Compass Security

3 exploits Active since Apr 2017
CVE-2019-17554 EXPLOITDB MEDIUM text WORKING POC
Apache Olingo 4.0.0-4.6.0 - XML External Entity Injection via XML Content Type Deserialization
The XML content type entity deserializer in Apache Olingo versions 4.0.0 to 4.6.0 is not configured to deny the resolution of external entities. Request with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.
CVSS 5.5
CVE-2017-7185 EXPLOITDB HIGH text WRITEUP
Cesanta Mongoose Library <6.7 & OS <1.2 Use-After-Free via Multipart POST
Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.
CVSS 7.5
CVE-2018-6563 EXPLOITDB HIGH html WORKING POC
totemo encryption_gateway < 6.0.0 - Cross-Site Request Forgery
Multiple cross-site request forgery (CSRF) vulnerabilities in totemomail Encryption Gateway before 6.0.0_Build_371 allow remote attackers to hijack the authentication of users for requests that (1) change user settings, (2) send emails, or (3) change contact information by leveraging lack of an anti-CSRF token.
CVSS 8.8