CVE-2022-26332
Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name field. Date published : 2022-02-28 https://github.com/andreapollastri/cipi/releases https://www.exploit-db.com/exploits/50788
qrcp through 0.8.4, in receive mode, allows ../ Directory Traversal via the file name specified by the uploader. Date published : 2022-02-28 https://github.com/claudiodangelis/qrcp/issues/223
Dropbox Lepton v1.2.1-185-g2a08b77 was discovered to contain a heap-buffer-overflow in the function aligned_dealloc():src/lepton/bitops.cc:108. Date published : 2022-02-28 https://drive.google.com/file/d/1bJlHozO37c5NZ1wI0NBWh0yHHyTcfaQL/view?usp=sharing https://github.com/dropbox/lepton
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. It accepts and reflects arbitrary domains supplied via a client-controlled Host header. Injection of a malicious URL in the Host:...
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. The ASP.NET_Sessionid cookie is not protected by the Secure flag. This makes it prone to interception by an attacker if...
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. Injection of a malicious payload within the RelayState= parameter of the HTTP request body results in the hijacking of the...
An issue was discovered in the web application in Cherwell Service Management (CSM) 10.2.3. XSS can occur via a payload in the SAMLResponse parameter of the HTTP request body. Date published : 2022-02-28 https://github.com/l00neyhacker/CVE-2022-26155...
Obyte (formerly Byteball) Wallet before 3.4.1 allows XSS. A crafted chat message can lead to remote code execution. Date published : 2022-02-28 https://github.com/byteball/obyte-gui-wallet/releases/tag/v3.4.1 https://obyte.org/faq
Maxsite CMS v108 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_tags at /admin/page_edit/3. Date published : 2022-02-28 https://github.com/maxsite/cms/issues/484
Maxsite CMS v180 was discovered to contain multiple arbitrary file deletion vulnerabilities in /admin_page/all-files-update-ajax.php via the dir and deletefile parameters. Date published : 2022-02-28 https://github.com/maxsite/cms/issues/486
A Remote Code Execution (RCE) vulnerability at /admin/options in Maxsite CMS v180 allows attackers to execute arbitrary code via a crafted PHP file. Date published : 2022-02-28 https://github.com/maxsite/cms/issues/487
Maxsite CMS v180 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the parameter f_file_description at /admin/files. Date published : 2022-02-28 https://github.com/maxsite/cms/issues/485
Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the demail parameter at /admin-panel1.php. Date published : 2022-02-28 https://github.com/kishan0725/Hospital-Management-System/issues/20
Hospital Management System v1.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the dpassword parameter at /admin-panel1.php. Date published : 2022-02-28 https://github.com/kishan0725/Hospital-Management-System/issues/22