30 matches found

OSSF Malicious Packages
added 2025/11/24 9:02 p.m., 4 views

Malicious code in url-encode-decode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce07aaa237eff3cc95c7bb560f4096191d2d5328de45f176f3f8662ca7cd34 The package url-encode-decode was found to contain malicious code. Source: ghsa-malware...

AI score 6.9
Exploits: 0, References: 4
OSV
added 2025/11/24 9:02 p.m., 2 views

MAL-2025-190940 Malicious code in url-encode-decode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 37ce07aaa237eff3cc95c7bb560f4096191d2d5328de45f176f3f8662ca7cd34 The package url-encode-decode was found to contain malicious code. Source: ghsa-malware...

AI score 6.8
Exploits: 0, References: 4
vulnersOsv
added 2025/11/24 9:02 p.m., 2 views

123cli-guessing-game (=1.0.0), @slatwall/cra-template-ultra-commerce-storefront (>=0.2.0 <=0.3.3) +5 more potentially affected by unknown CVE via url-encode-decode (=1.0.0)

url-encode-decode NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on url-encode-decode and may be impacted:
- 123cli-guessing-game =1.0.0
- @slatwall/cra-template-ultra-commerce-storefront =0.2.0, =0.6.0, =1.0.0, =1.0.1, =0.1.0, =0.3.2...

AI score 5.8
Exploits: 0
vulnersOsv
added 2025/11/24 4:24 p.m., 1 view

123cli-guessing-game (=1.0.0), @slatwall/cra-template-ultra-commerce-storefront (>=0.2.0 <=0.3.3) +5 more potentially affected by unknown CVE via url-encode-decode (=1.0.0)

url-encode-decode NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on url-encode-decode and may be impacted:
- 123cli-guessing-game =1.0.0
- @slatwall/cra-template-ultra-commerce-storefront =0.2.0, =0.6.0, =1.0.0, =1.0.1, =0.1.0, =0.3.2...

AI score 5.8
Exploits: 0
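The two vulnersOsv entries above list packages that reach url-encode-decode only transitively. The practical check on your own side is to walk the lock file and print every chain that ends at the flagged package and version. The script below does that for the general case (any target package, any number of chains), as an added example written for this listing; it is not code from OSV, vulners or npm. The lock file embedded in it is constructed: apart from url-encode-decode@1.0.0, every package name and version is made up. It assumes the lockfileVersion 2/3 "packages" layout and a flat node_modules tree (no nested node_modules directories), which is the common case for a deduplicated install.

```python
"""Walk a package-lock.json and list every dependency chain that reaches a
named package: the check behind a "transitive dependency on X" alert.

Added example, not code from OSV, vulners or npm. SAMPLE_LOCK is constructed;
only url-encode-decode@1.0.0 is a real package name and version.
"""
import json

SAMPLE_LOCK = json.dumps({
    "name": "app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "1.0.0",
             "dependencies": {"helper": "^2.0.0", "@scope/widget": "^0.3.0"}},
        "node_modules/helper": {"version": "2.1.0",
                                "dependencies": {"url-encode-decode": "1.0.0"}},
        "node_modules/@scope/widget": {"version": "0.3.3",
                                       "dependencies": {"helper": "^2.0.0"}},
        "node_modules/url-encode-decode": {"version": "1.0.0"},
        "node_modules/unused-lib": {"version": "9.9.9"},   # present but unreachable
    },
})


def _graph(lock_json: str):
    """Build name -> [dependency names] and name -> version from the lock file.
    Assumes a flat tree: "node_modules/@scope/pkg" is the only copy of @scope/pkg."""
    packages = json.loads(lock_json)["packages"]
    deps, versions = {}, {}
    for path, meta in packages.items():
        # "" is the root project; "node_modules/@scope/pkg" -> "@scope/pkg"
        name = meta["name"] if path == "" else path.rsplit("node_modules/", 1)[-1]
        deps[name] = list(meta.get("dependencies", {}))
        versions[name] = meta.get("version", "?")
    return packages[""]["name"], deps, versions


def dependency_paths(lock_json: str, target: str) -> list:
    """Every chain root -> ... -> target, each as a list of 'name@version'."""
    root, deps, versions = _graph(lock_json)
    found = []

    def walk(name, chain, seen):
        if name == target:
            found.append(chain)
            return
        for dep in deps.get(name, []):
            if dep in seen:          # cycle guard for circular dependencies
                continue
            walk(dep, chain + [f"{dep}@{versions.get(dep, '?')}"], seen | {dep})

    walk(root, [f"{root}@{versions[root]}"], {root})
    return found


def installed_version(lock_json: str, target: str):
    """Version of `target` pinned by the lock file, or None if it is absent."""
    _, _, versions = _graph(lock_json)
    return versions.get(target)


if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_LOCK, "url-encode-decode"):
        print(" -> ".join(chain))
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file contents; an empty result for the flagged package means the alert does not apply to that tree, while a pinned version of 1.0.0 plus at least one chain means it does.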
wpexploit
added 2023/09/04 12:00 a.m., 145 views

All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF

Description: The plugin does not properly check nonce values in several actions, allowing an attacker to perform CSRF attacks. This CSRF attack will reject a Quote in the database.
1. Go to All In One Quote Quotes
2. Click "Add quote", fill in the title, and save.
3. Find the Quote ID, convert it ...

CVSS 8.8, AI score 8.8, EPSS 0.00202
Exploits: 2
Packet Storm
added 2023/04/06 12:00 a.m., 205 views

EasyNas 1.1.0 Command Injection

Exploit Title: EasyNas 1.1.0 - OS Command Injection
Date: 2023-02-9
Exploit Author: Ivan Spiridonov [email protected]
Author Blog: https://xbz0n.medium.com
Version: 1.0.0
Vendor home page: https://www.easynas.org
Authentication Required: Yes
CVE: CVE-2023-0830
#!/usr/bin/python3 import...

CVSS 8.8, AI score 8.8, EPSS 0.38532
Exploits: 5
Github Security Blog
added 2023/01/03 1:36 p.m., 143 views

httparty has multipart/form-data request tampering vulnerability

Impact: I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty. httparty/lib/httparty/request/body.rb def generate_multipart...

CVSS 5.3, AI score 5, EPSS 0.01196
Exploits: 1, References: 6, Affected Software: 1
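The advisory above is about one header: if the client pastes a user-controlled filename into Content-Disposition unescaped, a filename containing a quote or a line break can terminate the part and add fields the caller never set. The script below builds a multipart body both ways and parses it back the way a server would, so the extra fields are visible. It is an added example written for this listing, not httparty's code; the escaping rule (percent-encode `"`, CR and LF as %22, %0D, %0A) is one reasonable choice assumed here, the field and file names are made up, and the boundary is fixed so that the injected part lines up with it, i.e. the example assumes the attacker knows or can predict the boundary.

```python
"""Naive vs. escaped Content-Disposition filename in a multipart/form-data body.

Added example, not httparty's code. BOUNDARY, the fields and EVIL_FILENAME are
constructed; the escaping rule is an assumption for the demonstration.
"""
import email

BOUNDARY = "----demo-boundary-7f3a"   # fixed here so the injected part lines up with it


def _escape_filename(name: str) -> str:
    """Neutralise the characters that can close the quoted-string or end the header line."""
    return name.replace('"', "%22").replace("\r", "%0D").replace("\n", "%0A")


def build_body(fields: dict, file_field: str, filename: str, data: bytes, escape: bool) -> bytes:
    """Serialise ordinary fields plus one file part; `escape` selects the hardened header."""
    fname = _escape_filename(filename) if escape else filename
    parts = []
    for name, value in fields.items():
        parts.append(
            f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{file_field}"; '
         f'filename="{fname}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        + data + b"\r\n")
    parts.append(f"--{BOUNDARY}--\r\n".encode())
    return b"".join(parts)


def parse_field_names(body: bytes) -> list:
    """Parse the body as a server would and list the field names it sees, in order."""
    raw = f'Content-Type: multipart/form-data; boundary="{BOUNDARY}"\r\n\r\n'.encode() + body
    msg = email.message_from_bytes(raw)
    return [p.get_param("name", header="content-disposition") for p in msg.get_payload()]


# Constructed attacker filename: ends the current header block, closes the file
# part, adds a form field "role"="admin", then opens a dummy part that swallows
# the client's own trailing '"' and Content-Type line.
EVIL_FILENAME = (
    "x.txt\r\n\r\nINJECTED\r\n"
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n'
    f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="junk"; filename="z'
)


def demo():
    """Field names a server sees for the naive and the escaped body."""
    fields = {"comment": "hello"}
    naive = parse_field_names(build_body(fields, "file", EVIL_FILENAME, b"DATA", escape=False))
    safe = parse_field_names(build_body(fields, "file", EVIL_FILENAME, b"DATA", escape=True))
    return naive, safe


if __name__ == "__main__":
    print(demo())
```

With the naive builder the server sees four fields (comment, file, role, junk) although the caller set two; with the escaped filename it sees exactly the two the caller intended. Randomising the boundary per request raises the bar but is not the fix; escaping the header value is.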
Veracode
added 2022/12/14 2:50 a.m., 39 views

Server-side Request Forgery (SSRF)

cxf-core is vulnerable to Server-side Request Forgery (SSRF). The vulnerability exists due to the lack of URL encoding of the MTOM content-id, which allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type through the href attribute of XOP:Include...

CVSS 9.8, AI score 8.9, EPSS 0.00103
Exploits: 5, References: 4, Affected Software: 25
GithubExploit
added 2022/04/14 11:38 p.m., 342 views

Exploit for Code Injection in Vmware Identity_Manager

VMware-CVE-2022-22954-Command-Injector Proof of Concept for e...

CVSS 10, AI score 9.9, EPSS 0.94444
Exploits: 24
Exploit DB
added 2022/02/08 12:00 a.m., 385 views

Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated)

Exploit Title: Wing FTP Server - Authenticated RCE
Date: 02/06/2022
Exploit Author: notcos
Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.
Vendor Homepage: https://www.wftpserver.com/
Software Link: https://www.wftpserver.com/download/WingFtpServer.exe
Version: " %...

AI score 7.4
Exploits: 0
0day.today
added 2022/02/08 12:00 a.m., 335 views

Wing FTP Server 4.3.8 - Remote Code Execution (Authenticated) Exploit

Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution RCE Authenticated
Exploit Author: notcos
Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes.
Vendor Homepage: https://www.wftpserver.com/
Software Link: https://www.wftpserver.com/download/WingFtpServer.exe...

AI score 7.4
Exploits: 0
OSV
added 2020/10/15 12:00 p.m., 3 views

CLSA-2020-1605798462 Fix of 227 CVE

- Fix bug 69720: Null pointer dereference in phar_get_fp_offset
- Fix bug 70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker
- Fix bug 70661: Use After Free Vulnerability in WDDX Packet Deserialization
- Fix bug 70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
- Fix bug...

CVSS 10, AI score 7.9, EPSS 0.89192
Exploits: 88, References: 1
Hacker One
added 2019/11/08 2:03 p.m., 582 views

Ruby on Rails: The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes

When per_form_csrf_tokens is set to true, each form should be protected against CSRF with a unique token that is not predictable by an attacker. The per_form_csrf_token is generated using an HMAC SHA-256 with a key that is exposed in a reversed authenticity_token. The authenticity_token is a Base64 encoding ...

CVSS 4.3, AI score 0.3, EPSS 0.00443
Exploits: 1
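The report above hinges on two facts: the masked authenticity_token is reversible by anyone who holds it, and the per-form token is an HMAC keyed with exactly the value that reversal yields. The script below models that scheme so the forgery can be watched end to end, and puts the mitigated variant beside it. It is an added example modelled on the scheme the report describes (one-time pad XOR masking, Base64, HMAC-SHA256 keyed with the session's real token); it is not Rails' code, the function names are the example's own, and the mitigated variant assumes the fix of masking an HMAC-derived value (identifier string "!real_csrf_token" assumed) instead of the raw key, so that unmasking no longer yields the key.

```python
"""Reversible token masking and why it leaks the per-form HMAC key.

Added example modelled on the scheme in the report; not Rails' code. Function
names and the "!real_csrf_token" identifier are assumptions for the demonstration.
"""
import base64
import hashlib
import hmac
import os

TOKEN_LEN = 32


def mask(real: bytes) -> str:
    """Base64(pad || pad XOR real): a fresh pad each call hides repeats, nothing more."""
    pad = os.urandom(TOKEN_LEN)
    masked = bytes(a ^ b for a, b in zip(pad, real))
    return base64.b64encode(pad + masked).decode()


def unmask(token: str) -> bytes:
    """Reverse of mask(); anyone holding the token can do this, not only the server."""
    raw = base64.b64decode(token)
    pad, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(a ^ b for a, b in zip(pad, masked))


def per_form_token(key: bytes, action_path: str, method: str) -> bytes:
    """Per-form value: HMAC-SHA256 over the route, keyed with `key`."""
    return hmac.new(key, f"{action_path}#{method.lower()}".encode(), hashlib.sha256).digest()


def vulnerable_global_token(real: bytes) -> str:
    """Global token that masks the raw key itself: unmasking recovers the HMAC key."""
    return mask(real)


def fixed_global_token(real: bytes) -> str:
    """Global token that masks an HMAC-derived value: unmasking yields a digest, not the key."""
    return mask(hmac.new(real, b"!real_csrf_token", hashlib.sha256).digest())


def forge_attempt(global_token: str, action_path: str, method: str) -> str:
    """What an attacker can compute from one captured global token and a target route."""
    return mask(per_form_token(unmask(global_token), action_path, method))


def server_check(real: bytes, submitted: str, action_path: str, method: str) -> bool:
    """Server-side verification of a submitted masked per-form token."""
    expected = per_form_token(real, action_path, method)
    return hmac.compare_digest(unmask(submitted), expected)


def demo():
    """Does a forged per-form token pass? (vulnerable scheme, fixed scheme)."""
    real = os.urandom(TOKEN_LEN)             # session secret the client never sees directly
    route = ("/admin/users/1", "DELETE")     # constructed target route
    forged_vuln = forge_attempt(vulnerable_global_token(real), *route)
    forged_fixed = forge_attempt(fixed_global_token(real), *route)
    return server_check(real, forged_vuln, *route), server_check(real, forged_fixed, *route)


if __name__ == "__main__":
    print(demo())   # vulnerable scheme accepts the forgery, fixed scheme rejects it
```

The masking only defends against compression side channels such as BREACH; it is not encryption, so whatever is masked must be safe to hand to the client. Masking the raw HMAC key violates that, masking an HMAC output does not.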
Kitploit
added 2017/09/01 9:00 p.m., 18 views

Tulpar - Web Vulnerability Scanner

Tulpar is an open source web vulnerability scanner written to automate web penetration testing. Features: SQL Injection (GET method), XSS (GET method), Crawl, E-mail Disclosure, Credit Card Disclosure, Whois, Command Injection (GET method), Directory Traversal (GET method), File Include (GET method), Server...

AI score 6.9
Exploits: 0, References: 1
Hacker One
added 2017/05/27 6:27 a.m., 14 views

Informatica: [doc.rt.informaticacloud.com] Arbitrary File Reading via Double URL Encode

Hi. An attacker can read arbitrary files on the system via the following query: http://doc.rt.informaticacloud.com/infocenter/ActiveVOS/v92/topic/com.activee.bpep.doc/images/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd You can see the response here: F188500 root:x:0:0:root:/root:/bin/bash...

AI score 1.1
Exploits: 0
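The payload in the report above works because `%252f` survives the first decoding as `%2f` and only becomes `/` on a second decoding inside the application, after any check that ran on the once-decoded path. The script below shows both resolvers side by side: one that decodes twice and so walks out of the document root, and one that decodes once, refuses residual encoding, and confines the normalised path. It is an added example, not the vendor's code; the document root and request paths are constructed. Refusing a leftover `%` after one decode is a strictness choice assumed here, the containment check after normalisation is the essential part.

```python
"""Double URL-decoding path traversal and the single-decode, confine-to-root fix.

Added example, not the vendor's code. DOC_ROOT and the request paths are constructed.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/srv/docs/images"      # constructed document root


def resolve_naive(url_path: str) -> str:
    """Front end decodes once, application decodes again before touching the
    filesystem: '..%252f' -> '..%2f' -> '../'. Any check on the once-decoded
    value sees a harmless-looking file name."""
    once = unquote(url_path)
    twice = unquote(once)
    return posixpath.normpath(posixpath.join(DOC_ROOT, twice))


def resolve_hardened(url_path: str) -> Optional[str]:
    """Decode exactly once, reject anything still carrying encoding or a NUL,
    then confine the normalised absolute path to DOC_ROOT. None means reject."""
    once = unquote(url_path)
    if "%" in once or "\x00" in once:     # a second encoding layer is never legitimate here
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, once))
    # normpath collapses '..' so the prefix test is meaningful; '/srv/docs/images2'
    # must not pass, hence the trailing separator in the comparison.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full


PAYLOAD = "..%252f" * 8 + "etc/passwd"    # same shape as the report's query


if __name__ == "__main__":
    print("naive    :", resolve_naive(PAYLOAD))
    print("hardened :", resolve_hardened(PAYLOAD))
```

On a real server the confinement step should compare against the resolved (symlink-free) real path of the root, which this offline example cannot do.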
RedHat Linux
added 2016/11/15 11:40 a.m., 3 views

php: Integer overflow in php_raw_url_encode

Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this...

CVSS 7.5, AI score 7.3, EPSS 0.06468
Exploits: 1, References: 4
Hacker One
added 2016/06/17 12:33 p.m., 15 views

Nextcloud: Content Spoofing

Hi, I got a content spoofing vulnerability. Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. POC Link: https://nextcloud.com/.htacess%20THIS%20IS%20CONTENT%20SPOOFING...

AI score 0.7
Exploits: 0
Hacker One
added 2016/03/28 2:49 a.m., 16 views

Internet Bug Bounty: Integer Overflow in php_raw_url_encode

https://bugs.php.net/bug.php?id=71798...

AI score 6.9
Exploits: 0
Hacker One
added 2015/09/28 1:16 p.m., 14 views

Zendesk: Content Spoofing

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. It displays the same as it is entered. The crafted thing will make the user access or copy-paste the malicious site and...

AI score 2.3
Exploits: 0
Hacker One
added 2015/05/10 7:15 a.m., 54 views

HackerOne: Content Spoofing - External Link Warning Page

Here is an example link: Click Here. Raw Data: Click Here. Issue: On the external link warning page, this link is shown as plain text and is not force URL-encoded, allowing an attacker to frame sentences and trick users. In the given example, the attacker can trick the user into clicking the 'Proceed' button by saying it will redirect...

AI score 0.1
Exploits: 0