126 matches found

EUVD
added 2026/04/21 7:58 p.m., 4 views

EUVD-2026-24485

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

CVSS 8.3, AI score 5.8, EPSS 0.00173
Exploits: 1, References: 2
CNNVD
added 2026/04/21 12:00 a.m., 5 views

WWBN AVideo Cross-Site Request Forgery Vulnerability

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the objects/configurationUpdate.json.php file, which protected the endpoint through...

CVSS 8.3, AI score 5.7, EPSS 0.00173
Exploits: 1, References: 1
OSV
added 2025/09/19 7:15 p.m., 3 views

CVE-2025-43803

Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...

CVSS 4.3, AI score 6.9, EPSS 0.00257
Exploits: 0, References: 1
Redos
added 2025/05/13 12:00 a.m., 4 views

ROS-2-274

2.274 Notification on update of the Red OS OPERATION SYSTEM MIS RU.29926343.02.01-01-24 RED SOFT LLC notifies about the completion of the testing procedure and release of the updated RED OS 7.3 distribution. In order to update your copy of RED OS to the current state, you need to perform a standa...

AI score 7.1
Exploits: 0
Packet Storm
added 2024/07/15 12:00 a.m., 149 views

WordPress PZ Frontend Manager 1.0.5 Cross Site Request Forgery

Exploit Title: pz-frontend-manager = 1.0.5 - CSRF change user profile picture Date: 2024-07-01 Exploit Author: Vuln Seeker Cybersecurity Team Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ Version: = 1.0.5 Tested on: Firefox Contact me: [email protected] The plugin does no...

AI score 7.4
Exploits: 0
OSV
added 2024/01/17 7:15 a.m., 5 views

CVE-2023-51725

This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Contact Email Address parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the...

CVSS 5.4, AI score 5.9, EPSS 0.00358
Exploits: 0, References: 1
Cvelist
added 2024/01/17 6:57 a.m., 20 views

CVE-2023-51725 Stored Cross Site Scripting Vulnerability in Skyworth Router

This vulnerability exists in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user-supplied input for the Contact Email Address parameter at its web interface. A remote attacker could exploit this vulnerability by supplying specially crafted input to the parameter at the...

CVSS 6.9, AI score 6.5, EPSS 0.00358
Exploits: 0, References: 1
CISA
added 2023/06/13 12:00 p.m., 3 views

CISA Issues BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces

Today, CISA issued Binding Operational Directive BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces, requiring Federal Civilian Executive Branch (FCEB) agencies to reduce risks posed by internet-exposed networked management interfaces on federal information systems. This...

AI score 6.8
Exploits: 0, References: 3
Vulnrichment
added 2022/12/26 12:00 a.m., 9 views

CVE-2022-37309

OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name...

AI score 6.1, EPSS 0.00538
Exploits: 2, References: 2
0day.today
added 2022/09/19 12:00 a.m., 203 views

WordPress GetYourGuide Ticketing 1.0.1 Cross Site Scripting Vulnerability

Exploit Title: WordPress Plugin ‘GetYourGuide Ticketing’ - Stored Cross-Site Scripting Exploit Author: Mariam Tariq - HunterSherlock Vendor Homepage: https://wordpress.org/plugins/search/GetYourGuide+Ticketing/ Version: 1.0.1 Tested on: Firefox Contact me: email protected Vulnerable code: " POC: ...

AI score 7.4
Exploits: 0
Huntr
added 2021/11/19 4:20 p.m., 12 views

in chatwoot/chatwoot

I'll explain it briefly: A contact is created with the email address "[email protected]" and we are writing about sensitive information. userIdentifer is required to be validated with hmac. Now a human, on the other side of the world, comes into the chat and is asked by the bot for his email...

AI score 0.4
Exploits: 0
Krebs on Security
added 2021/09/20 9:57 p.m., 45 views

Does Your Organization Have a Security.txt File?

It happens all the time: Organizations get hacked because there isn't an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn't entirely clear who should get the report when remote access to an organization's internal network is being so...

AI score 6.8
Exploits: 0
Github Security Blog
added 2020/10/19 8:40 p.m., 52 views

Ability to switch customer email address on account detail page and stay verified

Impact The user may register in a shop by email [email protected], verify it, change it to the mail [email protected] and stay verified and enabled. This may lead to having accounts addressed to totally different emails, that were verified. Note, that this way one is not able to take over any...

CVSS 4.3, AI score 1.2, EPSS 0.0062
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2020/10/06 2:24 p.m., 1 view

GHSA-2Q4G-W47C-4674 Unpreventable top-level navigation

Impact The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. Patches 11.0.0-beta.1 10.0.1 9.3.0 8.5.1 Workarounds Sandbox all your iframes using the...

CVSS 7.5, AI score 5.9, EPSS 0.01324
Exploits: 0, References: 4
0day.today
added 2020/07/08 12:00 a.m., 191 views

ClearPass Policy Manager Unauthenticated Remote Command Execution Exploit

!/usr/bin/env bash ClearPass Policy Manager Unauthenticated Remote Command Execution in the WebUI CVE-2020-7115 For best results use OpenSSL/libcrypto shipped with RHEL/CentOS 7.x. Questions? Contact email protected. if "$" -ne 4 ; then echo "Usage: basename $0 remote host remote port local host...

CVSS 10, AI score 9.2, EPSS 0.64596
Exploits: 8
Packet Storm
added 2017/12/28 12:00 a.m., 35 views

Tripbuddy Travel, Locations, And Events 1.0 Cross Site Scripting

Exploit Title: Tripbuddy - Travel, Locations and Events Web App - xss Google Dork: N/A Date: 2017/28/12 Exploit Author: ShanoWeb Author Mail : MrdotNet2NetatGmaildotcom Vendor Homepage: https://tripbuddy-app.com/ Software Buy:...

AI score 0.1
Exploits: 0
0day.today
added 2017/12/22 12:00 a.m., 41 views

Online Hotel Booking System Pro 1.3 Cross Site Scripting Vulnerability

Online Hotel Booking System Pro version 1.3 suffers from a cross site scripting vulnerability. Exploit Title: Online Hotel Booking System Pro 1.3 - Cross Site Scripting Google Dork: N/A Date: 2017/08/12 Exploit Author: ShanoWeb Author Mail : MrdotNet2NetatGmaildotcom Vendor Homepage:...

AI score 6.7
Exploits: 0
Kitploit
added 2017/02/20 1:48 p.m., 74 views

BeeLogger - Generate Emailing Keyloggers to Windows on Linux

Generate gmail emailing keyloggers to windows on linux, powered by python and compiled by pyinstaller. Features Send logs each 120 seconds. Send logs when chars 50. Send logs with gmail. Some Phishing methods are included. Multiple Session disabled. Bypass UAC. Prerequisites apt wine wget Linux...

AI score 7.3
Exploits: 0, References: 1
Kitploit
added 2017/02/03 2:30 p.m., 30 views

Insanity-Framework - Generate Payloads and control Remote Machines

With the dynamics of persuasion that prove effective in a pentest, several painstaking means of making a payload has emerged, Insanity Framework provides speed and effectiveness in a single tool to help you work. Features Bypass most AV and Sandboxes. Remote Control. Payload Generation. Some...

AI score 7.3
Exploits: 0, References: 2
Packet Storm
added 2016/10/14 12:00 a.m., 42 views

NO-IP DUC 4.1.1 Privilege Escalation

===================================================== NO-IP DUC v4.1.1 - Unquoted Service Path Privilege Escalation ===================================================== Vendor Homepage: http://noip.com Date: 14 Oct 2016 Software Link : http://www.noip.com/client/DUCSetupv411.exe Version : 4.1.1...

AI score 0.1
Exploits: 0