Security
Headlines
HeadlinesLatestCVEs

Tag

#debian

CVE-2022-28109: CSRF and DNS-rebinding to RCE in Selenium Server (Grid)

Selenium Selenium Grid (formerly Selenium Standalone Server) Fixed in 4.0.0-alpha-7 is affected by: DNS rebinding. The impact is: execute arbitrary code (remote). The component is: WebDriver endpoint of Selenium Grid / Selenium Standalone Server. The attack vector is: Triggered by browsing to to a malicious remote web server. The WebDriver endpoint of Selenium Server (Grid) is vulnerable to DNS rebinding. This can be used to execute arbitrary code on the machine.

CVE
Open in Source
#csrf#vulnerability#web#mac#debian#js#java
CVE-2021-40422: TALOS-2021-1431 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the device password generation functionality of Swift Sensors Gateway SG3-1010. A specially-crafted network request can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

CVE-2021-43286: Releases - Version notes | GoCD

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.

CVE-2015-20107: [CVE-2015-20107] mailcap.findmatch: document shell command Injection danger in filename parameter · Issue #68966 · python/cpython

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

CVE-2022-27263: GitHub - strapi/strapi: 🚀 Open source Node.js Headless CMS to easily build customisable APIs

An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.

CVE-2021-43517: Full disclosure: 0day vulnerability (backdoor) in firmware for Xiaongmai-based DVRs, NVRs and IP cameras

FOSCAM Camera FI9805E with firmware V4.02.R12.00018510.10012.143900.00000 contains a backdoor that opens Telnet port when special command is sent on port 9530.

CVE-2022-26982: 0days/Exploit.txt at main · sartlabs/0days

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

CVE-2022-27920: Release 10.1.0 · Issue #728 · kiwix/libkiwix

libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in webserver functionality via the search suggestions URL parameter. This is fixed in 10.1.0.

CVE-2021-39491: [SECURITY] - Stored Cross-site Scripting while deleting a scan engine in the Scan Engine deletion confirmation modal box! · Issue #460 · yogeshojha/rengine

A Cross Site Scripting (XSS) vulnerability exists in Yogesh Ojha reNgine v1.0 via the Scan Engine name file in the Scan Engine deletion confirmation modal box . .

CVE-2022-26285: Multiple-SQLi-in-Simple-Subscription-Company/apply_sqli.py at main · Dir0x/Multiple-SQLi-in-Simple-Subscription-Company

Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the apply endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP requests.