Cross-site request forgery (CSRF)
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack...
Information disclosure
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure...
CVE-2020-29004
The API in the Push extension for MediaWiki through 1.35 did not require an edit token in ApiPushBase.php and therefore facilitated a CSRF attack...
CVE-2020-29004
The CVE-2020-29004 issue affects MediaWiki’s Push extension (up to v1.35). Root cause: ApiPushBase.php did not require an edit token, enabling CSRF attacks. Impact: Cross-site request forgery affecting operations through the Push API. Connected sources note the fix involves enforcing an edit toke...
CVE-2020-29005
The API in the Push extension for MediaWiki through 1.35 used cleartext for ApiPush credentials, allowing for potential information disclosure...
CVE-2020-29005
CVE-2020-29005 concerns the MediaWiki Push extension up to version 1.35, where the ApiPush credentials were transmitted in cleartext, enabling potential information disclosure. Affected component: Push extension API in MediaWiki. Root cause: credentials for ApiPush exposed via plaintext communica...
MediaWiki Cross-Site Request Forgery Vulnerability
MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. It can be used to deploy in-house knowledge management and content management systems. A cross-site request forgery vulnerability exists in MediaWiki 1.35 and earlier versions, which stems from...
MediaWiki Information Disclosure Vulnerability
MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. It can be used to deploy in-house knowledge management and content management systems. An information disclosure vulnerability exists in the Push extension for MediaWiki 1.35 and prior versions...
Shopify: Github access token exposure
While dissecting an application made by one of your employees I found his GitHub Personal Access Token (PAT); he's a member of the org with pull and push access to all of your repositories. As proof I can tell you that on the repo github.com/Shopify/shopify at commit hash cea9c273391d the sha512 ...
Apache Traffic Control Security Vulnerability
Apache Traffic Control is a set of distributed, scalable content delivery solutions from the Apache Software Foundation in the United States. The product is mainly used to build large-scale content delivery networks. A security vulnerability exists in Apache Traffic Control 3.0.0 to 3.1.0 and 4.0.0 to 4.1.0,...
CVE-2020-23653
An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution...
PT-2021-10922 · Unknown · Thinkadmin
Name of the Vulnerable Software and Affected Versions: ThinkAdmin versions 4.x through 6.x Description: An insecure unserialize vulnerability was discovered in ThinkAdmin, which may lead to arbitrary remote code execution. The issue is located in files such as "app/admin/controller/api/Update.php...
SearchDimension search hijackers: An overview of developments
Background information on SearchDimension SearchDimension is the name of a family of browser hijackers that makes money from ad clicks and search engine revenues. The family was named after the domain searchdimension.com that popped up in 2017, and they still sometimes use the letter combo SD in...
File Upload Vulnerability in Laiku Push E-commerce System (CNVD-2021-01290)
Laike Push (www.laiketui.com) is a mall system and mall website construction provider for enterprise-level businesses, offering a retail mall, a B2B2C multi-user mall system, a community group-buying mall system, a WeChat distribution system, a mini-program mall, a micro-distribution system and other...
File-sharing and cloud storage sites: How safe are they?
There it is again—that annoying message that pops up when your email client informs you that a file is too big to attach. Those of us that are confronted with this problem on a regular basis—and those of us that want to attach files that could get picked up by anti-malware scanners along the...
GitLab: Exposure of a valid Gitlab-Workhorse JWT leading to various bad things
Summary Using the State Uploading API we could potentially do a bad thing: - Bypass Gitlab::Workhorse.verifyapirequest! This was due to the fact that Workhorse cleans the URL before passing it to Rails; this is elaborated in 923027. And the State API reads request.body to append it as a file!...
Teler - Real-time HTTP Intrusion Detection
teler is a real-time intrusion detection and threat alerting tool based on web logs that runs in a terminal, using resources that we collect and that are provided by the community. Features Real-time: Analyze logs and identify suspicious activity in real time. Alerting: teler provides alerting when a threat is...
Be Very Sparing in Allowing Site Notifications
An increasing number of websites are asking visitors to approve "notifications," browser modifications that periodically display messages on the user's mobile or desktop device. In many cases these notifications are benign, but several dodgy firms are paying site owners to install their notificati...
CVE-2020-25204
The God Kings application 0.60.1 for Android exposes a broadcast receiver to other apps called com.innogames.core.frontend.notifications.receivers.LocalNotificationBroadcastReceiver. The purpose of this broadcast receiver is to show an in-game push notification to the player. However, the...