CVE-2022-1365
A flaw was found in the cross-fetch library when fetching a remote URL with a cookie when it gets to the Location response header. This flaw allows an attacker to hijack the account as the cookie is leaked...
PyPDF2 security vulnerability
PyPDF2 is a free open source pure python PDF library. It can split, merge, crop and convert pages in PDF files. PyPDF2 has a security vulnerability that originated in versions prior to 1.27.5, which allows an attacker to create PDFs that will result in an infinite loop if PyPDF2 if the code trie...
GHSA-7GC6-QH9X-W6H8 Withdrawn Advisory: Incorrect Authorization in cross-fetch
Withdrawn Advisory This advisory has been withdrawn because the vulnerability originates from a dependency. For more information, see the Maintainer comments in https://huntr.com/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac. Original Description When fetching a remote url with Cookie if it get...
CVE-2022-1365
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5...
cross-fetch security vulnerability
cross-fetch is a generic WHATWG Fetch API for nodes, browsers, and React Native by Leonardo Quixada, an individual developer in the United States. A security vulnerability exists in cross-fetch that stems from exposing private personal information to unauthorized participants in the GitHub...
PT-2022-7286
Name of the Vulnerable Software and Affected Versions git versions prior to 1.11.0 Description The issue is related to Command Injection via git argument injection. When calling the fetchremote = 'origin', opts = function, the remote parameter is passed to the git fetch subcommand in a way that...
EvilSelenium - A Tool That Weaponizes Selenium To Attack Chromium Based Browsers
EvilSelenium is a new project that weaponizes Selenium to abuse Chromium-based browsers. The current features right now are: Steal stored credentials via autofill Steal cookies Take screenshots of websites Dump Gmail/O365 emails Dump WhatsApp messages Download & exfiltrate files Add SSH keys to...
AeroCMS 0.0.1 Shell Upload
AeroCMS-Unrestricted-File-Upload-POC Author: D4rkP0w4r Description = Upload web shell at Post Image in admin panel Steps to Reproduce Login to admin panel - Posts - Add Posts - Post Image - upload malicious file shell.php - access /images/shell.php on url - shell.php page Exploit When upload succe...
The vulnerability of the software interface of the Background Fetch API in Google Chrome and Microsoft Edge browsers allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the Background Fetch API programming interface in Google Chrome and Microsoft Edge browsers is related to improperly implemented security checks for standard elements. Exploiting this vulnerability could allow a remote attacker to gain unauthorized access to protected...
Remote Code Execution
chromium is vulnerable to remote code execution. Lack of proper checking in the Background Fetch API component allows an attacker to upload and execute malicious code on the system under attack...
Odin - Central IoC Scanner Based On Loki
Odin is a central IoC scanner based on Loki General Info This application takes the latest Loki version, downloads it on all machines using a powershell script and runs it, then receives the response from all machines and parses the feed in CSV form. Requirements 1. Python +3.5 2. PyQT5 3. psutil 4...
Command injection
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover...
CVE-2022-24066
The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch attack vector. A similar use of the --upload-pack feature of git is also supported for git clone, which the prior fix didn't cover...
Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
KLA12495 Multiple vulnerabilities in Microsoft Browser
Multiple vulnerabilities were found in Microsoft Browser. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, gain privileges, spoof user interface. Below is a complete list of vulnerabilities: 1. Use after free vulnerability in Portals can be...
Google Chrome security feature issue vulnerability
Google Chrome is a web browser from Google, Inc. and V8 is an open source JavaScript engine. Google Chrome suffers from a security feature issue vulnerability that is caused by an incorrect implementation of the Background Fetch API in Google Chrome. A remote attacker could create a specially...
Remote Code Execution (RCE)
ungit is vulnerable to remote code execution. An attacker can inject and execute malicious git options through the user-controlled values in the git fetch command when calling the /api/fetch endpoint...
Command Injection in ungit
The package ungit before 1.5.20 is vulnerable to Remote Code Execution RCE via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values remote and ref are passed to the git fetch command. By injecting some git options it was possible to get arbitrary...
GHSA-HF8C-XR89-VFM5 Command Injection in ungit
The package ungit before 1.5.20 is vulnerable to Remote Code Execution RCE via argument injection. The issue occurs when calling the /api/fetch endpoint. User controlled values remote and ref are passed to the git fetch command. By injecting some git options it was possible to get arbitrary...