CVE-2020-7232

Evoko Home devices 1.31 through 1.37 allow remote attackers to obtain sensitive information such as usernames and password hashes via a WebSocket request, as demonstrated by the sockjs/224/uf1psgff/websocket URI at a wss:// URL...

EUVD-2020-0552

Malware in sbrugna...

EUVD-2022-5749

Malicious code in bioql PyPI...

CVE-2020-16839

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request...

CVE-2018-21036

Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request...

CVE-2024-10948

A vulnerability in the upload function of binary-husky/gptacademic allows any user to read arbitrary files on the system, including sensitive files such as config.py. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket...

CVE-2024-10948 Arbitrary File Read via Upload Function in binary-husky/gpt_academic

A vulnerability in the upload function of binary-husky/gptacademic allows any user to read arbitrary files on the system, including sensitive files such as config.py. This issue affects the latest version of the product. An attacker can exploit this vulnerability by intercepting the websocket...

CVE-2024-10948

CVE-2024-10948 concerns binary-husky/gpt_academic. The vulnerability is in the upload function: an attacker can intercept the websocket during file upload and replace the target path with the path of a file they want to read. The server copies the requested file to a private_upload directory and ...

CVE-2022-24595

Automotive Grade Linux Kooky Koi 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, and 11.0.5 is affected by Incorrect Access Control in usr/bin/afb-daemon. To exploit the vulnerability, an attacker should send a well-crafted HTTP or WebSocket request to the socket listened by the afb-daemon process. No...

CVE-2020-16839

On Crestron DM-NVX-DIR, DM-NVX-DIR80, and DM-NVX-ENT devices before the DM-XIO/1-0-3-802 patch, the password can be changed by sending an unauthenticated WebSocket request...

GHSA-F7F4-HQP2-7PRC Improper Input Validation in sails-hook-sockets

Sails.js before v1.0.0-46 allows attackers to cause a denial of service with a single request because there is no error handler in sails-hook-sockets to handle an empty pathname in a WebSocket request...

Cross site scripting

Droppy versions 3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious user could add a new admin account under hi...