Security
Headlines
HeadlinesLatestCVEs

Headline

Yellowfin Cross Site Scripting / Insecure Direct Object Reference

Yellowfin versions prior to 9.6.1 suffer from persistent cross site scripting and insecure direct object reference vulnerabilities.

Packet Storm

Related news

CVE-2021-36387: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".

CVE-2021-36388: Yellowfin-Multiple-Vulnerabilities/README.md at main · cyberaz0r/Yellowfin-Multiple-Vulnerabilities

In Yellowfin before 9.6.1 it is possible to enumerate and download users profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".

CVE-2021-36389: Yellowfin Cross Site Scripting / Insecure Direct Object Reference ≈ Packet Storm

In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".

CVE-2021-42228: There is a csrf vulnerability in kindeditor - 4.1.* · Issue #337 · kindsoft/kindeditor

A Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x, as demonstrated by examples/uploadbutton.html.

CVE-2021-41565: TWCERT/CC台灣電腦網路危機處理暨協調中心-Tad TadTools - Reflected XSS

TadTools special page parameter does not properly restrict the input of specific characters, thus remote attackers can inject JavaScript syntax without logging in, and further perform reflective XSS attacks.

CVE-2021-36872: wordpress-popular-posts/changelog.md at master · cabrerahector/wordpress-popular-posts

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress Popular Posts plugin (versions <= 5.3.3). Vulnerable at &widget-wpp[2][post_type].

CVE-2021-40346: Repositories - haproxy.git/summary

An integer overflow exists in HAProxy 2.0 through 2.5 in htx_add_header that can be exploited to perform an HTTP request smuggling attack, allowing an attacker to bypass all configured http-request HAProxy ACLs and possibly other ACLs.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution