1556 matches found
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Impact This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you can potentially elevate all users and grant them admin privileges or access protected content. Patches Will be patched in 14.3.1 and 15.0.0. Workarounds...
CVE-2024-47819
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
CVE-2024-47819 Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
CVE-2024-47819
CVE-2024-47819 – Umbraco XSS (Dictionary section) Affected: Umbraco CMS (.NET) versions 14.0.0 up to, but not including, 14.3.1 and 15.0.0.Root cause: cross-site scripting vulnerability in the Dictionary section that can be triggered by an admin-privileged user to execute injected scripts.Impact:...
CVE-2024-47819 Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the...
PT-2024-32830 · Umbraco · Umbraco
Name of the Vulnerable Software and Affected Versions: Umbraco versions 14.0.0 through 14.3.0 Umbraco versions prior to 15.0.0 Description: The issue allows for cross-site scripting, which can be leveraged to gain access to higher-privilege endpoints. If a user with admin privileges runs the code...
How Hybrid Password Attacks Work and How to Defend Against Them
Threat actors constantly change tactics to bypass cybersecurity measures, developing innovative methods to steal user credentials. Hybrid password attacks merge multiple cracking techniques to amplify their effectiveness. These combined approaches exploit the strengths of various methods,...
Security Bulletin:IBM Asset Data Dictionary Component uses aircompressor-0.21.jar which is vulnerable to CVE-2024-36114
Summary IBM Asset Data Dictionary Component uses aircompressor-0.21.jar which is vulnerable to CVE-2024-36114. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2024-36114 DESCRIPTION: airlift aircompressor could allow a local attacker...
CIRCUTOR Q-SMT 安全漏洞
CIRCUTOR Q-SMT is an industrial hardware device from CIRCUTOR, Inc. A security vulnerability exists in CIRCUTOR Q-SMT version 1.0.4, which stems from an attacker's ability to construct a dictionary of potential users and inspect server responses without knowing the current user in the web...
CVE-2024-45833 Mobile password gets saved in dictionary under conditions
Mattermost Mobile Apps versions =2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a...
CVE-2024-45833 Mobile password gets saved in dictionary under conditions
Mattermost Mobile Apps versions =2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a...
CVE-2024-45312 Arbitrary language parameter can passed to `aspell` executable via spelling requests in overleaf
Overleaf is a web-based collaborative LaTeX editor. Overleaf Community Edition and Server Pro prior to version 5.0.7 or 4.2.7 for the 4.x series contain a vulnerability that allows an arbitrary language parameter in client spelling requests to be passed to the aspell executable running on the...
CVE-2024-7871
SQL Injection in online dictionary function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the word parameter...
CVE-2024-7871
SQL Injection in online dictionary function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the word parameter...
CVE-2024-7871
CVE-2024-7871: SQL Injection in the online dictionary function of Easytest Online Test Platform (versions 24E01 and earlier). Root cause: vulnerable handling of the word parameter enables arbitrary SQL execution by remote authenticated users. Impact notes (from CVSS): high confidentiality, integr...
PT-2024-31564 · Overleaf · Overleaf Server Pro +1
Name of the Vulnerable Software and Affected Versions: Overleaf Community Edition and Server Pro versions prior to 5.0.7 Overleaf Community Edition and Server Pro versions 4.x prior to 4.2.7 Description: Overleaf is a web-based collaborative LaTeX editor. The issue allows an arbitrary language...
Overleaf 安全漏洞
Overleaf is an open source online real-time collaborative LaTeX editor from Overleaf Open Source. A security vulnerability exists in Overleaf. An attacker can exploit the vulnerability to load a dictionary file with an arbitrary filename...
IBM WebSphere MQ Channel Name Bruteforce
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'IBM WebSphere MQ Channel Name Bruteforce', 'Description' = 'This module uses a dictionary to bruteforce MQ channel names. For all identified...
PT-2024-38648 · Unknown · Easytest Online Test Platform
Name of the Vulnerable Software and Affected Versions: Easytest Online Test Platform versions 24E01 and earlier Description: The issue allows remote authenticated users to execute arbitrary SQL commands via the word parameter in the online dictionary function. This can potentially lead to...
IBM Lotus Notes Sametime Room Name Bruteforce
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'enumerable' class MetasploitModule 'IBM Lotus Notes Sametime Room Name Bruteforce', 'Description' = %q This module bruteforces Sametime meeting room names via t...