3856 matches found
CVE-2021-20430
IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196341...
CVE-2021-20430
CVE-2021-20430 affects IBM i2 Analyst’s Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, 4.3.2). A remote attacker could obtain sensitive information when a detailed technical error message is returned in the browser, enabling information disclosure. Affected products and versions are IBM i2 Analyz...
Project Status <= 1.6 - Reflected Cross-Site Scripting (XSS)
The pspinduplicatepostsaveasnewpost function of the plugin does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue. PoC: Open the below URL as any authenticated user...
Code injection
UCMS 1.5.0 was discovered to contain a physical path leakage via an error message returned by the adminchannelscache function in top.php...
CVE-2021-25809
UCMS 1.5.0 was discovered to contain a physical path leakage via an error message returned by the adminchannelscache function in top.php...
Design/Logic Flaw
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.4, a non admin user can get access to many class/field values through GroupBy Dashlet error message. This issue is fixed in versions 2.7.4 and 3.0.0...
Shopify: Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link)
When we invite customers at the wholesale store there is a feature to "Send invite" and "Get invite link". The get invite link feature displays the customer invitation link and can only be used once, but when the customer has accepted the invitation and activated their account already have access t...
CVE-2021-20523
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 198660...
Information disclosure
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973...
CVE-2021-20499
IBM Security Verify Access Docker 10.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 197973...
Preventing path disclosure in file upload functionality and Page export for security purposes
Issue Summary: While performing the file upload vulnerability test in the Confluence application, we were able to identify sensitive path disclosure in the following cases. • When we attached a malicious file and tried to download all attachments. • When we uploaded a malicious file and tried t...
CVE-2021-20424
IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309...
Information disclosure
IBM Cloud Pak for Applications 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. X-Force ID: 196309...
Siemens Teamcenter Active Workspace
1. EXECUTIVE SUMMARY. CVSS v3 6.1. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Siemens. Equipment: Teamcenter Active Workspace. Vulnerabilities: Generation of Error Message Containing Sensitive Information, Cross-site Scripting, Exposure of Sensitive Information to an...
Information disclosure
IBM Guardium Data Encryption GDE 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196219...
CVE-2021-20417
IBM Guardium Data Encryption GDE 4.0.0.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196219...
index check should use AND condition, not OR
Handle: pauliax. Vulnerability details. Impact: The condition should be AND, not OR, and the error message looks weird here: function distributeStrategyGainLoss(uint256 gain, uint256 loss) external override { uint256 index = vaultIndexes[msg.sender]; require(index > 0 || index <= NCOINS + 1, "!VaultAdaptor"); Now basicall...
Atlassian Jira 8.14.x < 8.15.1 Multiple Vulnerabilities (1/2)
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.5.12, 8.6.x < 8.13.4 or 8.14.x < 8.15.1. It is, therefore, affected by multiple vulnerabilities: - A DOM based Cross-Site Scripting (XSS) vulnerability caused by parameter...