159 matches found
Exposed Dangerous Method or Function
Overview Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the backend user interface functionality involving deep links. An attacker can manipulate the state-changing actions and delete items by sending a crafted URL to a logged-in user. Note: This is...
Exposed Dangerous Method or Function
Overview typo3/cms-form is a Form Library, Plugin and Editor Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the backend user interface functionality involving deep links. An attacker can manipulate or delete persisted form definitions by deceiving a...
Exposed Dangerous Method or Function
Overview Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the Backend User Module. An attacker can manipulate user actions by tricking a victim into visiting a malicious URL while logged into the backend. Note: This is only exploitable if...
Exposed Dangerous Method or Function
Overview Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the Log Module. An attacker can manipulate log entries by deceiving a user into interacting with a malicious URL while logged into the backend user interface. Note: This is only exploitable if...
Medium: apr
Issue Overview: Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APRUSESHMEMSHMGET=1 apr...
Apache Portable Runtime (APR): Unexpected lax shared memory permissions
...
Fedora 40 : apr (2024-b40491b84b)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-b40491b84b advisory. This update to the apr package fixes a security issue in the handling of shared memory permissions. SECURITY: CVE-2023-49582: Apache Portable Runtime APR:...
CVE-2024-6611
A nested iframe, triggering a cross-site navigation, could send SameSite=Strict or Lax cookies. This vulnerability affects Firefox 128 and Thunderbird 128...
CVE-2024-4499
A Cross-Site Request Forgery CSRF vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS...
LoLLMs Cross-Site Request Forgery Vulnerability
LoLLMs is a Web UI for a large language multimodal system by the individual developer Saifeddine ALOUI. A cross-site request forgery vulnerability exists in LoLLMs version 9.6 that stems from a lax CORS policy. An attacker could use this vulnerability to read arbitrary files on the system and wri...
PT-2024-31349 · Lollms +1 · Lollms +2
Name of the Vulnerable Software and Affected Versions: lollms version 9.6 Description: A Cross-Site Request Forgery CSRF vulnerability exists in the XTTS server due to a lax CORS policy, allowing attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage. This...
CasaOS Security Vulnerabilities
CasaOS is a simple, easy to use and elegant open source home cloud system. A security vulnerability exists in CasaOS-UserService versions prior to 0.4.6 that stems from lax filtering of URL paths, which allows an attacker to obtain any file on the system...
GHSA-CP68-QRHR-G9H8 MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
We have identified a cross-site websocket hijacking CSWSH vulnerability within the control.ashx endpoint of MeshCentral. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. To demonstrate the impact of the vulnerability we developed a...
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
We have identified a cross-site websocket hijacking CSWSH vulnerability within the control.ashx endpoint of MeshCentral. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. To demonstrate the impact of the vulnerability we developed a...
Beetl Security Vulnerabilities
Beetl is a high-speed template engine by the individual developer Li Jiazhi xiandafu in China. A security vulnerability exists in Beetl v3.15.12 and earlier versions, which stems from lax blacklist filtering. The vulnerability can be exploited by an attacker to remotely execute code...
aiohttp Environment Issue Vulnerability
aiohttp is an open source asynchronous HTTP client/server framework for asyncio and Python. A vulnerability exists in aiohttp versions prior to 3.9.2, which stems from the HTTP parser's overly lax treatment of delimiters, which can help with request smuggling...
How Telegram Became a Terrifying Weapon in the Israel-Hamas War
Hamas posted gruesome images and videos that were designed to go viral. Sources argue that Telegram’s lax moderation ensured they were seen around the world...
Obl.ong Security Vulnerabilities
Obl.ong is a high-quality subdomain built with Rails from Obl.ong. A security vulnerability exists in versions of Obl.ong prior to 1.1.2 that stems from lax email OTP filtering, which allows an attacker to bypass authorization checks...
CSRF Token Reuse Vulnerability
A Cross-Site Request Forgery CSRF vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform...
Cross site request forgery (csrf)
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery CSRF vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to injec...