karthi-the-hacker

5 exploits Active since Jun 2006
CVE-2020-17453 NOMISEC MEDIUM SCANNER
WSO2 Management Console <5.10 - XSS
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
5 stars
CVSS 6.1
CVE-2006-2842 NOMISEC SCANNER
SquirrelMail < 1.4.6 - Remote File Inclusion via Plugin Array Parameter
PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicable
3 stars
CVE-2023-27524 NOMISEC HIGH SCANNER
Apache Superset Signed Cookie Priv Esc
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. All superset installations should always set a unique secure random SECRET_KEY. Your SECRET_KEY is used to securely sign all session cookies and encrypting sensitive information on the database. Add a strong SECRET_KEY to your `superset_config.py` file like: SECRET_KEY = <YOUR_OWN_RANDOM_GENERATED_SECRET_KEY> Alternatively you can set it with `SUPERSET_SECRET_KEY` environment variable.
1 stars
CVSS 8.9
CVE-2021-31589 NOMISEC MEDIUM SCANNER
BeyondTrust Appliance Base Software < 6.0.1 - Unauthenticated Cross-Site Scripting
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
1 stars
CVSS 6.1
CVE-2023-29489 NOMISEC MEDIUM SCANNER
cPanel < 11.102.0.31 - Cross-Site Scripting via Invalid Webcall ID
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
CVSS 5.3