Prototype Pollution in indlekofer/object_set
Description: Prototype Pollution in @indlekofer/objectset. Proof of Concept: 1. Create the following PoC file: // poc.js var objectSet = require("@indlekofer/objectset"); var obj = {}; console.log("Before : " + {}.polluted); objectSet.default(obj, "__proto__", "polluted", "Yes! Its Polluted"); console.log("After : " +...
Prototype Pollution in quernest/arr-flatten-unflatten
Description: arr-flatten-unflatten is vulnerable to Prototype Pollution. Proof of Concept: 1. Create the following PoC file: // poc.js var arrFlattenUnflatten = require("arr-flatten-unflatten"); console.log("Before : " + {}.polluted); arrFlattenUnflatten.unflatten({'protopolluted': 'Yes! Its Polluted'});...
CVE-2020-29385
GNOME gdk-pixbuf (aka GdkPixbuf) before 2.42.2 allows a denial of service (infinite loop) in lzw.c in the function write_indexes. If c->self_code equals 10, self->code_table[10].extends will assign the value 11 to c. The next execution in the loop will assign self->code_table[11].extends to c, which will give t...
CVE-2020-35585
In Solstice Pod before 3.3.0 (or Open4.3), the screen key can be enumerated using brute-force attacks via the /lookin/info Solstice Open Control API because there are only 1.7 million possibilities...
kernel security and bug fix update
3.10.0-1160.11.1.OL7 - Oracle Linux certificates (Ilya Okomin) - Oracle Linux RHCK Module Signing Key was compiled into kernel ([email protected]) - Update x509.genkey [Orabug: 24817676] - Conflict with shim-ia32 and shim-x64 slotsret under spin_lock_irq protection (Rafael...
CVE-2020-26979
When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what...
UBUNTU-CVE-2020-17527
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this...
curl: Abusing URL Parsers by long schema name
Summary: There is a known technique to exploit the inconsistency between URL parser and URL requester logic to perform a Server-Side Request Forgery attack. It was first presented by Orange Tsai in "A New Era Of SSRF - Exploiting URL Parser". Firstly I found the familiar issue at old versions of curl, but explo...
Shopify: Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store!
Please Note: I found this bug on a website made using Shopify. I tried doing the same with my Shopify store but I was not able to buy anything, as it required adding credit card details, which I don't have. THE LINKS GIVEN AS THE EXAMPLE ARE NOT VALID LINKS BUT THE BUG WORKS ON EVERY SHOPIFY...
Exploit for Out-of-bounds Write in Php
CVE-2019-11043 PHP-FPM Remote Code Execution Screencast: htt...
SUSE-SU-2020:3330-1 Security update for kernel-firmware
This update for kernel-firmware fixes the following issue: - CVE-2020-12321: Updated the Intel Bluetooth firmware for buffer overflow security bugs (bsc#1178671)...
opensc security, bug fix, and enhancement update
0.20.0-2 - Unbreak different CardOS 5 configurations supporting raw RSA (#1830856) 0.20.0-1 - Rebase to current upstream release (#1810660)...
SUSE-SU-2020:3230-1 Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP2 kernel RT was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381). - CVE-2020-25643: Added range checks in ppp_cp_parse_cr (bsc#1177206). - CVE-2020-25641:...
Moderate: Red Hat Security Advisory: idm:DL1 and idm:client security, bug fix, and enhancement update
An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...
freerdp: Out-of-bounds read in security_fips_decrypt in libfreerdp/core/security.c
An issue was discovered in FreeRDP before 2.1.1. An out-of-bounds (OOB) read vulnerability has been detected in security_fips_decrypt in libfreerdp/core/security.c due to an uninitialized value...
freerdp: out-of-bounds read in ntlm_read_AuthenticateMessage
In FreeRDP less than or equal to 2.0.0, there is an out-of-bounds read in ntlm_read_AuthenticateMessage. This has been fixed in 2.1.0...
Moderate: gnupg2 security, bug fix, and enhancement update
The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with OpenPGP and S/MIME standards. The following packages have been upgraded to a later upstream version: gnupg2 (2.2.20). (BZ#1663944) Security Fixes: GnuPG: interaction between the sks-keyserv...
Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
UPDATE: A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall...
CVE-2020-0423
In binder_release_work of binder.c, there is a possible use-after-free due to improper locking. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android...
Open-Xchange: XSS - Calendar - Unescaped common name of appointment participant
There is this function to get a participant's name: // frontend/ui/apps/io.ox/participants/chronos-views.js getDisplayName: function (model, options) { options = options || {}; var dn = model.get('contact') ? contactsUtil.getFullName(model.get('contact'), options.asHtml) : model.get('cn'); // 'email...