33 matches found
CVE-2019-16301
An issue was discovered in Open Network Operating System ONOS 1.14. In the virtual tenant network application org.onosproject.vtn, the host event listener does not handle the following event types: HOSTMOVED. In combination with other applications, this could lead to the absence of intended code...
U.S. Dept Of Defense: POST XSS - data[account][id] parameter
A cross-site scripting (XSS) vulnerability was discovered in the POST method through the "data[account][id]" parameter. The vulnerability allowed the injection of malicious scripts that would execute in a victim's browser. The affected system was located on a system host. The vulnerability was not assigned a CVE number...
U.S. Dept Of Defense: DoD workstation exposed to internet via TinyPilot KVM with no authentication
The DoD workstation was exposed to the internet via a TinyPilot KVM device without any authentication. The TinyPilot KVM device was connected to the workstation and allowed remote access to the system over the internet...
U.S. Dept Of Defense: Email Takeover leads to permanent account deletion
The vulnerability allowed an attacker to change the email address on a victim's account, which led to the permanent deletion of the victim's account. It was caused by a missing authentication check on the change-email function...
SimpleSAMLphp Information Disclosure vulnerability
Background SimpleSAMLphp 1.17 includes a preview of the new user interface to be included in the future version 2.0. This new user interface can be enabled by setting the usenewui configuration option to true, and it includes a new admin interface in a module called admin, which can be disabled...
[SECURITY] Fedora 38 Update: golang-gvisor-20240408.0-1.20240418git9e5a99b.fc38
gVisor is an open-source, OCI-compatible sandbox runtime that provides a virtualized container environment. It runs containers with a new user-space kernel, delivering a low overhead container security solution for high-density applications. gVisor integrates with Docker, containerd and Kubernete...
U.S. Dept Of Defense: XSS parameter: Username - █████████
The report describes a cross-site scripting XSS vulnerability in the username parameter of an application. The vulnerability was demonstrated using Burp Suite, where the attacker was able to inject malicious JavaScript code into the username field. No further details were provided about the...
U.S. Dept Of Defense: ███ leaking PII of tour visitors (names, email addresses, phone numbers) via misconfigured record permissions
The ████████ portal was found to be leaking sensitive personal information, including full names, email addresses, and phone numbers of its users. The issue was caused by a misconfiguration that allowed registered users to access records of other users, potentially exposing the data of hundreds o...
U.S. Dept Of Defense: Unauthorized access to Argo dashboard on █████
The Argo deployment on █████ was found to be vulnerable to unauthorized access, allowing manipulation of workflows and sensors. This could lead to compromise of sensitive data. Urgent mitigation is advised...
U.S. Dept Of Defense: Elasticsearch is currently open without authentication on https://██████l
An Elasticsearch instance accessible at https://██████l was found to be open without authentication, exposing data to unauthorized access. The vulnerability allowed listing and extraction of sensitive data stored in the Elasticsearch indexes. To mitigate, authentication and authorization controls...
U.S. Dept Of Defense: IDOR to delete profile images in https:███████
A vulnerability was discovered in which profile images could be deleted by supplying another user's ID in a GET request. This allowed unauthorized deletion of other users' profile images...
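The IDOR above has two ingredients: the handler trusts a caller-supplied user ID instead of the session, and it performs a destructive action on GET. The block below is an added, constructed example (not the reported application's code) that models both the flawed handler and a hardened one; the `ProfileImageStore` class, user IDs and CSRF token are illustrative assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: a minimal in-memory profile-image store. Not the
# reported DoD application's code; names and IDs are assumptions.


@dataclass
class User:
    user_id: int
    profile_image: Optional[str]


class ProfileImageStore:
    def __init__(self, users):
        self.users: Dict[int, User] = {u.user_id: u for u in users}

    def delete_image_vulnerable(self, method: str, params: dict, session_user_id: int) -> int:
        """Flawed handler: honours GET and trusts params['user_id'] (the IDOR)."""
        target = int(params["user_id"])          # attacker controls this
        self.users[target].profile_image = None  # no check that target == session user
        return 200

    def delete_image_hardened(self, method: str, params: dict, session_user_id: int,
                              csrf_token: str, expected_csrf: str) -> int:
        """Hardened handler: state change only on POST/DELETE, CSRF-checked,
        and the object acted on is derived from the session, not the request."""
        if method not in ("POST", "DELETE"):
            return 405                           # GET must never mutate state
        if not hmac.compare_digest(csrf_token, expected_csrf):
            return 403
        # Ignore any user_id in the request entirely; act only on the caller.
        target = session_user_id
        if "user_id" in params and int(params["user_id"]) != target:
            return 403                           # worth logging as an IDOR attempt
        self.users[target].profile_image = None
        return 204


def demo():
    """Attacker (id 7) tries to delete the victim's (id 42) image both ways."""
    users = [User(7, "attacker.png"), User(42, "victim.png")]
    store = ProfileImageStore(users)
    vuln_status = store.delete_image_vulnerable("GET", {"user_id": "42"}, session_user_id=7)
    vuln_victim_image = store.users[42].profile_image

    store2 = ProfileImageStore([User(7, "attacker.png"), User(42, "victim.png")])
    hard_status = store2.delete_image_hardened("POST", {"user_id": "42"}, 7, "tok", "tok")
    hard_victim_image = store2.users[42].profile_image
    get_status = store2.delete_image_hardened("GET", {}, 7, "tok", "tok")
    return vuln_status, vuln_victim_image, hard_status, hard_victim_image, get_status


if __name__ == "__main__":
    print(demo())
```

The hardened version derives the target from the session and rejects any request that names a different user, so an `id` parameter in the URL can only ever select the caller's own resource.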
U.S. Dept Of Defense: Unauthenticated Jenkins instance exposed information related to █████
Vulnerability description not provided...
U.S. Dept Of Defense: Adobe ColdFusion Access Control Bypass - CVE-2023-38205
A vulnerability in Adobe ColdFusion was discovered that allowed bypassing access controls by using malicious path traversal in URLs targeting the /CFIDE/wizards/common/utils.cfc endpoint. This enabled attackers to reach endpoints that should have been restricted. The issue affected Adobe ColdFusi...
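The pattern behind an access-control bypass via path traversal is an allow/deny decision made on the raw request path before it is canonicalized, so `..` segments and percent-encoding let a request reach a path the check meant to block. The block below is an added, constructed illustration of that check done wrong and done right; it does not reproduce ColdFusion's own code or the exact request used in CVE-2023-38205, and the sample paths are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Constructed example. Paths under /CFIDE/ are treated as restricted, as in
# the advisory above; the check logic here is illustrative, not ColdFusion's.
RESTRICTED_PREFIXES = ("/cfide/",)


def is_restricted_naive(raw_path: str) -> bool:
    """Flawed: decides on the raw path, so '/x/../CFIDE/...' or '%2e%2e' slip past."""
    return raw_path.lower().startswith(RESTRICTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any policy decision.

    Percent-decoding is applied twice on purpose: for a deny-list this errs on
    the side of denying, which is the safe direction (assumption of this example).
    """
    path = unquote(unquote(raw_path))
    path = path.replace("\\", "/")                      # tolerate backslash traversal
    path = posixpath.normpath("/" + path.lstrip("/"))    # collapse '.', '..', '//'
    return path


def is_restricted_hardened(raw_path: str) -> bool:
    """Correct ordering: canonicalize first, then compare (case-insensitively)."""
    return canonicalize(raw_path).lower().startswith(RESTRICTED_PREFIXES)


def evaluate(raw_path: str) -> dict:
    return {
        "raw": raw_path,
        "canonical": canonicalize(raw_path),
        "naive_blocks": is_restricted_naive(raw_path),
        "hardened_blocks": is_restricted_hardened(raw_path),
    }


if __name__ == "__main__":
    for p in ("/CFIDE/wizards/common/utils.cfc",
              "/public/..%2F..%2FCFIDE/wizards/common/utils.cfc",
              "/public/about.cfm"):
        print(evaluate(p))
```

Any request whose canonical form differs from its raw form is also worth logging: in a WAF or reverse proxy that is the cheapest detection for traversal attempts against a deny-listed path.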
U.S. Dept Of Defense: Reflected XSS in ██████████
A reflected XSS vulnerability was found on one of the subdomains of a website. The vulnerability was present in the "militarybranch" parameter of the "NextRequestAccount.action" page. An attacker could exploit this vulnerability to execute XSS attacks and steal users' cookies, launch phishing...
U.S. Dept Of Defense: Reflected XSS in ██████
A reflected XSS vulnerability was found on one of the subdomains of a system. The vulnerability was located in the emailbody parameter of the PreviewLetterhead.aspx page. An attacker could exploit this vulnerability to execute malicious scripts and steal users' cookies, launch phishing attacks, a...
U.S. Dept Of Defense: reflected xss in www.████████.gov
A reflected XSS vulnerability was discovered in a government website, allowing an attacker to execute malicious scripts on a victim's browser. The vulnerability could lead to cookie stealing, arbitrary requests, malware download, and defacement of the website. The vulnerability was triggered by...
U.S. Dept Of Defense: XSS via Client Side Template Injection on www.███/News/Speeches
Dear DoD Team, I am able to execute JavaScript code on www.███████/News/Speeches. This endpoint has a search function with the parameter Search. The value supplied to this parameter is embedded into the website. Furthermore, the frontend of the website is presumably built with a templat...
U.S. Dept Of Defense: External service interaction ( DNS and HTTP ) in www.████████
An external service interaction vulnerability was found in www.█████████, allowing an attacker to induce the application to issue requests to arbitrary external services over DNS and HTTP. The report lists denial of service (including DDoS), OS command injection, and code manipulation as possible consequences...
U.S. Dept Of Defense: stored cross site scripting in https://████████.edu
A stored cross-site scripting XSS vulnerability was discovered in the ████████.edu website. This vulnerability allowed an attacker to inject and execute malicious scripts on a victim's browser, potentially leading to cookie theft, arbitrary requests, malware downloads, or website defacement...
U.S. Dept Of Defense: stored cross site scripting in https://███
It was observed that the application is vulnerable to cross-site scripting (XSS). XSS is a type of attack that involves running malicious scripts in a victim's browser. PoC attached; another parameter at 1636345 q21675. Impact: Cookie Stealing - A malicious user can steal cookies and use them to gai...