An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.
Published at: May 17, 2020 at 08:15PM
View on website
In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server.
Published at: May 17, 2020 at 08:15PM
View on website
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.
Published at: May 17, 2020 at 08:15PM
View on website
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application’s file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user’s data) via cross-origin requests.
Published at: May 17, 2020 at 08:15PM
View on website
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application’s file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user’s data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim’s device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker.
Published at: May 17, 2020 at 08:15PM
View on website
Educ Arte Económico 