An attacker could then access this information via JavaScript. Zoho ManageEngine ADSelfService Plus before 6122 allows an authenticated user to achieve remote code execution via executable CMD.EXE input in a password field, This only occurs if a certain password sync feature is enabled that uses passwords as script arguments.Ī vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. Jenkins Mask Passwords Plugin 3.0 and earlier does not escape the name and description of Non-Stored Password parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. The exported XML contains every option of the exported user (even the hashed password). It allows an attacker with user management rights (default is Administrator) to export the user options of any user, even ones with higher privileges (like Global Administrators) than the current user. Kentico CMS before 13.0.66 has an Insecure Direct Object Reference vulnerability.
0 Comments
Leave a Reply. |