Sitecore.NET version 8.1 suffers from a directory traversal vulnerability.
>> CATEGORY: exploit
A lack of validation on cookie values allows you to log in as any user on hik-connect.com and ezvizlife.com.
SickRage versions prior to 2018.03.09 return clear-text credentials in HTTP responses.
October CMS User plugin version 1.4.5 suffers from a persistent cross site scripting vulnerability.
WordPress WP with Spritz plugin version 1.0 suffers from local and remote file inclusion vulnerabilities.
JFrog Artifactory versions prior to 4.16 suffer from unauthenticated arbitrary file upload and remote command execution vulnerabilities.
This is a simple proof of concept exploit for Drupal versions prior to 7.58 that demonstrates the drupalgeddon3 authenticated remote code execution vulnerability.
HRSALE The Ultimate HRM version 1.0.2 suffers from a local file inclusion vulnerability.
HRSALE The Ultimate HRM version 1.0.2 suffers from a cross site scripting vulnerability.
Google Chrome V8 Await methods call ResolveNativePromise, which calls InternalResolvePromise, which can invoke user JavaScript code through a “then” getter. If the AwaitedPromise is replaced by the user script,…