31 matches found
CVE-2024-10491
The CVE-2024-10491 entry concerns the Express framework: the response.links function mishandles sanitization of Link header values, enabling arbitrary resource injection via certain characters (e.g., , ; ). Public-connected docs (GHSA, OSV, Debian OSV entries) reiterate the same issue and describ...
CVE-2024-10491 Preload arbitrary resources by injecting additional `Link` headers
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...
CVE-2024-10491
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...
CVE-2024-10491 Preload arbitrary resources by injecting additional `Link` headers
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in Link header values, which can allow a combination of characters like ,, ;, and to...
CVE-2023-26060
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult t...
NounsDAOLogicV2's state() and proposals() will use initial dynamic params for all V1 proposals
Lines of code Vulnerability details state and proposals call quorumVotesid that utilize initial dynamic params for all V1 proposals by misusing 0 as a proposal creation block. I.e. new field is referenced while it is zero for all V1 proposals. This way all V1 proposals will use the same initial s...
SnipCommand 0.1.0 Cross Site Scripting / Code Execution
Exploit Title: SnipCommand 0.1.0 XSS to RCE Exploit Author: TaurusOmar Twitter:@TaurusOmar HomePage:taurusomar.com Date: May 4th, 2021 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Risk: High 8.8 Vendor Homepage: https://github.com/gurayyarar/SnipCommand Version: 0.1.0 Tested on: Windows, Linux,...
SnipCommand 0.1.0 - XSS to Remote Command Execution Vulnerability
Exploit Title: SnipCommand 0.1.0 - XSS to RCE Exploit Author: TaurusOmar CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Risk: High 8.8 Vendor Homepage: https://github.com/gurayyarar/SnipCommand Version: 0.1.0 Tested on: Windows, Linux, MacOs Software Description: Open source command snippets manage...
SnipCommand 0.1.0 - Persistent Cross-Site Scripting
Exploit Title: SnipCommand 0.1.0 - XSS to RCE Exploit Author: TaurusOmar Date: 04/05/2021 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Risk: High 8.8 Vendor Homepage: https://github.com/gurayyarar/SnipCommand Version: 0.1.0 Tested on: Windows, Linux, MacOs Software Description: Open source comman...
BlackWidow - A Python Based Web Application Scanner To Gather OSINT And Fuzz For OWASP Vulnerabilities On A Target Website
BlackWidow is a python based web application spider to gather subdomains, URL's, dynamic parameters, email addresses and phone numbers from a target website. This project also includes Inject-X fuzzer to scan dynamic URL's for common OWASP vulnerabilities. DEMO VIDEO: FEATURES: Automatically...
Web Application Spider: BlackWidow
BlackWidow is a python based web application spider to gather subdomains, URL’s, dynamic parameters, email addresses and phone numbers from a target website. This project also includes Inject-X fuzzer to scan dynamic URL’s for common OWASP vulnerabilities. Features: Automatically collect all URL’...