Kimai 1.14 - CSV Injection
Exploit Title: Kimai 1.14 - CSV Injection Date: 26/04/2021 Exploit Author: Mohammed Aloraimi Vendor Homepage: https://www.kimai.org/ Software Link: https://github.com/kevinpapst/kimai2 Version: 1.14 Payload: @SUM1+9cmd|' /C calc'!A0 Tested on: Win10x64 Proof Of Concept: CSV Injection aka Excel...
Security Bulletin: Multiple vulnerabilities affect the IBM Spectrum Scale GUI
Summary Vulnerabilities exist in all levels of IBM Spectrum Scale GUI. A fix for this vulnerability is available. Vulnerability Details CVEID: CVE-2021-29667 DESCRIPTION: IBM Spectrum Scale is potentially vulnerable to CSV Injection. A remote attacker could execute arbitrary commands on the syste...
WordPress: PII of users can be downloaded from export pages
Sensitive personally identifiable information (PII) of users, including their name, email, phone number, role, and organization, was exposed on the https://doaction.org/ website. The PII was found in CSV files that could be downloaded from various endpoints on the website, which could be enumerated...
CVE-2021-28829
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabri...
Design/Logic Flaw
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabri...
CVE-2021-28829 TIBCO Administrator CSV injection vulnerability
The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabri...
CVE-2021-28829
The CVE-2021-28829 issue affects TIBCO Administrator – Enterprise Edition and related distributions for Silver Fabric and z/Linux, specifically the Administration GUI component. The root cause is a CSV injection vulnerability that an attacker with network access can exploit to execute a persisten...
Tibco Software TIBCO Administrator and Tibco Software TIBCO Runtime Agent Cross-Site Scripting Vulnerability
Tibco Software TIBCO Administrator and Tibco Software TIBCO Runtime Agent are both products of Tibco Software, Inc. Tibco Software TIBCO Administrator is an application used to manage users, monitor computers, and deploy applications that use...
TIBCO Security Advisory: April 20, 2021 - TIBCO Administrator - Enterprise Edition - CVE-2021-28829
TIBCO Administrator CSV injection vulnerability Original release date: April 20, 2021 Last revised: CVE-2021-28829 Source: TIBCO Software Inc. Products Affected TIBCO Administrator - Enterprise Edition versions 5.10.2 and below TIBCO Administrator - Enterprise Edition versions 5.11.0 and 5.11.1...
Denial Of Service (DoS)
mongo-express is vulnerable to denial of service. An attacker is able to crash the application through an unhandled exception by exporting a CSV file containing an empty collection...
CVE-2021-23372
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash...
Design/Logic Flaw
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash...
CVE-2021-23372 Denial of Service (DoS)
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash...
Business Directory Plugin < 5.11.1 - Authenticated PHP4 Upload to RCE
The plugin did not properly check imported files, forbidding certain extensions via a blacklist approach, which allowed an administrator to import an archive containing a .php4 file, for example, leading to RCE. Create a php4 file with PHP code in it, zip it and import it via the plugin import feature...
College Publisher Import <= 0.1 - Arbitrary File Upload to RCE
The plugin does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack. The issue has been escalated to WordPress on April 12th, 2021 Po...
Business Directory Plugin < 5.11 - Arbitrary File Upload to RCE
The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. Note WPScanTeam: CSRF check and some file validation were added in v5.11, however a blacklist...
CVE-2021-1474 Cisco Umbrella Link and CSV Formula Injection Vulnerabilities
Multiple vulnerabilities in the Admin audit log export feature and Scheduled Reports feature of Cisco Umbrella could allow an authenticated, remote attacker to perform formula and link injection attacks on an affected device. For more information about these vulnerabilities, see the Details secti...