CVE-2022-1559

The Clipr WordPress plugin through 1.2.3 does not sanitise and escape its API Key setting before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered ...

CVE-2022-29178

Cilium is open source software for providing and securing network connectivity and loadbalancing between application workloads. Cilium prior to versions 1.9.16, 1.10.11, and 1.11.15 contains an incorr ...

CVE-2022-30782

Openmoney API through 2020-06-29 uses the JavaScript Math.random function, which does not provide cryptographically secure random numbers. ...

CVE-2022-25229

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)' field via the 'settings' page. The 'nodeIntegration' configuration is enabled, which allows the web page to use Node.js features, an ...
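Both the Clipr entry above and this Popcorn Time entry are the same root cause: an admin-controlled setting (an API key, a server URL) is written back into an HTML attribute without attribute-context escaping, so a `"` in the stored value closes the attribute and lets the attacker add an event handler. In Electron with `nodeIntegration` on, that injected script has `require` available, which is what turns a stored XSS into code execution on the desktop. The block below is an added example, not code from either project: it renders a constructed payload through an unsafe and an escaped template, then parses the resulting tag with a small quote-aware attribute parser to show that only the unsafe render grows an `onfocus` attribute. The field name `api_key` and the payload are constructed for the illustration.

```javascript
// Added example, not code from Clipr or Popcorn Time. Demonstrates an
// attribute-context breakout from a stored setting and the escaping that
// prevents it.

// Constructed attacker-supplied setting, as an admin might save it in a
// settings form. The leading `"` closes value="..." in the unsafe render.
const STORED_SETTING = 'abc" autofocus onfocus="alert(document.domain)';

// Vulnerable: string concatenation straight into an attribute value.
function renderUnsafe(value) {
  return `<input type="text" name="api_key" value="${value}">`;
}

// Hardened: escape the characters that can alter markup in an attribute.
// Quoting the attribute AND escaping both quote kinds is what closes the hole;
// escaping only `<` and `>` would still let `"` break out.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(value) {
  return `<input type="text" name="api_key" value="${escapeAttr(value)}">`;
}

// Minimal quote-aware attribute parser for a single start tag. It is only a
// checking aid for this example: it treats everything between matching quotes
// as one value, which is how a browser decides where an attribute ends.
function parseAttributes(tag) {
  const attrs = {};
  const end = tag.lastIndexOf('>');
  let i = tag.indexOf(' ');
  while (i >= 0 && i < end) {
    while (i < end && /\s/.test(tag[i])) i++;
    if (i >= end) break;
    let name = '';
    while (i < end && !/[\s=]/.test(tag[i])) name += tag[i++];
    while (i < end && /\s/.test(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < end && tag[i] !== q) value += tag[i++];
        i++; // skip the closing quote
      } else {
        while (i < end && !/\s/.test(tag[i])) value += tag[i++];
      }
    }
    if (name) attrs[name] = value;
  }
  return attrs;
}

// Returns the attribute names a browser would see for each rendering.
function injectedAttributes(value) {
  return {
    unsafe: Object.keys(parseAttributes(renderUnsafe(value))),
    safe: Object.keys(parseAttributes(renderSafe(value))),
  };
}

module.exports = { STORED_SETTING, renderUnsafe, renderSafe, escapeAttr, parseAttributes, injectedAttributes };
```

For the Electron case the escaping fix is necessary but not sufficient: a renderer that shows untrusted or user-editable content should also run with `nodeIntegration: false` and `contextIsolation: true`, so that a residual XSS cannot reach `require`.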

Improper Privilege Management API V2

# Description Some `api v2` endpoints do not check permissions, allowing attackers to retrieve/edit `ticket`, `account`, `group`, `department`, `team` and `ElasticSearch` information. # Proof of Concept *Get user ...

Register users in spite of Allow User Registration disabled

# Description An attacker can register a user even though `Allow User Registration` is disabled by default. # Proof of Concept 1. Go to `/captcha`, get the captcha value and cookie. ![alt text](htt ...

CVE-2022-30617

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., cr ...

CVE-2022-30618

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated ...
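The two Strapi entries above (CVE-2022-30617 and CVE-2022-30618) share a pattern: a content entry is returned with its relations populated, and the related user record comes back whole, password hash and reset tokens included. The defence is to sanitise the response after population, not only at the top level, since the leak sits several levels down inside `createdBy`, an author relation, or a relation of a relation. The block below is an added example, not Strapi's own sanitiser (Strapi marks such attributes `private: true` in the content-type schema and strips them itself once fixed): it walks an arbitrary API response, reports the JSON paths at which private fields appear, and returns a copy with them removed. The response shape, the field names and the set of private fields are constructed for the illustration.

```javascript
// Added example, not Strapi code. Audits and sanitises nested relation data
// in an API response so that private user fields never reach the client.

// Which attributes count as private is a policy decision; these three are the
// kind of fields the advisories above describe leaking.
const PRIVATE_FIELDS = new Set(['password', 'resetPasswordToken', 'registrationToken']);

// Constructed response, not real Strapi output. Relations are populated two
// levels deep, which is where the leak hides.
const SAMPLE_RESPONSE = {
  data: {
    id: 1,
    title: 'Hello',
    createdBy: {
      id: 7,
      email: 'editor@example.com',
      password: '$2a$10$constructedhash',
      resetPasswordToken: 'tok-reset-constructed',
    },
    author: { id: 3, username: 'alice', password: '$2a$10$constructedhash2' },
    tags: [
      { id: 1, name: 'news', createdBy: { id: 8, registrationToken: 'tok-reg-constructed' } },
    ],
  },
};

// Audit: return dotted paths (array indexes as numbers) of every private field
// anywhere in the value. Useful as a test-suite assertion on real endpoints.
function findPrivateFieldPaths(value, path = '', found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findPrivateFieldPaths(v, `${path}.${i}`, found));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (PRIVATE_FIELDS.has(k)) found.push(p);
      else findPrivateFieldPaths(v, p, found);
    }
  }
  return found;
}

// Sanitise: deep copy with private fields dropped at every depth. Assumes a
// JSON-serialisable response (no cycles), which is what an API returns.
function stripPrivateFields(value) {
  if (Array.isArray(value)) return value.map(stripPrivateFields);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (PRIVATE_FIELDS.has(k)) continue;
      out[k] = stripPrivateFields(v);
    }
    return out;
  }
  return value;
}

// Guard to place at the response boundary: fail closed if anything private
// survived sanitisation instead of sending it to the client.
function assertNoPrivateFields(value) {
  const leaks = findPrivateFieldPaths(value);
  if (leaks.length) throw new Error(`private fields in response: ${leaks.join(', ')}`);
  return value;
}

module.exports = { PRIVATE_FIELDS, SAMPLE_RESPONSE, findPrivateFieldPaths, stripPrivateFields, assertNoPrivateFields };
```

A deny-list like `PRIVATE_FIELDS` is the minimal fix; the more robust design is an allow-list per relation (return only `id` and `username` for a user, for example), so that a newly added secret column is hidden by default rather than leaked until someone remembers to list it.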

