27 matches found
PT-2026-28531
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: The objects/playlistsVideos.json.php endpoint does not enforce authentication or authorization checks, allowing access to the full video contents of any playlist by its ID. While private...
PT-2026-7690
MSN Password Recovery 1.30 contains an XML external entity injection vulnerability that allows attackers to read local system files through crafted XML input. Attackers can exploit the 'Favorites' tab by injecting a malicious XML file that references external entities to retrieve sensitive system...
GHSA-496G-MMPW-J9X3 misskey.js's export data contains private post data
Summary: After adding private posts (followers-only or direct) that you do not have permission to view to your favorites or clips, you can export them and read the contents of the private posts. PoC: 1. Create an account X for testing and an account Y for private posts on the same server. 2. Send appropriate...
Top security talks from KubeCon Europe 2024
KubeCon Europe is the largest open source community conference in Europe with hundreds of talks, many of them about security. All the sessions are available online; in this blog, we’ll discuss our favorites...
OroPlatform security vulnerability
OroPlatform is a PHP Business Application Platform (BAP) designed to make the development of custom business applications easier and faster. A security vulnerability exists in OroPlatform that stems from the fact that the navigation history, most viewed and favorite navigation items are returned to...
SUSE CVE-2010-2536
Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and t...
SUSE CVE-2014-4348
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables...
WordPress MainWP Favorites Extension Plugin <= 4.0.10 is vulnerable to Broken Access Control
Software: MainWP Favorites Extension. Type: Plugin. Vulnerable versions: <= 4.0.10. Fixed in: 4.0.11. OWASP Top 10: A5: Broken Access Control. Classification: Broken Access Control. CVE: CVE-2023-23740. Patch priority: High. CVSS severity: High (6.5). PSID: a17e6c2ed312. Credits: Dave Jong...
CVE-2022-34322
Multiple XSS issues were discovered in Sage Enterprise Intelligence 2021 R1.1 that allow an attacker to execute JavaScript code in the context of users' browsers. The attacker needs to be authenticated to reach the vulnerable features. An issue is present in the Notify Users About Modification me...
Cross-Site Request Forgery (CSRF) in aimeos/ai-client-html
✍️ Description: An attacker is able to add any product to a user's favorites with a CSRF attack. For a CSRF attack it is only necessary that a user is logged into the application and visits a malicious website; after that, with a single redirection, the attacker can perform the attack on the unprotected endpoint, which means only...
Cross-Site Request Forgery (CSRF) in myvesta/vesta
✍️ Description: An attacker is able to add an element to favorites. This vulnerability is present in several sections, for example on the “Firewall” tab (list/firewall/). 🕵️♂️ Proof of Concept: 1. While logged in, open this POC.html in a browser. 2. You can check that the first record is unintentionally saved as a favorite...
CVE-2021-26024
The Favorites component before 1.0.2 for Nagios XI 5.8.0 is vulnerable to Insecure Direct Object Reference: it is possible to create favorites for any other user account...
CVE-2018-7681
Micro Focus Solutions Business Manager versions prior to 11.4 allows JavaScript to be embedded in URLs placed in "Favorites" folder. If the user has certain administrative privileges then this vulnerability can impact other users in the system...
CVE-2017-1000243
Jenkins Favorite Plugin 2.1.4 and older does not perform permission checks when changing favorite status, allowing any user to set any other user's favorites...
Pornhub: Add a video to favourite list of any user [via YouPorn API / FrontEnd]
The researcher was able to modify the 'userid' value when adding favorites via the YouPorn mobile API in order to add videos to other users' favorites...
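The Nagios XI, Jenkins Favorite Plugin and YouPorn entries above share one root cause: the "add to favorites" handler takes the target account from a client-supplied field instead of from the authenticated session. The two CSRF entries (aimeos/ai-client-html, myvesta/vesta) share another: a state-changing POST is accepted whenever the browser sends the session cookie, which it also does for a form auto-submitted by another site. The following is an added example, not code from any of the projects listed on this page; the `Request`, `Session` and `FavoritesStore` classes are hypothetical stand-ins for a web framework, and `https://app.example` / `https://evil.example` are made-up origins. It puts a handler with both weaknesses next to a hardened one and drives both with constructed requests.

```python
"""Favorites endpoint: insecure vs hardened handling (added example).

Request/Session/FavoritesStore are hypothetical framework stand-ins. The
weaknesses modelled are the ones in the advisories above: trusting a
client-supplied user id (IDOR) and accepting a cookie-authenticated POST
without a CSRF token.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    form: dict      # body parameters
    headers: dict   # e.g. Origin, X-CSRF-Token
    cookies: dict   # attached by the browser, also on cross-site requests


@dataclass
class Session:
    user_id: str
    # per-session synchronizer token; only pages served by the app can read it
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class FavoritesStore:
    def __init__(self):
        self._data: dict[str, set[str]] = {}

    def add(self, user_id: str, item_id: str) -> None:
        self._data.setdefault(user_id, set()).add(item_id)

    def get(self, user_id: str) -> frozenset:
        return frozenset(self._data.get(user_id, ()))


SESSIONS: dict[str, Session] = {}  # cookie value -> session


def session_from(request: Request):
    return SESSIONS.get(request.cookies.get("sid"))


def add_favorite_insecure(request: Request, store: FavoritesStore) -> int:
    sess = session_from(request)
    if sess is None:
        return 401
    # Bug 1 (IDOR): the account being written to comes from the request body.
    target = request.form.get("userid", sess.user_id)
    # Bug 2 (CSRF): any POST carrying the cookie is accepted, whoever sent it.
    store.add(target, request.form["item"])
    return 200


def add_favorite_hardened(request: Request, store: FavoritesStore,
                          trusted_origin: str = "https://app.example") -> int:
    if request.method != "POST":
        return 405
    sess = session_from(request)
    if sess is None:
        return 401
    # CSRF: require the session-bound token; constant-time comparison.
    sent = request.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(sent, sess.csrf_token):
        return 403
    # Defence in depth: an Origin header naming another site is rejected.
    origin = request.headers.get("Origin")
    if origin is not None and origin != trusted_origin:
        return 403
    # IDOR: the account is always the session's own; "userid" is ignored.
    store.add(sess.user_id, request.form["item"])
    return 200


def demo() -> dict:
    """Constructed requests exercising both handlers; returns outcomes."""
    insecure, hardened = FavoritesStore(), FavoritesStore()
    victim, attacker = Session("victim"), Session("attacker")
    SESSIONS.clear()
    SESSIONS.update({"vcookie": victim, "acookie": attacker})
    app = {"Origin": "https://app.example"}

    # Attacker, logged in as themself, names the victim's account (IDOR).
    idor = Request("POST", {"userid": "victim", "item": "v1"},
                   {**app, "X-CSRF-Token": attacker.csrf_token}, {"sid": "acookie"})
    # Form auto-submitted from evil.example while the victim is logged in:
    # the browser attaches the cookie, but the page cannot read the token.
    csrf = Request("POST", {"item": "v2"},
                   {"Origin": "https://evil.example"}, {"sid": "vcookie"})
    # Legitimate request from the app's own page.
    ok = Request("POST", {"item": "v3"},
                 {**app, "X-CSRF-Token": victim.csrf_token}, {"sid": "vcookie"})

    return {
        "insecure_idor": add_favorite_insecure(idor, insecure),
        "insecure_csrf": add_favorite_insecure(csrf, insecure),
        "hardened_idor": add_favorite_hardened(idor, hardened),
        "hardened_csrf": add_favorite_hardened(csrf, hardened),
        "hardened_ok": add_favorite_hardened(ok, hardened),
        "victim_insecure": insecure.get("victim"),
        "victim_hardened": hardened.get("victim"),
        "attacker_hardened": hardened.get("attacker"),
    }


if __name__ == "__main__":
    print(demo())
```

Against the insecure handler the victim's list ends up holding both `v1` (written by the attacker's own session via `userid`) and `v2` (written by the victim's own browser from the attacker's page). Against the hardened handler the cross-site POST is refused with 403, and the attacker's request naming `victim` succeeds but lands in the attacker's own list, because the server never consults the `userid` field.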
FTPShell Client 5.24 - Add to Favorites Buffer Overflow
Exploit Title: FTPShell Client 5.24 - Add to Favorites Buffer Overflow Google Dork: N/A Date: 2015-01-04 Exploit Author: INSECT.B Twitter: @INSECT.B Facebook: https://www.facebook.com/B.INSECT00 Blog: http://binsect00.tistory.com Vendor Homepage: www.ftpshell.com Software Link:...
CVE-2014-4312
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to "Order to consume"; (3) Favorites name section to Favorites; (4)...