zadewg

6 exploits, active since Dec 2018
CVE-2020-20093 NOMISEC MEDIUM WORKING POC
Facebook Messenger <227.0-228.1.0.10.116 - CSRF
The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
89 stars
CVSS 6.5
CVE-2018-20377 NOMISEC CRITICAL NO CODE
Orange Livebox 00.96.320S - Info Disclosure
Orange Livebox 00.96.320S devices allow remote attackers to discover Wi-Fi credentials via /get_getnetworkconf.cgi on port 8080, leading to full control if the admin password equals the Wi-Fi password or has the default admin value. This is related to Firmware 01.11.2017-11:43:44, Boot v0.70.03, Modem 5.4.1.10.1.1A, Hardware 02, and Arcadyan ARV7519RW22-A-L T VR9 1.2.
75 stars
CVSS 9.8
CVE-2020-20094 WRITEUP MEDIUM WORKING POC
Instagram <106.0 - CSRF
Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVSS 6.5
CVE-2020-20095 WRITEUP MEDIUM WORKING POC
iMessage <iOS 12.4 - Info Disclosure
iMessage (Messages app) iOS 12.4 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVSS 6.5
CVE-2020-20096 WRITEUP MEDIUM WORKING POC
WhatsApp <2.19.80 - Info Disclosure
WhatsApp iOS 2.19.80 and prior and Android 2.19.222 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages.
CVSS 6.5
CVE-2022-28345 WRITEUP HIGH WORKING POC
Signal app <5.34 iOS - CSRF
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO-encoded URLs beginning with a non-breaking space, when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate-looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
CVSS 7.5