
23 matches found

EUVD · added 2025/10/07 12:30 a.m. · 1 views

EUVD-2017-9069

Malware in sbrugna...

CVSS 5.3 · AI score 5.5 · EPSS 0.00244
Exploits 1 · References 2
EUVD · added 2025/10/03 8:07 p.m. · 1 views

EUVD-2024-1223

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 6.4 · EPSS 0.00319
Exploits 1 · References 8
Cvelist · added 2024/04/10 8:11 p.m. · 14 views

CVE-2024-31985 XWiki Platform CSRF in the job scheduler

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such a URL in...

CVSS 5.4 · AI score 6.1 · EPSS 0.00319
Exploits 1 · References 6
Vulnrichment · added 2024/04/10 8:11 p.m. · 15 views

CVE-2024-31985 XWiki Platform CSRF in the job scheduler

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such a URL in...

CVSS 5.4 · AI score 6.7 · EPSS 0.00319
Exploits 1 · References 6
Github Security Blog · added 2024/04/10 5:14 p.m. · 30 views

XWiki Platform CSRF in the job scheduler

Impact: It is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such a URL in any content as an image. To reproduce in an XWiki installation, open...

CVSS 5.4 · AI score 7 · EPSS 0.00319
Exploits 1 · References 8 · Affected Software 1
Positive Technologies · added 2024/04/10 12:00 a.m. · 2 views

PT-2024-24335 · Xwiki · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 3.1 through 4.10.19; XWiki Platform versions 14.10.18 and earlier; XWiki Platform versions 15.5.4 and earlier; XWiki Platform version 15.10-rc-1 and earlier. Description: The issue allows an attacker to schedule, trigger, ...

CVSS 5.4 · AI score 6.8 · EPSS 0.00319
Exploits 1 · References 16
Veracode · added 2021/10/06 5:56 a.m. · 10 views

Information Disclosure

sylius/paypalplugin is vulnerable to information disclosure. An attacker is able to predict the URL to the payment done page after checkout, due to the use of an autoincremented payment id in page creation. The prefilled credit card form shows the customer's first and last name, resulting in sensitive...

CVSS 7.5 · AI score 3.2 · EPSS 0.00366
Exploits 0 · References 3 · Affected Software 1
NVD · added 2021/10/05 9:15 p.m. · 11 views

CVE-2021-41120

sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id /pay-with-paypal/id and therefore it was easy to predict. The problem is that the Credit card form has...

CVSS 7.5 · EPSS 0.00366
Exploits 0 · References 3
Prion · added 2021/10/05 9:15 p.m. · 6 views

Design/Logic Flaw

sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id /pay-with-paypal/id and therefore it was easy to predict. The problem is that the Credit card form has...

CVSS 5 · AI score 7.4 · EPSS 0.00366
Exploits 0 · References 3 · Affected Software 1
Positive Technologies · added 2021/10/05 12:00 a.m. · 1 views

PT-2021-23103 · Sylius · Sylius Paypal Plugin

Name of the Vulnerable Software and Affected Versions: Sylius/PayPalPlugin versions prior to 1.2.4; Sylius/PayPalPlugin versions prior to 1.3.1. Description: The URL to the payment page done after checkout was created with an autoincremented payment id /pay-with-paypal/id and therefore it was easy ...

CVSS 7.5 · AI score 7.4 · EPSS 0.00366
Exploits 0 · References 9
Rapid7 Blog · added 2021/04/13 3:26 p.m. · 37 views

CVE-2021-26908 and CVE-2021-26909: Automox Agent Information Disclosure (FIXED)

Rapid7 researcher Danny Jordan discovered two vulnerabilities in the Automox Agent for Windows and macOS, which could result in information disclosure issues involving the Automox infrastructure. CVE-2021-26908 describes a vulnerability where Automox Agent improperly logs sensitive information on...

AI score 0.6 · EPSS 0.00203
Exploits 0
OSV · added 2020/09/18 3:15 p.m. · 1 views

CVE-2020-15958

An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL...

CVSS 8.6 · AI score 7.3 · EPSS 0.00937
Exploits 2 · References 4
Prion · added 2020/09/18 3:15 p.m. · 14 views

Design/Logic Flaw

An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL...

CVSS 5 · AI score 8.3 · EPSS 0.00937
Exploits 2 · References 4 · Affected Software 1
Cvelist · added 2020/09/18 2:32 p.m. · 16 views

CVE-2020-15958

An issue was discovered in 1CRM System through 8.6.7. An insecure direct object reference to internally stored files allows a remote attacker to access various sensitive information via an unauthenticated request with a predictable URL...

AI score 8.4 · EPSS 0.00937
Exploits 2 · References 4
Packet Storm · added 2019/02/05 12:00 a.m. · 73 views

devolo dLAN 550 duo+ 3.1.0-1 Starter Kit Cross-Site Request Forgery

devolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery. Vendor: devolo AG. Product web page: https://www.devolo.com. Affected version: dLAN 500 AV Wireless+ 3.1.0-1 i386. Summary: Devolo dLAN® 550 duo+ Starter Kit is a Powerline adapter which is a cost-effective and helpful networking alternative...

AI score 0.3
Exploits 0
0day.today · added 2019/02/05 12:00 a.m. · 29 views

devolo dLAN 550 duo+ Starter Kit - Cross-Site Request Forgery Vulnerability

Exploit for hardware platform in category web applications. devolo dLAN 550 duo+ Starter Kit Cross-Site Request Forgery. Vendor: devolo AG. Product web page: https://www.devolo.com. Affected version: dLAN 500 AV Wireless+ 3.1.0-1 i386. Summary: Devolo dLAN® 550 duo+ Starter Kit is a Powerline adapter whi...

Exploits 0
NVD · added 2018/02/19 4:29 a.m. · 13 views

CVE-2017-16924

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data//collections//usermgmt.xml URL, as demonstrated by passwords and...

CVSS 9.8 · AI score 9.2 · EPSS 0.01728
Exploits 0 · References 2
CVE · added 2018/02/19 4:00 a.m. · 47 views

CVE-2017-16924

Affected product: ManageEngine Desktop Central MSP 10.0.137. The issue is an information disclosure vulnerability enabling access to unencrypted XML files containing configuration-policy data via a predictable URL pattern /client-data//collections/##/usermgmt.xml, potentially exposing passwords a...

CVSS 9.8 · AI score 9.1 · EPSS 0.01728
Exploits 0 · References 2 · Affected Software 1
Cvelist · added 2018/02/19 4:00 a.m. · 20 views

CVE-2017-16924

Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data//collections//usermgmt.xml URL, as demonstrated by passwords and...

AI score 9.2 · EPSS 0.01728
Exploits 0 · References 2
The Hacker News · added 2012/09/14 8:28 a.m. · 5 views

BlackHole Exploit Kit 2.0 released with more latest Exploits

According to a Russian-language release announcement posted on Pastebin by unknown developers, BlackHole Exploit Kit 2.0 has been released with newer exploits. BlackHole is one of the most dominant exploit toolkits currently available in the underground market. It enables attackers to exploit security...

AI score 6.8
Exploits 0