Hey folks,
Spark (sparkjava.com) is a mildly hyped Java micro web framework that
also provides functionality to serve static files. Unfortunately,
there's no protection against directory traversal attacks and I haven't
been able to contact anyone related to the project (after trying 4
people over
Disclose 10 * cve in Exponent CMS
[CVE-2016-7780]
> In line 42 of cron/find_help.php, $_GET['version'] can be
> controlled and injected. It is possible to perform time-based blind SQL
> injection via the "version" parameter.
fix:
https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad
On Tue, Nov 1, 2016 at 5:05 PM, Brandon Perry wrote:
>
>> On Oct 31, 2016, at 2:41 PM, Elar Lang wrote:
>>
>> Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
>> Credit: Elar Lang / https://security.elarlang.eu
>> Vendor/Product: dotCMS (http://dotcms.com/)
>> Vulnerability: SQL i
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the second
entry in that series.
The below information is also available on my blog at
http://blog.skylined.nl/20161102001.html. There you can find a repro
that trigger