CVE-2021-41113

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

CVE-2021-41113

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

Cross site request forgery (csrf)

TYPO3 is an open source PHP based web content management system released under the GNU GPL. It has been discovered that the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface is vulnerable to cross-site-request-forgery. The impact is the same as...

CVE-2021-41113

CVE-2021-41113 — TYPO3 Backend CSRF : TYPO3’s v11 feature for creating/sharing deep links in the backend UI is vulnerable to cross-site request forgery. An unauthenticated attacker could exploit a logged-in victim’s session to perform actions, potentially creating an admin user account and taking...

UBUNTU-CVE-2021-39886

Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references...

PT-2021-23097 · Typo3 · Typo3

Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.0 Description: A cross-site request forgery issue has been discovered in the new TYPO3 v11 feature that allows users to create and share deep links in the backend user interface. This issue can be exploited withou...

PT-2021-22732 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 10.6 through 14.1.7 Description: The issue concerns permissions rules not being applied when moving issues between projects of the same group, allowing users to read confidential Epic references. Recommendations: For GitLab...

in netdisco/netdisco

Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes below link show...

GitLab 权限许可和访问控制问题漏洞

GitLab is a Ruby on Rails-developed, self-hosted, Git version control system project repository application from the American company GitLab. The program can be used to access a project's file contents, commit history, bug lists, and more. GitLab suffers from a Permission Permission and Access...

CVE-2021-37219

A flaw in Consul Raft RPC layer allows privilege escalation by allowing access to access server-only functionality from non-server agents with a valid certificate signed by the same CA...

in kcal-app/kcal

Description it can be possible to perform a clickjacking attack due to the lack of frame restrictions. The application does not set the response header X-Frame-Options: DENY. Proof of Concept Clickjack test page save the script as clickjacking .html and page will render in iframes...

CVE-2020-4803

IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535...

CVE-2021-31845

A buffer overflow vulnerability in McAfee Data Loss Prevention DLP Discover prior to 11.6.100 allows an attacker in the same network as the DLP Discover to execute arbitrary code through placing carefully constructed Ami Pro .sam files onto a machine and having DLP Discover scan it, leading to...

Siemens SINEMA Remote Connect Server 访问控制错误漏洞

Siemens SINEMA Remote Connect Server is a remote network management platform from Siemens, Germany. The platform is used to remotely access, maintain, control and diagnose the underlying network. An access control error vulnerability exists in Siemens SINEMA Remote Connect Server versions prior t...

UBUNTU-CVE-2021-41072

squashfsopendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create th...

CVE-2020-27969

Yandex Browser for Android 20.8.4 allows remote attackers to perform SOP bypass and addresss bar spoofing...

Yandex Browser 访问控制错误漏洞

Yandex Browser is a desktop version of a web browser from the Russian company Yandex. A security vulnerability exists in Yandex Browser Android version 20.8.4, which allows remote attackers to perform SOP bypass and address bar spoofing...

UBUNTU-CVE-2021-37219

HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2...

Ghost CMS 4.3.2 - Cross-Origin Admin Takeover

Ghost is one of the most popular Node.js-based Content Management Systems CMS. According to the vendor, there are currently more than 2.5 million installs of it and the project has more than 38k stars on GitHub. During our research on open-source applications, we analyzed the code and found a...

CVE-2021-33886

An improper sanitization of input vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements. The attacker is required to be on the same network as t...