3245 matches found
Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a differen...
ZZCMS SQL Injection Vulnerability (CNVD-2021-99769)
zzcms is a multifunctional cms system that integrates front-end pages, custom templates, payments, etc., using a b/s structure of php mysql. The mvc model is used to facilitate quick system build. zzcms has a SQL vulnerability in versions 8.2 and 8.3, which is related to the affected version not...
Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5
Description The reflected XSS vulnerability occurs due to a flaw in the cleanxsstags function called in memo.php of Gnuboard 5. This cleanxsstags is a sanitizer that removes XSS-vulnerable tags and attributes. However, the sanitizer can be bypassed by using a newline character (%0A, %0D, etc.). Proof of Conce...
Cross-site Scripting (XSS) - Reflected in admidio/admidio
Description The Reflected XSS vulnerability occurs because redirect.php does not properly validate the value of the url parameter. Using javascript: throws an error in parsing the url. But I bypassed it using javascript://%0A. Proof of Concept txt 1. Open the...
PYSEC-2021-841
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
CVE-2021-25967 CKAN - Stored Cross-Site Scripting (XSS) via SVG File Upload
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
Open-xchange OX App Suite Security Feature Issue Vulnerability
Open-xchange OX App Suite is a Web cloud desktop environment from Open-Xchange, a US-based company. The environment allows users to more intuitively manage email, tasks, files, etc. A cross-site scripting vulnerability exists in Open-xchange OX App Suite, which can be exploited by...
CRLF Injection in phpservermon/phpservermon
Description A misconfiguration of nginx leads to CRLF injection. In nginx, $uri is URL-decoded, which will decode %0d%0a to CRLF. Code: return 301 http://$uri; Proof of Concept A request to: http://www.test.com/%0d%0afakeheader:123%0d%0a%0d%0afakecontent Impact CRLF Injection allows an attacker to inject...
HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks
HTML smuggling, a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features, is increasingly used in email campaigns that deploy banking malware, remote access Trojans (RATs), and other payloads related to targeted attacks. Notably, this technique was observe...
Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT
In October 2021, we observed threat actors targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts...
Cross-site Scripting (XSS) - Stored in galette/galette
Description Hi, By reviewing your project I've found multiple stored cross-site scripting. From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web...
Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept // PoC.js Link --...
Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Proof of Concept 1 -- Go Asset Metadata Class Definitions - Create another one or just edit a previous one. 2 -- In the Name input Inject any XS...
Online Reviewer System Code Issue Vulnerability
Online Reviewer System is an application. Online Reviewer System version 1.0 contains a remote code execution vulnerability that could be exploited by attackers to bypass image upload filters and upload maliciously crafted PHP files...
CVE-2021-37915
An issue was discovered on the Grandstream HT801 Analog Telephone Adaptor before 1.0.29.8. From the limited configuration shell, it is possible to set the malicious gdbdebugserver variable. As a result, after a reboot, the device downloads and executes malicious scripts from an attacker-defined...
Grandstream Ht801 Security Vulnerability
Grandstream Networks Grandstream Ht801 is a powerful analog telephone adapter from Grandstream Networks, USA. A security vulnerability exists in the Grandstream HT801 Analog Telephone Adaptor that stems from an issue found on the Grandstream HT801 Analog Telephone Adaptor. A malicious...
Cross-site Scripting (XSS)
Overview camaleoncms is a dynamic and advanced content management system based on Ruby on Rails as an alternative to WordPress. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by allowing unprivileged application users to store malicious scripts in the comments sectio...
CVE-2021-25969
In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment...