19 matches found
GHSA-GFC2-9QMW-W7VH Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Summary: The Glances web server exposes a REST API at /api/4/ that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (Access-Control-Allow-Origin: *). This allows a malicious website to read sensitive system information from a running...
EUVD-2000-0701
Malware in sbrugna...
Server-side Request Forgery (SSRF)
Overview: hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the hackmdApiUrl parameter in HTTP transport mode. An attacker can access internal...
CVE-2025-52572 Hikka vulnerable to RCE through dangling web interface
Hikka, a Telegram userbot, has a vulnerability that affects all users on all versions of Hikka. Two scenarios are possible. 1. The web interface does not have an authenticated session: an attacker can use their own Telegram account to gain RCE on the server by authorizing in the dangling web interface. 2. Web...
CVE-2025-25250
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability (CWE-200) in FortiOS version 7.6.0, version 7.4.7 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions SSL-VPN web-mode may allow an authenticated user to access full SSL-VPN settings via a crafted URL...
CVE-2021-26103
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy version 2.0.3 and below, 1.2.11 and below and FortiGate version 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-sit...
Cross site request forgery (csrf)
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of FortiProxy version 2.0.3 and below, 1.2.11 and below and FortiGate version 7.0.0, 6.4.6 and below, 6.2.9 and below of SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-sit...
Protect
An insufficient verification of data authenticity vulnerability (CWE-345) in the user interface of the FortiProxy and FortiGate SSL VPN portal may allow a remote, unauthenticated attacker to conduct a cross-site request forgery (CSRF) attack. Only SSL VPN in web mode or full mode is impacted by this...
Protect
A heap buffer overflow vulnerability in the FortiOS SSL VPN web portal may cause termination of the SSL VPN web service for logged-in users or potential remote code execution on FortiOS; this happens when an authenticated user visits a specifically crafted proxied webpage, and this is due to a...
CVE-2000-0705
ntop running in web mode allows remote attackers to read arbitrary files via a ".." (dot dot) attack...
CVE-2000-0706
Buffer overflows in ntop running in web mode allow remote attackers to execute arbitrary commands...
CVE-2000-0705
CVE-2000-0705: ntop running in web mode is vulnerable to a directory-traversal attack using ".." that enables remote attackers to read arbitrary files. The described impact is partial confidentiality, with no available details on exploitation status or a confirmed fix in the provided documents. ...
CVE-2000-0706
CVE-2000-0706: Public documents confirm a buffer overflow in ntop when running in web mode that enables remote arbitrary commands. The provided materials do not specify affected versions, root cause details, exploits, or any patch/workaround. Information on remediation is not available in the inc...
[SECURITY] New version of ntop released
Package: ntop
Problem type: remote exploit
Debian-specific: no

The updated version of ntop 1.2a7-10 that was released on August 5 was found to still be insecure: it was still exploitable using buffer overflows. Using this technique it was possible to run arbitrary code as the user who ran ntop ...
[SECURITY] New version of ntop released
------------------------------------------------------------------------
Debian Security Advisory                          security@debian.org
http://www.debian.org/security/                      Wichert Akkerman
August 30, 2000
------------------------------------------------------------------------

Package: ntop
Problem type: remote...
[ Hackerslab bug_paper ] ntop web mode vulnerability
================================================================================
Hackerslab bugpaper: ntop web mode vulnerability
================================================================================
Command : /sbin/ntop -w port
SYSTEM  : N/A
INFO    : ntop - display top network users -w...