NewStart CGSL CORE 5.05 / MAIN 5.05 : docker-ce Multiple Vulnerabilities (NS-SA-2021-0138)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has docker-ce packages installed that are affected by multiple vulnerabilities: - Lack of content verification in Docker-CE Also known as Moby versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2,...

UBUNTU-CVE-2021-38614

Polipo through 1.1.1, when NDEBUG is used, allows a heap-based buffer overflow during parsing of a Range header. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...

PT-2021-22246 · Polipo · Polipo

Name of the Vulnerable Software and Affected Versions: Polipo versions 1.1.1 and earlier Description: The issue allows a heap-based buffer overflow during parsing of a Range header when NDEBUG is used. This only affects products that are no longer supported by the maintainer. Recommendations: For...

Polipo 缓冲区错误漏洞

Polipo is a small proxy server software. Polipo suffers from a buffer error vulnerability that stems from a heap-based buffer overflow allowed during parsing of Range headers when NDEBUG is used. Note: This vulnerability only affects products that are no longer supported by the maintainer...

GHSA-34FR-FHQR-7235 Information Disclosure in User Authentication

Meta CVSS: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C 4.9 Problem It has been discovered that user credentials have been logged as plaintext when explicitly using log level debug, which is not the default configuration. Solution Update to TYPO3 versions 7.6.52 ELTS, 8.7.41 ELTS, 9.5.28,...

Vulnerabilities fixed in Typo3

The developers of Typo3 have fixed vulnerabilities in Typo3 Core. The vulnerabilities allow a malicious party to perform Perform cross-site scripting XSS attacks. Such attacks can lead to the execution of arbitrary script code in the context of the victim's browser. In order to perform such an...

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10) Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

...

CVE-2021-32525 QSAN Storage Manager - Use of Hard-coded Password-2

The same hard-coded password in QSAN Storage Manager's in the firmware allows remote attackers to access the control interface with the administrator’s credential, entering the hard-coded password of the debug mode to execute the restricted system instructions. The referred vulnerability has been...

CVE-2021-32525

The CVE-2021-32525 issue affects QSAN Storage Manager (QSAN NAS OS) with hard-coded credentials in firmware up to version 3.3.1 (build 202101041800). The root cause is a hard-coded administrator credential in the debug mode password, allowing remote actors to access the control interface and exec...

CVE-2021-35973

NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/minihttpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866. This directly allows th...

Authentication flaw

NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/minihttpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866. This directly allows th...

CVE-2021-35973

NETGEAR WAC104 devices before 1.0.4.15 are affected by an authentication bypass vulnerability in /usr/sbin/minihttpd, allowing an unauthenticated attacker to invoke any action by adding the &currentsetting.htm substring to the HTTP query, a related issue to CVE-2020-27866. This directly allows th...

writeup

This is a Python script for exploiting a vulnerability in the "Aegis" binary. The script is designed to be used with the "pwn" library, which is a Python library for exploitation. The script starts by setting a debug flag to 1, which means that the script will run in debug mode. If the debug flag...

pki-server: Dogtag installer "pkispawn" logs admin credentials into a world-readable log file

A flaw was found in the PKI-server, where the spkispawn command, when run in debug mode, stores admin credentials in the installation log file. This flaw allows a local attacker to retrieve the file to obtain the admin password and gain admin privileges to the Dogtag CA manager. The highest threa...

Ignition 2.5.1 Remote Code Execution Exploit

Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of filegetcontents and fileputcontents. This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2. Exploit...

Ignition 2.5.1 Remote Code Execution

Exploit Title: Laravel debug mode Remote Code Execution Ignition = 2.5.1 Date: 05/04/2021 Exploit Author: Tobias Marcotto Tested on: Kali Linux x64 Version: 2.5.1 Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrar...

Unauthenticated remote code execution in Ignition

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of filegetcontents and fileputcontents. This is exploitable on sites using debug mode with Laravel before 8.4.2...

KZTech / JatonTec / Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution Vulnerability

Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution Exploit Author: LiquidWorm Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page:...

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution

KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 Remote Code Execution Backdoors Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd. Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk http://www.jatontec.com/products/show.php?itemid=258...

Mail.ru: Debug Mode Leak Critical Information [ AWS Keys , SMTP , Database , Django Secret Key ( RCE ) , Dodoc , Telegram , Twilio .. ]

Debug mode was enabled in legium-back.corp.mail.ru leaking some potenitially sensitive information Debug mode was enabled in legium-back.corp.mail.ru leaking some potenitially sensitive information...