repository collectiveaccess/providence prior to 1.8...
CVE-2022-1825
CVE-2022-1825: Reflected XSS in Providence (CollectiveAccess) before version 1.8. Exploitation occurs via reflected user input; impact is limited to confidentiality/integrity with MEDIUM severity (CVSS 3.1: 5.4). No explicit exploit details provided in the supplied documents. Affected product is ...
Providence cross-site scripting vulnerability
Providence is the "back-end" component of CollectiveAccess, a set of web-based applications from the CollectiveAccess community in the United States. A security vulnerability exists in Providence versions prior to 1.8, stemming from a cross-site scripting flaw...
Open Redirect in collectiveaccess/providence
Description I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page. Vulnerable parameter redirect Payload https://demo.collectiveaccess.org.example.com Proof of Concept Send users the following login link...
Improper Authorization in collectiveaccess/pawtucket2
Description Users without any read access to a lightbox can still view its contents by incrementing the id. Proof of Concept ... http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/1 http://10.0.2.15/pawtucket/index.php/Lightbox/Present/setid/2...
in collectiveaccess/pawtucket2
Description With reference to this report: https://www.huntr.dev/bounties/9708c444-2cf2-4aed-8188-1dc7def05ba1/, it should be replicated with proper cache-control. Proof of Concept Example of sensitive data: 1. Log in to the application dashboard. 2. Go to the lightbox page. 3. Click logout. 4. Click the go back button to see group...
Cross-Site Request Forgery (CSRF) in collectiveaccess/pawtucket2
Description The following endpoints are vulnerable to CSRF attacks via GET requests even though they use AJAX: 1: Delete lightbox 2: Delete comments 3: Create comments 4: Create comments on objects 5: Add items into lightbox 6: Delete items from lightbox Proof of Concept Copy and paste the...
Improper Access Control in collectiveaccess/pawtucket2
Description After the previous patch fix, users can join the Root group by specifying http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Proof of Concept http://PAWTUCKET-URL/pawtucket/index.php/LoginReg/joinGroup/groupcode/ Impact Attackers can join the Root group without bei...
in collectiveaccess/providence
Description Sensitive data can be exposed even after logging out of the application due to a wrong UI action. Proof of Concept 1. Log in to the application dashboard https://demo.collectiveaccess.org 2. Go to any page (dashboard, administration, etc.) 3. Click logout 4. Click the browser back button. Impact Any other...
Server-Side Request Forgery (SSRF) in collectiveaccess/providence
Description An authenticated, blind SSRF vulnerability exists in CollectiveAccess. Requires edit access; tested with the default cataloguer account. Proof of Concept As the 'cataloguer' user: Step 1. Create a new object with the title: Step 2. After submitting this object, browse for objects in...
Cross-site Scripting (XSS) - Stored in collectiveaccess/providence
Description Stored XSS via event name. Proof of Concept Please check this 1-minute video to reproduce the bug: https://drive.google.com/file/d/1iMDosuZYYmFyJEVxXo7KB09TghKPs-7/view?usp=sharing Here I use the XSS payload below: xss2"'onmouseover=prompt;// Impact Stored XSS...
Cross-site Scripting (XSS) - Reflected in collectiveaccess/providence
Description Reflected XSS in the Search form. Proof of Concept // PoC.js POST /find/QuickSearch/Index HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=5b9d06b7-3860-477d-9d53-85e6b2b1ae99; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93.0 Gecko/20100101...
Open Redirect in collectiveaccess/providence
Description Open Redirect on login with the parameter ?redirect=. Proof of Concept // PoC.request POST /system/Auth/DoLogin HTTP/1.1 Host: demo.collectiveaccess.org Cookie: cademo=ea7632ab-0ad8-4b0f-939f-9e292f232ff6; CAcademouilocale=enUS User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:93...