Lucene search

5987 matches found

Positive Technologies
added 2019/08/09 12:0 a.m. · 4 views

PT-2019-10264 · Atlassian · Jira

Name of the Vulnerable Software and Affected Versions: Jira versions prior to 7.12.3
Description: The issue is related to a missing authorization check in the inline-create REST resource, allowing authenticated remote attackers to set the reporter in issues.
Recommendations: For versions prior to...

CVSS 4.3 · AI score 4.4 · EPSS 0.00847
Exploits: 1 · References: 4
FreeBSD
added 2019/08/08 12:0 a.m. · 63 views

PostgreSQL -- TYPE in pg_temp execute arbitrary SQL during `SECURITY DEFINER` execution

The PostgreSQL project reports: Versions Affected: 9.4 - 11. Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact...

CVSS 6 · AI score 1.8 · EPSS 0.03184
Exploits: 0 · References: 1
PostgreSQL
added 2019/08/08 12:0 a.m. · 96 views

Vulnerability in core server (CVE-2019-10208)

TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution. Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call havi...

CVSS 8.8 · AI score 8.5 · EPSS 0.0217
Exploits: 0 · References: 1 · Affected Software: 1
RedHat Linux
added 2019/08/07 7:56 p.m. · 0 views

kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c

A vulnerability was found in Linux kernel's implementation of overlayfs. An attacker with local access can create a denial of service situation via NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with ability to create directories on overlayf...

CVSS 5.5 · AI score 7.1 · EPSS 0.0032
Exploits: 0 · References: 4
OSV
added 2019/08/06 4:15 p.m. · 2 views

CVE-2019-14696

Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/index.php?r=students/guardians/create id parameter...

CVSS 6.1 · AI score 6.3
Exploits: 0 · References: 3
CVE
added 2019/08/06 3:38 p.m. · 90 views

CVE-2019-14696

CVE-2019-14696 affects Open-School 3.0 and Community Edition 2.3, exposing a Cross-Site Scripting (XSS) flaw. The vulnerability occurs in the GET parameter osv/index.php?r=students/guardians/create id, allowing injection of arbitrary JavaScript in the victim’s browser. This could enable session h...

CVSS 6.1 · AI score 5.9 · EPSS 0.15439
Exploits: 5 · References: 3 · Affected Software: 1
Veracode
added 2019/08/06 6:23 a.m. · 17 views

Cross-site Scripting (XSS)

grumpydictator/firefly-iii is vulnerable to cross-site scripting (XSS). The attack is possible because it does not escape the user-provided data in the create-from-bill name field, allowing an attacker to inject malicious script...

CVSS 5.4 · AI score 3.3 · EPSS 0.00762
Exploits: 1 · References: 2 · Affected Software: 1
CVE
added 2019/08/05 12:55 p.m. · 49 views

CVE-2016-10771

CVE-2016-10771 affects cPanel before 60.0.25, allowing file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165). The issue resides in the ModSecurity audit logfile processing path, enabling unauthorized changes to filesystem state. Multiple connected sources cor...

CVSS 8.1 · AI score 8 · EPSS 0.00892
Exploits: 0 · References: 1 · Affected Software: 1
OSV
added 2019/08/02 4:15 p.m. · 0 views

CVE-2017-18421

cPanel before 66.0.2 allows demo accounts to create databases and users (SEC-271)...

CVSS 3.3 · AI score 5.8
Exploits: 0 · References: 1
OSV
added 2019/08/01 3:15 p.m. · 0 views

CVE-2018-20919

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373)...

CVSS 6.1 · AI score 5.8
Exploits: 0 · References: 1
NVD
added 2019/08/01 3:15 p.m. · 13 views

CVE-2018-20919

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373)...

CVSS 6.1 · AI score 6 · EPSS 0.00647
Exploits: 0 · References: 1
Prion
added 2019/08/01 3:15 p.m. · 12 views

Cross site scripting

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373)...

CVSS 4.3 · AI score 5.8 · EPSS 0.00647
Exploits: 0 · References: 1 · Affected Software: 1
Cvelist
added 2019/08/01 2:49 p.m. · 14 views

CVE-2018-20919

cPanel before 70.0.23 allows stored XSS via a WHM Create Account action (SEC-373)...

AI score 6 · EPSS 0.00647
Exploits: 0 · References: 1
CVE
added 2019/08/01 2:49 p.m. · 37 views

CVE-2018-20919

cPanel before 70.0.23 is affected by a stored XSS in the WHM Create Account action (SEC-373). Root cause reported as insufficient validation of client-side data in the web application; exploitation could lead to execution of client-side code. Remediation: upgrade to 70.0.23 or later (per CVE cont...

CVSS 6.1 · AI score 5.8 · EPSS 0.00647
Exploits: 0 · References: 1 · Affected Software: 1
OSV
added 2019/08/01 1:15 p.m. · 3 views

CVE-2018-20874

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428)...

CVSS 5.4 · AI score 5.8 · EPSS 0.00531
Exploits: 0 · References: 2
Prion
added 2019/08/01 1:15 p.m. · 15 views

Design/Logic Flaw

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428)...

CVSS 3.5 · AI score 5.2 · EPSS 0.00531
Exploits: 0 · References: 2 · Affected Software: 1
Cvelist
added 2019/08/01 12:40 p.m. · 21 views

CVE-2018-20874

cPanel before 74.0.8 allows self XSS in the WHM "Create a New Account" interface (SEC-428)...

AI score 5.3 · EPSS 0.00531
Exploits: 0 · References: 1
Gitee
added 2019/07/31 9:45 a.m. · 4 views

penetration

This repository contains a collection of exploit code and proof-of-concept (PoC) attacks targeting various web applications, including CMS platforms. The exploits are categorized by the affected product or service, and the vulnerability class or vector is identified. The exploits are: 1. 0day &...

AI score 8.8
Exploits: 0
OSV
added 2019/07/28 2:15 p.m. · 16 views

CVE-2019-14329

An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code...

CVSS 6.1 · AI score 5.8
Exploits: 0 · References: 3
NVD
added 2019/07/28 2:15 p.m. · 18 views

CVE-2019-14329

An issue was discovered in EspoCRM before 5.6.6. There is stored XSS due to lack of filtration of user-supplied data in Create Task. A malicious attacker can modify the parameter name to contain JavaScript code...

CVSS 6.1 · AI score 5.9 · EPSS 0.01327
Exploits: 1 · References: 3