CVE-2020-11976 - Apache Wicket LFI / markup file read vulnerability, coming soon.
------------------------------------------
Mariusz Popławski / AFINE.com team
CVE-2019-19129 - Remote Stored XSS in attachment's name
------------------------------------------
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.
Afterlogic blog post:
https://auroramail.wordpress.com/2019/11/25/vulnerability-closed-in-webmail-and-aurora-remote-stored-xss-in-attachments-name/
Mariusz Popławski / AFINE.com team
CVE-2020-13443
https://gist.github.com/mariuszpoplawski/703586aa068bdad21f2c098f396ce04f
------------------------------------------
[Suggested description]
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
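Added example (not ExpressionEngine code and not part of the advisory): a Python sketch of why a blocklist on the literal extension lets "shell.php%20" through, next to an allowlist check on a canonicalised name. The advisory does not say where the trailing space is dropped; the example assumes the check ran on the decoded name and the space was discarded afterwards, by a trim() or by the filesystem. The sample file names, the extension sets and the storage-name helper are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample names, as they would arrive in a multipart upload before
# any decoding. "shell.php%20" mirrors the reported bypass: once decoded it
# is "shell.php " with a trailing space.
SAMPLE_NAMES = ["report.pdf", "shell.php%20", "shell.PHP", "shell.php%00.pdf",
                "archive.tar.gz", "notes.php.txt"]

# Extensions that must never be stored under a web-served path.
BLOCKED = {"php", "phtml", "php3", "php4", "php5", "phar"}
# Extensions this hypothetical attachment feature actually needs.
ALLOWED = {"pdf", "txt", "png", "jpg", "gz"}


def naive_is_allowed(raw_name: str) -> bool:
    """Blocklist on the literal last extension of the decoded name.

    Fails open: the extension of "shell.php " is "php " (with a space), which
    is not in BLOCKED, so the upload is accepted. If the space is dropped later
    (by a trim() or by the filesystem), "shell.php" is what lands on disk.
    """
    name = unquote(raw_name)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in BLOCKED


def normalize_filename(raw_name: str) -> str:
    """Canonicalise a client-supplied name before any extension decision."""
    name = unquote(raw_name).replace("\x00", "")       # drop NUL truncation tricks
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # keep only the basename
    name = name.rstrip(" .\t\r\n")                      # trailing space/dot vanish on Windows and in trim()
    return name.lower()                                 # .PHP is .php


def hardened_is_allowed(raw_name: str) -> bool:
    """Allowlist on the canonical name; no blocked token anywhere after the stem."""
    name = normalize_filename(raw_name)
    if not name or "." not in name or name.startswith("."):
        return False
    parts = name.split(".")
    if any(p in BLOCKED for p in parts[1:]):   # catches shell.php.txt and shell.php\0.pdf
        return False
    return parts[-1] in ALLOWED


def storage_name(raw_name: str, token: str) -> str:
    """Name to store under: a server-chosen token plus the vetted extension only."""
    if not hardened_is_allowed(raw_name):
        raise ValueError("rejected upload name: %r" % raw_name)
    return token + "." + normalize_filename(raw_name).rsplit(".", 1)[-1]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("%-20r naive=%-5s hardened=%s"
              % (n, naive_is_allowed(n), hardened_is_allowed(n)))
```

The two points a reviewer looks for: the decision is made on the same canonical string that names the file on disk, and the stored name never contains client-chosen characters other than the vetted extension.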
CVE-2020-13700
https://gist.github.com/mariuszpoplawski/b5fc9fdbf5469ed139e114a913dcf3ba
------------------------------------------
[Suggested description]
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a
CVE-2020-13484
https://gist.github.com/mariuszpoplawski/26e1fbde8f9a607478bee1de90daa329
------------------------------------------
Bitrix24 through 20.0.975 allows SSRF via an intranet IP address in the services/main/ajax.php?action=attachUrlPreview url parameter, if
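Added example, not Bitrix24 code: a Python URL guard of the kind a URL-preview endpoint needs before fetching a user-supplied url parameter. It refuses non-HTTP schemes and userinfo, then checks the literal or resolved addresses against loopback, link-local, private and shared ranges, IPv4-mapped IPv6 included, and returns the vetted addresses so the fetch can pin to them. The FAKE_DNS table and its host names are constructed so the example runs offline; the public address in it is a placeholder.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a preview fetcher has no business reaching. ipaddress's is_private
# and friends cover most of these; the explicit list adds shared address
# space (100.64.0.0/10) and keeps the policy readable in one place.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline. "rebind.corp"
# models a name with one public and one internal record.
FAKE_DNS = {
    "example.org": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "rebind.corp": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("no such host: " + host)
    return list(FAKE_DNS[host])


def system_resolve(host):
    """Real resolver: every A/AAAA record, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped   # ::ffff:10.0.0.1 is 10.0.0.1 in disguise
    return (any(addr in net for net in INTERNAL_NETS)
            or addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url: str, resolve=system_resolve):
    """Vet a user-supplied URL before fetching it.

    Returns (allowed, detail). On success detail is the comma-joined list of
    vetted IPs; the fetch must connect to one of those rather than resolve
    the host name again, or a DNS rebind can swap in an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: " + parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6
    except ValueError:
        try:
            ips = resolve(host)                    # a name, or shorthand like 127.1
        except OSError as exc:
            return False, "unresolvable: %s" % exc
    if not ips:
        return False, "unresolvable"
    for ip in ips:
        if is_internal_ip(ip):
            return False, "internal address " + ip
    return True, ",".join(ips)


if __name__ == "__main__":
    for u in ("https://example.org/page", "http://10.0.0.5/",
              "http://[::ffff:10.0.0.1]/", "http://rebind.corp/"):
        print(u, check_url(u, fake_resolve))
```

Shorthand such as 127.1 or a decimal 2130706433 is rejected by ipaddress and therefore goes through the resolver, where glibc turns it back into 127.0.0.1; that is why the guard checks resolved addresses rather than pattern-matching the string, and why every record is checked, not only the first.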
CVE-2020-13483
https://gist.github.com/mariuszpoplawski/44c5dd8ca1c40ebbacd119505254195e
------------------------------------------
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.