CVE-2022-31263
app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions. Date published : 2022-05-23 https://github.com/mastodon/mastodon/pull/17909 https://github.com/mastodon/mastodon/releases/tag/v3.5.0
Rescue Dispatch Management System 1.0 suffers from Stored XSS, leading to admin account takeover via cookie stealing. Date published : 2022-05-23 https://github.com/offsecin/bugsdisclose/blob/main/stored-xss https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html
Rescue Dispatch Management System 1.0 is vulnerable to Incorrect Access Control via http://localhost/rdms/admin/?page=system_info. Date published : 2022-05-23 https://github.com/offsecin/bugsdisclose/blob/main/access-control https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html
In Simple Food Website 1.0, a moderator can put a cross-site scripting payload in any of the fields on http://127.0.0.1:1234/food/admin/all_users.php, such as Full Username. This causes stored XSS. Date published : 2022-05-23 https://github.com/offsecin/bugsdisclose/blob/main/xss...
Lumidek Associates Simple Food Website 1.0 is vulnerable to Cross Site Request Forgery (CSRF), which allows anyone to take over an admin or moderator account. Date published : 2022-05-23 http://lumidek.com http://simple.com
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. Date published : 2022-05-23 https://github.com/apache/maven-shared-utils/pull/40 https://issues.apache.org/jira/browse/MSHARED-297
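The maven-shared-utils entry above describes the general failure mode of wrapping an argument in double quotes and escaping nothing: a POSIX shell still performs command substitution, variable expansion and backslash processing inside double quotes, so the "quoting" is not a boundary. The following is an added Python example, not code from the Maven project, that reproduces the problem with a constructed payload and shows two correct alternatives (escaping the four characters that stay special inside double quotes, or single-quoting via `shlex.quote`). It assumes `/bin/sh` is available; the function names are mine.

```python
import shlex
import subprocess


def naive_double_quote(arg: str) -> str:
    """Wrap the argument in double quotes without escaping anything.

    This mirrors the flawed behaviour described in the advisory: inside
    double quotes the shell still expands $(...), `...`, $VAR and
    backslash sequences, so an attacker-controlled argument becomes code.
    """
    return '"' + arg + '"'


def escaped_double_quote(arg: str) -> str:
    """Double-quote the argument and backslash-escape the four characters
    that keep their special meaning inside double quotes: \\ " $ and `.
    Backslash is escaped first so later escapes are not doubled."""
    escaped = (
        arg.replace("\\", "\\\\")
           .replace('"', '\\"')
           .replace("$", "\\$")
           .replace("`", "\\`")
    )
    return '"' + escaped + '"'


def single_quote(arg: str) -> str:
    """shlex.quote: single quotes, inside which the shell expands nothing."""
    return shlex.quote(arg)


def run_in_shell(quoted_arg: str) -> str:
    """Hand 'echo <quoted_arg>' to sh as one string, the way a shell-mode
    command launcher would, and return what echo actually printed."""
    result = subprocess.run(["sh", "-c", "echo " + quoted_arg],
                            capture_output=True, text=True, check=False)
    return result.stdout.rstrip("\n")


# Constructed attacker-controlled argument (assumption for this example):
# it should reach the program literally, but to the shell it is a
# command substitution.
PAYLOAD = "$(echo INJECTED)"


def demo() -> dict:
    """Run the payload through each quoting strategy and collect the output."""
    return {
        "naive": run_in_shell(naive_double_quote(PAYLOAD)),
        "escaped": run_in_shell(escaped_double_quote(PAYLOAD)),
        "single": run_in_shell(single_quote(PAYLOAD)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:8} -> {out}")
```

Only the naive strategy lets `echo INJECTED` run; the other two deliver the literal text `$(echo INJECTED)` to the program. Single quoting is the simpler rule to get right, since the only character that needs handling is the single quote itself.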
Totolink A3600R V4.1.2cu.5182_B20201102 was discovered to contain a stack overflow in the fread function at infostat.cgi. This vulnerability allows attackers to cause a Denial of Service (DoS) via the parameter CONTENT_LENGTH. Date published :...
Xampp for Windows v8.1.4 and below was discovered to contain insecure permissions for its install directory, allowing attackers to execute arbitrary code via overwriting binaries located in the directory. Date published : 2022-05-23 https://github.com/ycdxsb/Vuln/blob/main/Xampp-Install-Dir-Incorrect-Default-Permission/Xampp-Install-Dir-Incorrect-Default-Permission.md
mysiteforme v2.2.1 was discovered to contain a Server-Side Request Forgery. Date published : 2022-05-23 https://github.com/wangl1989/mysiteforme/issues/43
imgurl v2.31 was discovered to contain a Blind SQL injection vulnerability via /upload/localhost. Date published : 2022-05-23 https://github.com/helloxz/imgurl/issues/75
Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname...
Diary Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name parameter in search-result.php. Date published : 2022-05-23 http://phpgurukul.com https://github.com/sudoninja-noob/CVE-2022-29004/blob/main/CVE-2022-29004.txt
A Cross-Site Request Forgery (CSRF) in XXL-Job v2.3.0 allows attackers to arbitrarily create administrator accounts via the component /gaia-job-admin/user/add. Date published : 2022-05-23 https://github.com/xuxueli/xxl-job/issues/2821
Insecure permissions on the install directories and binaries of Dev-CPP v4.9.9.2 allow attackers to execute arbitrary code via overwriting the binary devcpp.exe. Date published : 2022-05-23 https://github.com/ycdxsb/Vuln/blob/main/Dev-Cpp-BloodShed-Incorrect-Install-Permission
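The XAMPP and Dev-C++ entries above are the same class of bug: an install directory whose ACL grants write access to every local user, so any user can replace a binary that an administrator later runs. The following is an added Python example, not code from either project or from the linked write-ups, that parses `icacls` output and flags allow-ACEs giving a broad identity any write-capable right. The sample output is constructed (not captured from a real install), the identity and rights lists are my own choices, and `audit_directory` only works on Windows where `icacls` exists; the pure parsing functions run anywhere.

```python
import re
import subprocess
import sys

# Identities that every local user (or everyone on the network) belongs to.
# Assumption: this set is a reasonable starting list, not an exhaustive one.
BROAD_IDENTITIES = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# icacls right tokens that allow modifying existing files or creating new
# ones: full control (F), modify (M), generic write (W), plus the specific
# rights write data (WD), append data (AD), write attributes/EA (WA, WEA),
# delete (D, DE), write DAC (WDAC), write owner (WO), generic all/write (GA, GW).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DE", "WDAC", "WO", "GA", "GW"}


def parse_icacls(output: str, path: str):
    """Yield (identity, token set) for each ACE in icacls output for `path`.

    icacls prints the path once, on the same line as the first ACE, and every
    further ACE on its own indented line, formatted IDENTITY:(flag)(flag)(rights),
    where a rights group may be a comma-separated list such as (RX,W).
    """
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if raw.startswith(path):           # first line carries the path
            line = raw[len(path):].strip()
        ident, sep, rest = line.partition(":(")
        if not sep:
            continue
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", "(" + rest):
            tokens.update(t.strip() for t in group.split(","))
        yield ident, tokens


def find_weak_aces(output: str, path: str):
    """Return [(identity, sorted write rights)] for allow-ACEs that give a
    broad identity some form of write access. Deny ACEs are skipped."""
    weak = []
    for ident, tokens in parse_icacls(output, path):
        if "DENY" in tokens or ident.lower() not in BROAD_IDENTITIES:
            continue
        granted = sorted(tokens & WRITE_RIGHTS)
        if granted:
            weak.append((ident, granted))
    return weak


def audit_directory(path: str):
    """Run icacls on a live Windows system and report weak ACEs for `path`."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("icacls is only available on Windows")
    out = subprocess.run(["icacls", path], capture_output=True,
                         text=True, check=True).stdout
    return find_weak_aces(out, path)


# Constructed sample output (assumption), modelled on what icacls prints for
# an install directory that grants all local users write access.
SAMPLE_OUTPUT = r"""C:\xampp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
         BUILTIN\Administrators:(OI)(CI)(F)
         BUILTIN\Users:(OI)(CI)(F)
         NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
         Everyone:(DENY)(OI)(CI)(WD)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ident, rights in find_weak_aces(SAMPLE_OUTPUT, r"C:\xampp"):
        print(f"{ident}: {','.join(rights)}")
```

The two flagged ACEs (BUILTIN\Users with full control, Authenticated Users with modify) are exactly the condition the two advisories describe; a hardened install grants those identities read and execute only.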