Lucene search

5327 matches found

Prion
added 2020/02/16 9:15 p.m., 10 views

Code injection

Arvato Skillpipe 3.0 allows attackers to bypass intended print restrictions by deleting from the HTML source code...

CVSS 4, AI score 4.7, EPSS 0.00226
Exploits 1, References 3, Affected Software 1
CVE
added 2020/02/16 8:17 p.m., 75 views

CVE-2020-9013

CVE-2020-9013 affects Arvato Skillpipe 3.0. The vulnerability arises from the HTML source, where removing the element div id="watermark" bypasses print restrictions. This is described across multiple sources (NVD/Red Hat) as an ability to bypass intended controls by manipulating the HTML watermar...

CVSS 4.3, AI score 4.6, EPSS 0.00226
Exploits 1, References 3, Affected Software 1
The Hacker News
added 2020/02/14 11:2 a.m., 1 views

U.S. Charges Huawei with Stealing Trade Secrets from 6 Companies

The US Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) charged Huawei with racketeering and conspiring to steal trade secrets from six US firms, in a significant escalation of a lawsuit against the Chinese telecom giant that began last year. Accusing Huawei and its affiliate...

AI score 5.8
Exploits 0
The Hacker News
added 2020/02/11 12:53 p.m., 2 views

App Used by Israel's Ruling Party Leaked Personal Data of All 6.5 Million Voters

An election campaigning website operated by Likud―the ruling political party of Israeli Prime Minister Benjamin Netanyahu―inadvertently exposed personal information of all 6.5 million eligible Israeli voters on the Internet, just three weeks before the country is going to have a legislative...

AI score 5.9
Exploits 0
ThreatPost
added 2020/02/10 4:25 p.m., 55 views

Docker Registries Expose Hundreds of Orgs to Malware, Data Theft

A slew of misconfigured Docker container registries has inadvertently exposed source code for 15,887 unique versions of applications owned by research institutes, retailers, news media organizations and technology companies. According to Palo Alto Networks’ Unit 42 division, the registries lacked...

AI score 7.4
Exploits 0, References 7
Pen Test Partners Blog
added 2020/02/07 10:0 a.m., 56 views

2×4 Security

I had someone at the house recently, talking about physical security. We have all the usual stuff like alarms and CCTV, locks on the windows and doors but the aim of the exercise was to have someone who is familiar with attack vectors (physical security in this case, but the principle applies to...

AI score 6.9
Exploits 0
Packet Storm
added 2020/02/06 12:0 a.m., 134 views

Online Job Portal 1.0 Cross Site Request Forgery

Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery Add User Dork: N/A Date: 2020-02-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html Software Link:...

AI score 0.4
Exploits 0
Packet Storm
added 2020/02/06 12:0 a.m., 176 views

Online Job Portal 1.0 SQL Injection

Exploit Title: Online Job Portal 1.0 - 'useremail' SQL Injection Dork: N/A Date: 2020-02-06 Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html Software Link:...

AI score 7.4
Exploits 0
0day.today
added 2020/02/06 12:0 a.m., 136 views

Online Job Portal 1.0 - Cross Site Request Forgery (Add User) Vulnerability

Exploit for php platform in category web applications Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery Add User Exploit Author: Ihsan Sencan Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html Software Link:...

AI score 7.1
Exploits 0
Hacker One
added 2020/02/05 2:16 p.m., 10 views

Engel & Völkers Technology GmbH BBP: Source Code Disclosure at http://service.engelvoelkers.com/alert/_backups/app

Summary: I found the source code of http://service.engelvoelkers.com/, compressed in the file app.gz, which can be downloaded at http://service.engelvoelkers.com/alert/backups/app. It contains the source code, some source code backups and other sensitive information such as production server mys...

AI score 6.8
Exploits 0
Tenable Nessus
added 2020/02/03 12:0 a.m., 49 views

FreeBSD : Gitlab -- Multiple Vulnerabilities (c5bd9068-440f-11ea-9cdb-001b217b3468)

Gitlab reports: Path Traversal to Arbitrary File Read; User Permissions Not Validated in ProjectExportWorker; XSS Vulnerability in File API; Package and File Disclosure through GitLab Workhorse; XSS Vulnerability in Create Groups; Issue and Merge Request Activity Counts Exposed; Email Confirmation...

CVSS 9.8, AI score 5.9, EPSS 0.00777
Exploits 1, References 19
FreeBSD
added 2020/01/30 12:0 a.m., 48 views

Gitlab -- Multiple Vulnerabilities

Gitlab reports: Path Traversal to Arbitrary File Read; User Permissions Not Validated in ProjectExportWorker; XSS Vulnerability in File API; Package and File Disclosure through GitLab Workhorse; XSS Vulnerability in Create Groups; Issue and Merge Request Activity Counts Exposed; Email Confirmation Bypa...

CVSS 9.8, AI score 2.1, EPSS 0.00777
Exploits 1, References 1
Kitploit
added 2020/01/29 11:30 a.m., 103 views

Obfuscapk - A Black-Box Obfuscation Tool For Android Apps

Obfuscapk is a modular Python tool for obfuscating Android apps without needing their source code, since apktool is used to decompile the original apk file and to build a new application, after applying some obfuscation techniques on the decompiled smali code, resources and manifest. The obfuscat...

AI score 7.1
Exploits 0, References 36
Kitploit
added 2020/01/28 11:30 a.m., 14 views

ApplicationInspector - A Source Code Analyzer Built For Surfacing Features Of Interest And Other Characteristics To Answer The Question 'What's In It' Using Static Analysis With A JSON Based Rules Engine

Microsoft Application Inspector is a software source code analysis tool that helps identify and surface well-known features and other interesting characteristics of source code to aid in determining what the software is or what it does. Application Inspector is different from traditional static...

AI score 7.6
Exploits 0, References 3
FreeBSD Advisory
added 2020/01/28 12:0 a.m., 8 views

FreeBSD-SA-20:03.thrmisc

FreeBSD-SA-20:03.thrmisc Security Advisory, The FreeBSD Project. Topic: kernel stack data disclosure; Category: core; Module: kernel; Announced: 2020-01-28; Credits: Ilja Van...

CVSS 3.3, AI score 5.8, EPSS 0.00119
Exploits 0
exploitpack
added 2020/01/23 12:0 a.m., 50 views

Remote Desktop Gateway - BlueGate Denial of Service (PoC)

Remote Desktop Gateway - BlueGate Denial of Service PoC include "BlueGate.h" / EDB Note: - Download Binary https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47964-1.exe - Download Source...

AI score 7.3
Exploits 0
0day.today
added 2020/01/23 12:0 a.m., 170 views

Remote Desktop Gateway - (BlueGate) Denial of Service Exploit

include "BlueGate.h" / EDB Note: - Download Binary https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47964-1.exe - Download Source https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47964-2.zip / void errorconst char msg printf"ERRO...

CVSS 9.8, AI score 9.6, EPSS 0.8877
Exploits 10
Exploit DB
added 2020/01/23 12:0 a.m., 229 views

Remote Desktop Gateway - 'BlueGate' Denial of Service (PoC)

include "BlueGate.h" / EDB Note: - Download Binary https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-1.exe - Download Source https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47964-2.zip / void errorconst char msg printf"ERROR:...

AI score 7.4
Exploits 0
Hacker One
added 2020/01/22 3:36 a.m., 33 views

Starbucks: Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/

@iampuky — thank you for reporting the original vulnerability and for confirming the resolution. While analyzing the Starbucks Korea mobile application, I noticed that it called an API at https://msr.istarbucks.co.kr:6443/appif/. It was found that the application running under that directory was...

AI score 1.9
Exploits 0
Hacker One
added 2020/01/21 9:45 a.m., 147 views

Ruby: Source code disclosed via S3 Bucket

Summary: Ruby has an Amazon S3 bucket named http://rubyci.s3.amazonaws.com/ which lists some of their log files. Those logs have some information to check the source code server-side directories. Steps to Reproduce: 1. Direct to http://rubyci.s3.amazonaws.com/ which has READ Permission...

AI score 0.9
Exploits 0