|
The service offers a survey to check the compliance of an organization with the GDPR (General Data Protection... |
The main goal of the tool is to provide a simple and quick tool for cyber risk self-assessment. The tool requires two... |
The service analyzes a DNS request log and detects if there are domain names which can be generated by a Domain... |
This service collects data related to public available exploits. The database is updated daily through the official... |
| Published | Description | |
|---|---|---|
| CVE-2020-25533 |
15-01-2021 22:15:00 |
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct a situation where the same PID is used for running two different programs at different times, by leveraging a race condition during crafted use of posix_spawn. |
| CVE-2021-3162 |
15-01-2021 22:15:00 |
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation. |
| CVE-2021-21246 |
15-01-2021 21:15:00 |
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/{id}` endpoint there are no security checks enforced so it is possible to retrieve arbitrary user details including their Access Tokens! These access tokens can be used to access the API or clone code in the build spec via the HTTP(S) protocol. It has permissions to all projects accessible by the user account. This issue may lead to `Sensitive data leak` and leak the Access Token which can be used to impersonate the administrator or any other users. This issue was addressed in 4.0.3 by removing user info from restful api. |
| CVE-2021-21248 |
15-01-2021 21:15:00 |
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability involving the build endpoint parameters. InputSpec is used to define parameters of a Build spec. It does so by using dynamically generated Groovy classes. A user able to control job parameters can run arbitrary code on OneDev's server by injecting arbitrary Groovy code. The ultimate result is in the injection of a static constructor that will run arbitrary code. For a full example refer to the referenced GHSA. This issue was addressed in 4.0.3 by escaping special characters such as quote from user input. |
| CVE-2021-21242 |
15-01-2021 21:15:00 |
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or authorization checks. This issue may lead to pre-auth remote code execution. This issue was fixed in 4.0.3 by removing AttachmentUploadServlet and not using deserialization |
| Date | Title | Platform | Author |
|---|---|---|---|
|
15-01-2021 |
Online Hotel Reservation System 1.0 - 'description' Stored Cross-site Scripting | php | Mesut Cetin |
|
15-01-2021 |
WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS) | php | Rahul Ramakant Singh |
|
15-01-2021 |
Alumni Management System 1.0 - _Last Name field in Registration page_ Stored XSS | php | Siva Rajendran |
|
15-01-2021 |
PHP-Fusion CMS 9.03.90 - Cross-Site Request Forgery (Delete admin shoutbox message) | php | Mohamed Oosman |
|
15-01-2021 |
EyesOfNetwork 5.3 - File Upload Remote Code Execution | multiple | Audencia Business SCHOOL Red Team |
Italiano
English