sysentr0py

10 exploits, active since Jul 2024
CVE-2024-37829 HIGH WRITEUP
Outline <= 0.76.1 - Session Fixation via Crafted Magic Sign-In Link
An issue in Outline <= v0.76.1 allows an attacker to fix a victim's session, and thereby hijack it, by getting the victim to interact with a crafted magic sign-in link.
CVSS 8.8
CVE-2024-37830 MEDIUM WRITEUP
Outline <= 0.76.1 - Open Redirect via State Cookie Manipulation
An issue in Outline <= v0.76.1 allows an attacker to redirect a victim user to a malicious site by intercepting and modifying the state cookie used during sign-in.
CVSS 6.1
CVE-2024-39063 HIGH WRITEUP
LimeSurvey <= 6.5.12 - Cross-Site Request Forgery via GET Request
LimeSurvey <= 6.5.12 is vulnerable to Cross-Site Request Forgery (CSRF). The YII_CSRF_TOKEN is only checked when passed in the body of POST requests; the equivalent GET requests perform the same state-changing actions without that check.
CVSS 8.8
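The flaw in the entry above is a token check keyed on the request method rather than on the action. The added example below, written for this page and not taken from LimeSurvey or Yii, contrasts that pattern with one that refuses GET for state-changing handlers and checks the token for every accepted method. The request dictionary shape, the `delete_survey` action and the function names are assumptions; YII_CSRF_TOKEN is the parameter name from the advisory.

```python
import hmac
import secrets

# Constructed request shape used throughout (assumption, not a framework API):
# {"method": str, "query": dict, "form": dict, "session": dict}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Mint a per-session token; the server later compares submissions to it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _token_matches(request):
    expected = request["session"].get("csrf_token", "")
    supplied = request["form"].get("YII_CSRF_TOKEN", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def csrf_check_vulnerable(request):
    """The flawed pattern: the token is validated for POST bodies only, so
    the same handler reached through GET is accepted with no token at all."""
    if request["method"] == "POST":
        return _token_matches(request)
    return True  # GET is waved through: this is the bug


def csrf_check_fixed(request):
    """Hardened: a state-changing handler refuses GET (and HEAD/OPTIONS)
    outright, and every method it does accept must carry a matching token in
    the body. The token is deliberately not read from the query string,
    which ends up in logs and Referer headers."""
    if request["method"] not in STATE_CHANGING:
        return False
    return _token_matches(request)


def delete_survey(request, surveys, survey_id, check):
    """A state-changing action guarded by whichever CSRF check is passed in.
    Returns True if the survey was deleted."""
    if not check(request):
        return False
    return surveys.pop(survey_id, None) is not None
```

With the vulnerable check, an `<img src="https://victim-host/.../delete?id=1">` on any page the logged-in user visits is enough; with the fixed check the GET is refused before the handler runs, and a cross-origin POST still fails because the attacker cannot read the victim's token.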
CVE-2024-42901 MEDIUM WORKING POC
LimeSurvey 6.5.12 - CSV (Formula) Injection
A CSV injection vulnerability in LimeSurvey 6.5.12 allows an attacker to plant formula payloads by uploading a crafted CSV file; the payload is interpreted by the spreadsheet application that later opens the data, not by the LimeSurvey server.
CVSS 4.8
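CSV injection is neutralised at the boundary where user-controlled text is written into a file a spreadsheet will open, and can be flagged on the way in as well. The following added example, written for this page rather than taken from LimeSurvey, does both: it scans an uploaded CSV for formula-leading cells and neutralises every cell on export. The sample CSV text is constructed; the function names and trigger list are assumptions (the trigger list follows the commonly used set of formula-starting characters).

```python
import csv
import io

# Characters that make common spreadsheet clients treat a cell as a formula.
# A leading tab or newline is included because some clients strip it and
# then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_cell(cell):
    """True if a cell would be evaluated rather than displayed."""
    return cell.startswith(FORMULA_TRIGGERS)


def scan_uploaded_csv(text):
    """Return (row, column) positions of suspicious cells in an uploaded CSV.
    This is the check to run before storing answers that will be exported."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                hits.append((r, c))
    return hits


def neutralize_cell(value):
    """Make a value safe to place in a CSV a spreadsheet will open.

    A leading trigger character is prefixed with a single quote, which
    spreadsheet clients take to mean "this is text". Legitimate values that
    start with "-" (negative numbers) get the prefix too; that is the
    accepted trade-off, since the export cannot know which "-" is which.
    Quote doubling for embedded '"' is left to the csv writer."""
    text = "" if value is None else str(value)
    if is_formula_cell(text):
        text = "'" + text
    return text


def export_rows(rows):
    """Write rows to CSV text with every cell neutralised and quoted. Quoting
    alone does not stop formula evaluation, which is why both are needed."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample upload with one formula cell in row 1, column 1.
SAMPLE_UPLOAD = (
    'id,answer\n'
    '1,"=HYPERLINK(""https://attacker.example"",""open me"")"\n'
    '2,fine\n'
)
```

Whether to reject flagged uploads or merely neutralise them on export is a policy choice; neutralising on export is the control that has to exist regardless, because the same cell can also arrive through the normal survey UI.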
CVE-2024-42902 HIGH WRITEUP
LimeSurvey <= 6.6.2 - Remote Code Execution via js_localize.php lng Parameter Injection
An issue in the js_localize.php script of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code by injecting a crafted payload into its lng parameter.
CVSS 8.8
CVE-2024-42903 MEDIUM WRITEUP
LimeSurvey <= 6.6.1+240806 - Host Header Injection
A Host header injection vulnerability in the password reset function of LimeSurvey v6.6.1+240806 and before allows an attacker who supplies a spoofed Host header when requesting a reset to have the application email the victim a password reset link pointing at an attacker-controlled domain.
CVSS 6.5
CVE-2024-42904 MEDIUM WRITEUP
SysPass 3.2.0-3.2.10 - Cross-Site Scripting via Client Name Parameter
A cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the name parameter handled by /Controllers/ClientController.php.
CVSS 6.1
CVE-2025-25476 MEDIUM WRITEUP
SysPass 3.2.0-3.2.10 - Stored Cross-Site Scripting via Notification Type or Component
A stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary JavaScript code by supplying an XSS payload as a notification type or notification component.
CVSS 5.4
CVE-2025-25477 HIGH WRITEUP
SysPass 3.2.0-3.2.10 - Host Header Injection
A Host header injection vulnerability in SysPass 3.2.x allows an attacker to make the application load JavaScript files from an arbitrary domain, which are then executed in the victim's browser.
CVSS 8.1
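The LimeSurvey password reset entry (CVE-2024-42903) and the SysPass entry directly above share one root cause: an absolute URL is assembled from the request's Host header, which belongs to whoever sent the request. The added example below, written for this page and taken from neither project, shows the flawed builder next to one that derives the origin from configuration and lets the Host header only choose among known deployments. The CONFIG values, header dictionary and function names are assumptions.

```python
from typing import Optional
from urllib.parse import quote

# Constructed deployment configuration (assumption; neither project's real settings).
CONFIG = {
    "base_url": "https://app.example.com",
    "allowed_hosts": {"app.example.com", "app-internal.example.com"},
}


def reset_link_vulnerable(headers, token):
    """The pattern behind both advisories: the link's origin is whatever the
    requester put in the Host header. Trigger a reset for the victim with a
    spoofed header and the emailed link points at the attacker's domain."""
    return f"https://{headers['Host']}/reset?token={quote(token)}"


def resolve_host(headers) -> Optional[str]:
    """Accept the Host header only when it names a deployment we know.

    The port is stripped and the comparison is case-insensitive. Anything
    carrying userinfo, a path, or whitespace is rejected rather than cleaned,
    since those are the shapes used to smuggle a different origin past a
    substring check."""
    host = headers.get("Host", "").strip().lower()
    if not host or any(c in host for c in "@/\\ \t"):
        return None
    if host.startswith("[") and "]" in host:      # IPv6 literal, maybe with port
        host = host[: host.index("]") + 1]
    elif host.count(":") == 1:                    # hostname:port
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    return host if host in CONFIG["allowed_hosts"] else None


def _origin_for(headers):
    host = resolve_host(headers)
    return f"https://{host}" if host else CONFIG["base_url"]


def reset_link_fixed(headers, token):
    """Build the link from configuration; an unknown Host falls back to the
    configured base URL instead of being echoed."""
    return f"{_origin_for(headers)}/reset?token={quote(token)}"


def script_src_fixed(headers, path):
    """Same rule for script and asset URLs (the SysPass case). Relative paths
    are best; when an absolute URL is unavoidable it is derived the same way
    as the reset link, so the Host header can never pick the script origin."""
    return f"{_origin_for(headers)}/{path.lstrip('/')}"
```

Where a reverse proxy sits in front of the application, the proxy should additionally refuse requests whose Host is not in the same allowlist, so a spoofed header never reaches application code at all.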
CVE-2025-25478 MEDIUM WRITEUP
SysPass 3.2.0-3.2.10 - Source Code Disclosure via Account File Upload Filename Mismanagement
The account file upload functionality in SysPass 3.2.x fails to properly handle special characters in filenames. This mismanagement leads to disclosure of the web application's source code, exposing sensitive information such as the database password.
CVSS 6.5
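The entry above is the usual consequence of letting a client-supplied filename influence a server-side path. The robust fix is to never use that name for the path at all: store under a random name with an allowlisted extension, keep a cleaned copy of the original only for display, and re-check that the final path stays inside the upload directory. The following is an added example written for this page, not SysPass's upload code; UPLOAD_DIR, ALLOWED_EXTENSIONS and the function names are assumptions.

```python
import os
import re
import secrets
import unicodedata

# Constructed policy (assumption). The upload directory sits outside the web root.
UPLOAD_DIR = "/var/app/uploads"
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt", "csv"}
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def _last_component(upload_filename):
    """Take the last path component whichever separator the client used,
    and cut at the first NUL byte so "x.php\\0.png" cannot become "x.php"."""
    return re.split(r"[\\/]", upload_filename)[-1].split("\x00", 1)[0]


def storage_name_for(upload_filename):
    """Return the name the file is stored under on disk.

    Only the extension of the client's name is consulted, and only if it is
    allowlisted; the on-disk name is random. That sidesteps every
    special-character problem at once: path separators, '..', NUL bytes,
    leading dots, shell metacharacters and encoding tricks."""
    base = _last_component(upload_filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"


def display_name_for(upload_filename):
    """A cleaned version of the original name, kept for the UI and for the
    Content-Disposition header on download, never for the filesystem path."""
    base = unicodedata.normalize("NFKC", _last_component(upload_filename))
    base = _UNSAFE.sub("_", base).lstrip(".")
    return base[:255] or "file"


def storage_path_for(storage_name):
    """Join to the upload directory and prove the result did not escape it.
    Redundant with storage_name_for, by design: defence in depth in case a
    caller passes something other than a generated name."""
    root = os.path.normpath(UPLOAD_DIR)
    path = os.path.normpath(os.path.join(root, storage_name))
    if os.path.dirname(path) != root:
        raise ValueError("path escapes upload directory")
    return path
```

Serving the file back should go through a download handler that streams by storage name and sets Content-Disposition from `display_name_for`, so the web server never maps an upload to a script it could execute or a source file it could return.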