zeropwn
/ Axway SecureTransport 5.x Unauthenticated XXE
Last active
November 17, 2023 08:59
Axway SecureTransport 5.x Unauthenticated XML Injection / XXE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| _ _ | |
| _______ _ __ ___ | | ___ | | | |
| |_ / _ \ '__/ _ \ | |/ _ \| | | |
| / / __/ | | (_) || | (_) | | | |
| /___\___|_| \___(_)_|\___/|_| | |
| https://zero.lol | |
| zero days 4 days | |
| ATTENTION: |
mariuszpoplawski
/ CVE-2020-11976
Last active
June 2, 2021 16:52
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CVE-2020-11976 - Apache wicket LFI / markup source file read vulnerability | |
| ------------------------------------------ | |
| By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. | |
| This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. | |
| Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5 | |
| For example if there are credentials in the markup which are never supposed to be visible to the client: | |
| <wicket:remove> |