sysentr0py

10 exploits Active since Jul 2024
CVE-2024-37829 HIGH WRITEUP
Outline <= 0.76.1 - SSRF
An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link.
CVSS 8.8
CVE-2024-37830 MEDIUM WRITEUP
Outline <= 0.76.1 - Open Redirect
An issue in Outline <= v0.76.1 allows attackers to redirect a victim user to a malicious site via intercepting and changing the state cookie.
CVSS 6.1
CVE-2024-39063 HIGH WRITEUP
LimeSurvey <= 6.5.12 - CSRF
LimeSurvey <= 6.5.12 is vulnerable to Cross-Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when it is passed in the body of a POST request; the same check is not performed on the equivalent GET requests, so a state-changing action can be triggered by making a logged-in victim load a crafted URL.
CVSS 8.8
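Added example (not LimeSurvey code and not part of this writeup): a minimal request model showing the check pattern described above, with the verb-dependent token check beside a hardened check that decides by what the route does. The route name, the double-submit-cookie token scheme and the sample requests are assumptions for illustration; Yii's real token handling differs.

```python
import hmac
from dataclasses import dataclass, field

# Names below are illustrative: the parameter name is the one the advisory
# mentions, the route is hypothetical, and the token scheme is a simplified
# double-submit cookie, not Yii's real implementation.
TOKEN_PARAM = "YII_CSRF_TOKEN"
STATE_CHANGING_ROUTES = {"/admin/survey/delete"}
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)    # parameters in the URL
    form: dict = field(default_factory=dict)     # parameters in the POST body
    cookies: dict = field(default_factory=dict)  # attached automatically by the browser


def _token_matches(supplied, expected) -> bool:
    # Constant-time comparison; an empty expected token never matches.
    return bool(expected) and hmac.compare_digest(supplied or "", expected)


def vulnerable_csrf_ok(req: Request) -> bool:
    """The flaw the advisory describes: the token is only checked for POST bodies."""
    if req.method != "POST":
        return True  # a GET that performs the same action is never checked
    return _token_matches(req.form.get(TOKEN_PARAM), req.cookies.get(TOKEN_PARAM))


def hardened_csrf_ok(req: Request) -> bool:
    """Decide by what the route does, not by the HTTP verb used to reach it."""
    if req.path not in STATE_CHANGING_ROUTES:
        return True  # read-only route, nothing to protect
    if req.method not in UNSAFE_METHODS:
        return False  # state changes over GET are refused outright
    return _token_matches(req.form.get(TOKEN_PARAM), req.cookies.get(TOKEN_PARAM))


def handle(req: Request, csrf_check) -> int:
    """Dispatch a request through the given CSRF check; returns an HTTP status."""
    if req.path in STATE_CHANGING_ROUTES and not csrf_check(req):
        return 403
    return 200


def forged_get(victim_cookies: dict) -> Request:
    """What the victim's browser sends when it follows an attacker-supplied link."""
    return Request("GET", "/admin/survey/delete", query={"sid": "123"}, cookies=victim_cookies)


def legitimate_post(victim_cookies: dict) -> Request:
    """A form submission from the real UI, carrying the token in the body."""
    return Request("POST", "/admin/survey/delete",
                   form={"sid": "123", TOKEN_PARAM: victim_cookies[TOKEN_PARAM]},
                   cookies=victim_cookies)


if __name__ == "__main__":
    cookies = {TOKEN_PARAM: "0123456789abcdef"}  # constructed session value
    print("forged GET, vulnerable :", handle(forged_get(cookies), vulnerable_csrf_ok))    # 200
    print("forged GET, hardened   :", handle(forged_get(cookies), hardened_csrf_ok))      # 403
    print("real POST, hardened    :", handle(legitimate_post(cookies), hardened_csrf_ok))  # 200
```

The hardened check refuses GET for state-changing routes rather than accepting a token from the query string, because a token in a URL leaks through Referer headers and server logs. If a GET variant of the action must be kept for compatibility, it needs the same token check as the POST form, not an exemption.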
CVE-2024-42901 MEDIUM WORKING POC
LimeSurvey < 6.5.12 - Code Injection
A CSV (formula) injection vulnerability in LimeSurvey v6.5.12 allows attackers to execute arbitrary code on the machine of a user who opens the exported data in a spreadsheet application, via uploading a crafted CSV file whose cells begin with formula characters.
CVSS 4.8
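Added example (not LimeSurvey code and not part of this writeup): a CSV import/export round trip that flags formula-like cells on upload and neutralizes them on export, using the standard library only. The sample file and the column names are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as a formula
# (or that let a value escape its cell), per common CSV-injection guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return str(value).lstrip(" ").startswith(FORMULA_PREFIXES)


def neutralize_cell(value) -> str:
    """Prefix a single quote so the cell is rendered as text, not evaluated."""
    text = str(value)
    return "'" + text if is_formula_like(text) else text


def export_csv(rows) -> str:
    """Write rows as CSV with every field quoted and formula-like cells neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)  # QUOTE_ALL also escapes embedded quotes
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def import_csv(text: str):
    """Parse an uploaded CSV; returns the rows plus (row, col, cell) for suspicious cells."""
    rows = list(csv.reader(io.StringIO(text)))
    flagged = [(r, c, cell)
               for r, row in enumerate(rows)
               for c, cell in enumerate(row)
               if is_formula_like(cell)]
    return rows, flagged


# Constructed sample upload: the second respondent's answer is a DDE-style payload.
UPLOADED = 'respondent,answer\r\nalice,"yes"\r\nmallory,"=cmd|\' /C calc\'!A0"\r\n'

if __name__ == "__main__":
    rows, flagged = import_csv(UPLOADED)
    print("flagged on import:", flagged)
    print(export_csv(rows))
```

Neutralizing on export is the last line of defence; flagging on import lets the application reject or warn before the payload is stored. The single-quote prefix also alters legitimate values such as negative numbers ("-5" becomes "'-5"), so exporters that need numeric fidelity should exempt cells that parse cleanly as numbers.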
CVE-2024-42902 HIGH WRITEUP
LimeSurvey <6.6.2 - RCE
An issue in js_localize.php in LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code by injecting a crafted payload into the lng parameter.
CVSS 8.8
CVE-2024-42903 MEDIUM WRITEUP
LimeSurvey <6.6.1+240806 - Host Header Injection
A Host header injection vulnerability in the password reset function of LimeSurvey v6.6.1+240806 and before allows attackers to poison the password reset link emailed to a user, so that the crafted link directs the victim to a malicious domain.
CVSS 6.5
CVE-2024-42904 MEDIUM WRITEUP
SysPass 3.2.x - XSS
A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter at /Controllers/ClientController.php.
CVSS 6.1
CVE-2025-25476 MEDIUM WRITEUP
SysPass < 3.2.11 - XSS
A stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary JavaScript code by specifying a malicious XSS payload as a notification type or notification component.
CVSS 5.4
CVE-2025-25477 HIGH WRITEUP
SysPass < 3.2.11 - Host Header Injection
A Host header injection vulnerability in SysPass 3.2.x allows an attacker to make the application load JavaScript files from an arbitrary domain, which are then executed in the victim's browser.
CVSS 8.1
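Added example (not SysPass, LimeSurvey or Outline code, and not part of any of these writeups): the three URL-trust bugs listed above (the Outline open redirect, the LimeSurvey reset-link Host header injection and the SysPass script-source Host header injection) share one root cause, a URL built from request-controlled data. This block shows the vulnerable link construction beside an origin derived from configuration plus a host allowlist, and a same-origin check for post-login redirect targets. The base URL, allowed hosts and paths are hypothetical.

```python
from urllib.parse import urlsplit

# Deployment values are hypothetical; real applications read theirs from config.
CONFIGURED_BASE_URL = "https://app.example.org"
ALLOWED_HOSTS = {"app.example.org", "app.example.org:443"}


def vulnerable_reset_link(host_header: str, token: str) -> str:
    """Pattern the advisories describe: the link's origin is taken from the request."""
    return f"https://{host_header}/reset?token={token}"


def request_origin(host_header: str) -> str:
    """Use the Host header only if it is one we serve; otherwise fall back to config."""
    host = host_header.strip().lower()
    if host in ALLOWED_HOSTS:
        return f"https://{host}"
    return CONFIGURED_BASE_URL


def hardened_reset_link(host_header: str, token: str) -> str:
    """Reset link whose origin an attacker cannot choose."""
    return f"{request_origin(host_header)}/reset?token={token}"


def hardened_asset_url(host_header: str, path: str) -> str:
    """Same rule for script and stylesheet URLs written into the page."""
    return f"{request_origin(host_header)}/{path.lstrip('/')}"


def safe_redirect_target(target, default: str = "/") -> str:
    """Accept only a same-origin absolute path; anything else falls back to default."""
    if not target:
        return default
    target = target.strip()
    if any(ch in target for ch in "\r\n\t\\"):
        return default  # browsers normalize backslashes to slashes; control chars split headers
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default  # absolute URL, protocol-relative //host, or javascript:
    if not target.startswith("/") or target.startswith("//"):
        return default
    return target


if __name__ == "__main__":
    evil = "evil.example"  # attacker-supplied Host header value (constructed)
    print(vulnerable_reset_link(evil, "t0k"))   # https://evil.example/reset?token=t0k
    print(hardened_reset_link(evil, "t0k"))     # https://app.example.org/reset?token=t0k
    print(hardened_asset_url(evil, "/js/app.js"))
    for t in ["/dashboard?tab=1", "https://evil.example/", "//evil.example/x", "/\\evil.example"]:
        print(repr(t), "->", safe_redirect_target(t))
```

Falling back to the configured base URL rather than rejecting the request keeps reverse-proxy setups working while removing the attacker's choice of origin. A state cookie that carries a redirect target should pass through safe_redirect_target after the cookie's integrity has been verified, since the path check alone does not detect tampering.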
CVE-2025-25478 MEDIUM WRITEUP
SysPass 3.2.x - Info Disclosure
The account file upload functionality in SysPass 3.2.x fails to properly handle special characters in filenames. This leads to disclosure of the web application's source code, exposing sensitive information such as the database password.
CVSS 6.5