1115 matches found

RedHat Linux
added 2018/02/13 3:48 p.m., 5 views

Dashbuilder: insecure handling of CSRF token

It has been reported that CSRF tokens are not properly handled in JBoss BPM suite dashbuilder. Old tokens generated during an active session can be used to bypass CSRF protection. In addition, the tokens are sent in query string so they can be exposed through the browser's history, referrers, web...

8.8 CVSS, 5.7 AI score, 0.01126 EPSS
Exploits 0, References 4

Hacker One
added 2018/02/05 9:45 p.m., 14 views

Discourse: Gaining access to private topics using quoting feature

Description Some topics have limited access to certain groups and users, and while there exists a validation for access on this topic, it can be bypassed by abusing a vulnerability in the "onebox" quoting feature. When pasting a link in a reply, if this link happens to be a link to another topic ...

6.6 AI score
Exploits 0

Hacker One
added 2018/01/21 4:7 p.m., 24 views

Keybase: Difference in query string parameter processing between Hacker News and Keybase Chrome extension spawns chat to incorrect user

Hello! When using the Keybase Chrome extension and viewing a Hacker News profile page with an additional id parameter in the query string, Hacker News uses the username from the first id parameter, whereas the Keybase extension uses the username from the second id parameter. Example URL:...

1 AI score
Exploits 0

OSV
added 2018/01/16 8:29 p.m., 2 views

CVE-2018-5715

phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string aka a $key variable...

6.1 CVSS, 5.8 AI score, 0.07044 EPSS
Exploits 5, References 2

Prion
added 2018/01/16 8:29 p.m., 13 views

Design/Logic Flaw

phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string aka a $key variable...

4.3 CVSS, 5.8 AI score, 0.07044 EPSS
Exploits 5, References 2, Affected Software 1

Cvelist
added 2018/01/16 8:0 p.m., 23 views

CVE-2018-5715

phprint.php in SugarCRM 3.5.1 has XSS via a parameter name in the query string aka a $key variable...

5.9 AI score, 0.07044 EPSS
Exploits 5, References 2

CVE
added 2018/01/16 8:0 p.m., 72 views

CVE-2018-5715

SugarCRM 3.5.1 is vulnerable to Cross-Site Scripting via phprint.php due to improper handling of the GET parameter name ($key) in the query string. The root cause is that the $key values are not encoded when constructing the query string, enabling injection of arbitrary JavaScript into the victim...

6.1 CVSS, 5.8 AI score, 0.07044 EPSS
Exploits 5, References 2, Affected Software 1

VulnCheck KEV
added 2018/01/15 12:0 a.m., 0 views

VulnCheck KEV: CVE-2012-2336

sapi/cgi/cgimain.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing...

5 CVSS, 7.3 AI score, 0.50723 EPSS
Exploits 1, References 1

OSV
added 2018/01/10 3:29 p.m., 1 views

DEBIAN-CVE-2017-7559

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that als...

6.1 CVSS, 6 AI score, 0.01687 EPSS
Exploits 0, References 1

Hacker One
added 2017/12/15 2:29 p.m., 99 views

HackerOne: HTTP Parameter Pollution using semicolons in iframe element at hackerone.com/careers allows loading external Greenhouse forms

Summary: I noticed that HackerOne career pages load their application forms from Greenhouse.io via an iframe. The ghjid parameter value is taken into the iframe element for the token parameter in the iframe URL boards.greenhouse.io. Any HTML characters are escaped in order to avoid XSS and possib...

6.1 AI score
Exploits 0

RedHat Linux
added 2017/12/13 6:26 p.m., 0 views

undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...

6.5 CVSS, 7.2 AI score, 0.02712 EPSS
Exploits 0, References 4

RedHat Linux
added 2017/12/13 5:48 p.m., 0 views

undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...

6.5 CVSS, 7.2 AI score, 0.02712 EPSS
Exploits 0, References 4

RedHat Linux
added 2017/12/13 5:31 p.m., 1 views

undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...

6.5 CVSS, 7.2 AI score, 0.02712 EPSS
Exploits 0, References 4

OSV
added 2017/11/29 5:29 p.m., 1 views

CVE-2017-17059

XSS exists in the amtyThumb amty-thumb-recent-post aka amtyThumb posts or wp-thumb-post plugin 8.1.3 for WordPress via the query string to amtyThumbPostsAdminPg.php...

6.1 CVSS, 5.8 AI score, 0.03419 EPSS
Exploits 1, References 2

OSV
added 2017/11/10 2:29 a.m., 3 views

CVE-2017-16562

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the upautolog parameter in the QUERYSTRING to the default URI...

9.8 CVSS, 5.6 AI score, 0.27369 EPSS
Exploits 3, References 3

ATTACKERKB
added 2017/11/10 2:29 a.m., 2 views

CVE-2017-16562

The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the upautolog parameter in the QUERYSTRING to the default URI...

9.8 CVSS, 5.5 AI score, 0.27369 EPSS
Exploits 3, References 4

CNVD
added 2017/11/10 12:0 a.m., 2 views

WordPress UserPro Plugin Authentication Bypass Vulnerability

WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. UserPro plugin for WordPress is a plugin for creating social platform sites using WordPress. The plugin has...

9.8 CVSS, 7 AI score, 0.27369 EPSS
Exploits 3, References 1

Hacker One
added 2017/10/12 8:42 p.m., 22 views

Avito: CSS injection in avito.ru via IE11

Hi Team Security @avito I discovered CSS Injection on avito.ru in form search via IE11 Description CSS injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to...

0.5 AI score
Exploits 0

Hacker One
added 2017/10/10 9:4 a.m., 19 views

Zendesk: Secret API Key Leakage via Query String

See title...

6.9 AI score
Exploits 0

CNVD
added 2017/10/10 12:0 a.m., 2 views

ljharb's qs module input validation vulnerability

A web framework is a framework used to support the development of dynamic websites, web applications, and web services. qs module is a string query parsing module used by developers when building web frameworks. A denial of service vulnerability exists in ljharb's qs module. An attacker could...

7.5 CVSS, 7.3 AI score, 0.02395 EPSS
Exploits 0, References 1