70 matches found
GHSA-Q257-VV4P-FG92 Header Forgery in http-signature
Affected versions of http-signature contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. This problem occurs because vulnerable versions of http-signature sign the...
HackerOne: Can read features from any user
Summary: An attacker can read feature notifications from any user. Just need to change me to userusername:"filedescriptor" in your request to get the features. Steps To Reproduce POST /graphql HTTP/1.1 Host: hackerone.com "query":"query Newfeature \n query \n id,\n ...F0\n \n\nfragment F0 on Quer...
Authorization Bypass
TeamPass is vulnerable to authorization bypass. The application does not properly check if a user has the proper permissions to access an item, allowing a malicious user to modify or delete multiple attributes of an item by modifying requests sent to the application...
Cross-site request forgery (CSRF)
Cross-site request forgery CSRF vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to mgadmin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely...
CVE-2017-4012
Privilege Escalation vulnerability in the server in McAfee Network Data Loss Prevention NDLP 9.3.x allows remote authenticated users to view confidential information via modification of the HTTP request...
Session fixation
Session Side jacking vulnerability in the server in McAfee Network Data Loss Prevention NDLP 9.3.x allows remote authenticated users to view, add, and remove users via modification of the HTTP request...
Slack: Eavesdropping on private Slack calls
A vulnerability exists in Slack's call functionality that allows a team member to eavesdrop on private ongoing Slack calls by inviting themselves into the conversation without the permission from either participant. By doing so they can eavesdrop on co-workers' private conversations as well as...
Microsoft Internet Explorer 7 request modification
Header manipulation and invalid chunked-encoding processing allow response splitting...
CVE-2001-0995
PHProjekt before 2.4a allows remote attackers to perform actions as other PHProjekt users by modifying the ID number in an HTTP request to PHProjekt CGI programs...
CVE-2001-1234
Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable...