Hardcoded credentials
An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. An attacker can download a copy of the installer, decompile it, and discover a hardcoded IV used to encrypt the username and userid in the comment POST request. Additionally, the attacker can decrypt the encrypted...
Cross-site scripting
An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. The comment posting functionality allows an attacker to add an XSS payload to the JSON request that will execute when users visit the page with the comment...
CVE-2021-33484
OnyakTech Comments Pro 3.8 is affected in its CommentsService.ashx. An attacker can decompile the installer to find a hardcoded IV used to encrypt usernames and user IDs in the comment POST request, and can decrypt the encryption key by setting the encrypted value as the username, revealing the d...
CVE-2021-33483
An issue was discovered in CommentsService.ashx in OnyakTech Comments Pro 3.8. The comment posting functionality allows an attacker to add an XSS payload to the JSON request that will execute when users visit the page with the comment...
OnyakTech Comments Pro cross-site scripting vulnerability
OnyakTech Comments Pro has been building DNN modules since 2003. A cross-site scripting vulnerability exists in OnyakTech Comments Pro, which stems from the comment function in the product's CommentsService.ashx page not securely validating JSON requests. The vulnerability can be exploited to...