9840 matches found
GitLab Access Control Error Vulnerability (CNVD-2020-19599)
GitLab is a self-hosted Git version control and project repository application, developed in Ruby on Rails by the American company GitLab. It can be used to access a project's file contents, commit history, bug list, and more. A security vulnerability exists in GitLab versions prior ...
Horde CSV import arbitrary PHP code execution
The Horde_Data module, version 2.1.4 and before, present in Horde Groupware version 5.2.22 allows authenticated users to inject arbitrary PHP code, thus achieving RCE on the server hosting the web application. This module requires Metasploit: https://metasploit.com/download Current source:...
Friday Squid Blogging: New Report on Squid Markets
This report costs $2,000. Please don't buy it for me. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here...
CVE-2020-10081
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user...
UBUNTU-CVE-2020-10081
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user...
Design/Logic Flaw
GitLab before 12.8.2 has Incorrect Access Control. It was internally discovered that the LFS import process could potentially be used to incorrectly access LFS objects not owned by the user...
Chadha PHPKB Cross-Site Scripting Vulnerability (CNVD-2020-17217)
Chadha PHPKB is a knowledge base software that keeps information organized, accessible and manageable for internal teams and external clients. A reflected cross-site scripting vulnerability exists in admin/import-csv.php in Chadha PHPKB Standard Multilingual Version 9. The vulnerability stems fro...
PT-2020-11906 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 12.8.2 Description: The issue is related to incorrect access control in the LFS import process, potentially allowing access to LFS objects not owned by the user. This was internally discovered. Recommendations: For...
Chadha PHPKB Cross-Site Scripting Vulnerability (CNVD-2020-17216)
Chadha PHPKB is a knowledge base software that keeps information organized, accessible and manageable for internal teams and external clients. A reflected cross-site scripting vulnerability exists in admin/import-html.php in Chadha PHPKB Standard Multilingual Version 9. The vulnerability stems fr...
CVE-2020-10413
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/import-html.php by adding a question mark ? followed by the payload...
CVE-2020-10412
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/import-csv.php by adding a question mark ? followed by the payload...
Cross site scripting
The way URIs are handled in admin/header.php in Chadha PHPKB Standard Multi-Language 9 allows Reflected XSS injecting arbitrary web script or HTML in admin/import-html.php by adding a question mark ? followed by the payload...
PT-2020-12082 · Chadha · Phpkb Standard Multi-Language
Name of the Vulnerable Software and Affected Versions: Chadha PHPKB Standard Multi-Language version 9 Description: The issue concerns the handling of URIs in admin/header.php, which allows for Reflected XSS in admin/import-csv.php. This can be achieved by adding a question mark ? followed by the...
WordPress Product Import Export for WooCommerce plugin <= 1.7.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability discovered by Wordfence in WordPress Product Import Export for WooCommerce plugin versions <= 1.7.4. Solution: Update the WordPress Product Import Export for WooCommerce plugin to the latest available version (at least 1.7.5)...
CVE-2020-6813
When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy. This vulnerability affects Firefox 74...
Import Export WordPress Users < 1.3.9 - Authenticated Arbitrary User Creation
"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users" providing subscriber-level users and above with the ability to escalate their privileges. POST /wp-admin/admin-ajax.php?importpage=wordpresshfusercsv&step=3...