12 matches found
EUVD-2024-1586
Malicious code in bioql PyPI...
CVE-2025-49596 MCP Inspector proxy server lacks authentication between the Inspector client and proxy
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio...
CVE-2024-32980
Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use self requests without a specified URL authority can be induced to make requests to arbitrary hosts via the Host HTTP header...
CVE-2024-32980
CVE-2024-32980 affects Spin prior to 2.4.3. Specifically configured Spin applications that use self requests without a URL authority can be induced to make requests to arbitrary hosts via the Host header. Vulnerable conditions include: routing requests based on URL rather than Host while preservi...
Ecwid Ecommerce Shopping Cart < 6.12.4 - Missing Authorization on multiple functions
Description The plugin is vulnerable to unauthorized access of data and modification of data due to missing capability checks on multiple functions in all versions up to, and including, 6.12.3. This makes it possible for authenticated attackers to access developer tool pages...
Oracle SQL Developer 安全漏洞
Oracle SQL Developer is a free integrated development environment from Oracle Corporation that simplifies the development and management of Oracle databases. A security vulnerability exists in Oracle SQL Developer versions prior to 23.1.0. An attacker exploiting this vulnerability could take over...
Amr Shortcode Any Widget <= 4.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. 1. Insert a...
Elastic: Synthetics Recorder: Code injection when recording website with malicious content
A vulnerability was discovered in the Synthetics Recorder tool, which allows attackers to inject arbitrary code into a recording session. The waitForNavigation event calls quote within the context of a multi-line comment, which can be escaped with a specially crafted URL. This can lead to code...
CVE-2022-24072
The devtools API in Whale browser before 3.12.129.18 allowed extension developers to inject arbitrary JavaScript into the extension store web page via devtools.inspectedWindow, leading to extensions downloading and uploading when users open the developer tool...
HM Multiple Roles < 1.3 - Arbitrary Role Change
The plugin does not have any access control to prevent low privilege users to set themselves as admin via their profile page As any authenticated user, go to your Profile page and Tick the Administrator Role checkbox. In v1.2, the checkboxes are disabled in the UI but can be tampered with by eith...
Unspecified Vulnerability in Bond Technology Management JetSelect
Bond Technology Management JetSelect is an application for managing IP and networks on board. An unspecified vulnerability exists in Bond Technology Management JetSelect. An attacker could exploit this vulnerability to obtain user credentials via the Developer tool or similar...
Microsoft Internet Explorer 9 "Iedvtool.dll"畸形HTML拒绝服务漏洞
BUGTRAQ ID: 49165 Microsoft Internet Explorer是微软公司推出的一款网页浏览器。 Microsoft Internet Explorer 9 Iedvtool.dll在处理畸形HTML的实现上存在空指针引用漏洞,远程攻击者可利用此漏洞使受影响浏览器崩溃,造成拒绝服务,也可能会破坏进程内存并执行任意代码 “Internet Explore 9 /Developer Tool F12”中存在远程空指针引用漏洞。 Microsoft Internet Explorer 9 厂商补丁: Microsoft ---------...