GHSA-63WH-P5FX-H4VC BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
Summary Due to unsafe URL handling, bbot's gitclone.py can be made to leak a user's github.com API key to an attacker-controlled webserver. Impact A user who has placed their github.com API key in the configuration for any of the following modules: githubcodesearch githubworkflows gitlab gitclone...
EUVD-2017-4431
Malware in sbrugna...
PT-2022-7786 · Unknown · Yuna Scatari Tbdev
Name of the Vulnerable Software and Affected Versions: Yuna Scatari TBDev versions up to 2.1.17 Description: A vulnerability has been found in Yuna Scatari TBDev, classified as problematic. The issue affects the function get user icons of the file usersearch.php. The manipulation of the argument...
Improper Authentication in Pivotal Spring-LDAP
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting...
GHSA-PJQH-2JCC-5J84 Improper Authentication in Pivotal Spring-LDAP
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting...
Authentication flaw
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting...
CVE-2017-8028
In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some LDAP servers, when no additional attributes are bound, and when using LDAP BindAuthenticator with org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy as the authentication strategy, and setting...
Debian DLA-1180-1 : libspring-ldap-java security update
Tobias Schneider discovered that Spring-LDAP would allow authentication with an arbitrary password when the username is correct, no additional attributes are bound and when using LDAP BindAuthenticator with DefaultTlsDirContextAuthenticationStrategy as the authentication strategy and setting...
CVE-2017-8028
A vulnerability was found in spring-ldap that allows an attacker to authenticate with an arbitrary password. When spring-ldap connected to some LDAP servers, when no additional attributes are bound, when using LDAP BindAuthenticator with...
Authentication Bypass
spring-ldap-core is vulnerable to authentication bypass. If no additional attributes are bound when connecting to a LDAP server which uses BindAuthenticator with the DefaultTlsDirContextAuthenticationStrategy strategy, an attacker can set userSearch and pass a valid username with an arbitrary...
CVE-2017-12907
Cross-Site Scripting XSS exists in NexusPHP version v1.5 via the url path to usersearch.php...
Cross site scripting
Cross-Site Scripting XSS exists in NexusPHP version v1.5 via the url path to usersearch.php...
CVE-2017-12777
Cross-Site Scripting XSS exists in NexusPHP version v1.5 via some parameter to usersearch.php...
CVE-2011-1404
Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obtain sensitive information via a request associated with (1) blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3) group/membersearchresults.json.php, or (4)...
CVE-2007-5403
Multiple cross-site scripting (XSS) vulnerabilities in Layton HelpBox 3.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Forename, (2) Surname, (3) Telephone, and (4) Fax fields to writeenduserenduser.asp; the (5) Filter field to statsrequestypereport.asp; and the (6)...