Sick Codes

7 exploits Active since Sep 2021
CVE-2020-20093 NOMISEC MEDIUM WORKING POC
Facebook Messenger <227.0-228.1.0.10.116 - CSRF
The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
89 stars
CVSS 6.5
CVE-2020-20094 WRITEUP MEDIUM WORKING POC
Instagram <106.0 - CSRF
Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages
CVSS 6.5
CVE-2020-20095 WRITEUP MEDIUM WORKING POC
iMessage <iOS 12.4 - Info Disclosure
iMessage (Messages app) iOS 12.4 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVSS 6.5
CVE-2020-20096 WRITEUP MEDIUM WORKING POC
Whatsapp <2.19.80 - Info Disclosure
Whatsapp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVSS 6.5
CVE-2021-33318 WRITEUP CRITICAL WRITEUP
Joel Christner .NET C# packages - Input Validation Vulnerability
An Input Validation Vulnerability exists in Joel Christner .NET C# packages WatsonWebserver, IpMatcher 1.0.4.1 and below (IpMatcher) and 4.1.3 and below (WatsonWebserver) due to insufficient validation of input IP addresses and netmasks against the internal Matcher list of IP addresses and subnets.
CVSS 9.8
CVE-2022-28345 WRITEUP HIGH WORKING POC
Signal app <5.34 iOS - CSRF
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
CVSS 7.5
CVE-2021-40875 EXPLOITDB HIGH bash WORKING POC
Gurock TestRail <7.2.0.3014 - Info Disclosure
Improper Access Control in Gurock TestRail versions < 7.2.0.3014 resulted in sensitive information exposure. A threat actor can access the /files.md5 file on the client side of a Gurock TestRail application, disclosing a full list of application files and the corresponding file paths. The corresponding file paths can be tested, and in some cases, result in the disclosure of hardcoded credentials, API keys, or other sensitive data.
CVSS 7.5