TechMedia – Page 81100

[sup] Sup Code Injection vulnerability

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-4478
https://github.com/sup-heli…

[fat_free_crm] Fat Free CRM vulnerable to Exposure of Sensitive Information

Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.
References

…

[fat_free_crm] Fat Free CRM has fixed token value

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
References

…

[fat_free_crm] Fat Free CRM contains Cross-site Request Forgery vulnerablilities

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controlle…

[fat_free_crm] Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-72…

[fat_free_crm] Fat Free CRM vulnerable to SQL Injection

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
References
…

[fat_free_crm] Fat Free CRM subject to Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) c…

[sup] Sup Code Injection vulnerability

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013…

[org.jboss.resteasy:resteasy-client] JacksonJsonpInterceptor susceptible to cross-site script inclusion (XSSI) attack

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-6348
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
https://github.com/a…

[karteek-docsplit] Karteek Docsplit vulnerable to OS Command Injection

Posted inHIGH
Posted byWpmaster
05/17/202201/27/2023

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
References

https…