Router D-Link DVA-5592 – Authentication Bypass

Info
Vendor: D-Link Italia
Product: Router DVA-5592
Firmware: DVA-5592_A1_WI_20180823
CVE: 2018-17777
Shodan: "ADB Broadband HTTP Server" title:"D-Link"

Description
In the D-Link DVA-5592 router it is possible to bypass the web authentication form. The problem is the path /ui/cbpc/login, which is accessible without authentication. If the router's owner has not changed the Parental Control PIN, it is possible to access the Parental Control area by using the default PIN code....

December 16, 2018 · 2 min · 230 words · Luigi Gubello

About Iran and IRA Twitter datasets (for fun) – Part I

On 17 October 2018 Twitter released two datasets about the propaganda accounts of the Internet Research Agency (IRA) and Iran. Each dataset has three parts: a CSV file with the user list, a CSV file with all* the tweets of said users and a dataset of the shared images and memes. For fun I tried to use pandas and matplotlib to read the data. To read the file ira_tweets_csv_hashed.csv (5,4 GB) I split it into 91 parts, with 100....

December 7, 2018 · 5 min · 1040 words · Luigi Gubello

From XSS to RCE in Simplenote 1.1.3

Summary
In Simplenote 1.1.3 - Desktop app there is a stored XSS vulnerability that can be used to execute arbitrary code. If there is malicious code in the note and the user tries to print it (for example to save it as a PDF), the malicious code runs.

#358049 - RCE via Print function [Simplenote 1.1.3 - Desktop app]
27/05/2018 – I send the report
25/06/2018 – The vulnerability is fixed and the bug bounty reward is 250$...

July 29, 2018 · 1 min · 115 words · Luigi Gubello

HTML Injection in Signal Desktop 1.10.1

A few days ago some researchers discovered an HTML Injection vulnerability in Signal Desktop and they wrote a public disclosure. The Signal team quickly released an update on May 11th; the problem was in the file /js/views/message_view.js. Reading the changes to message_view.js, it seemed that the Signal team had only fixed the "problem of the URL". So, maybe, I could still inject HTML code somehow. In Signal Desktop there are not many features, so I tried to write myself a basic message: <b>PROVA</b>....

May 16, 2018 · 2 min · 300 words · Luigi Gubello

GD bbPress Attachments 2.5 – Authenticated stored XSS

Info
Product: GD bbPress Attachments
Version: 2.5
Active installations: 10,000+
Product page: https://it.wordpress.org/plugins/gd-bbpress-attachments/

Description
An authenticated user of a bbPress forum who can attach a file can inject arbitrary JavaScript code via the filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker. The variable $error['file'] in /code/attachments/front.php (line 349) is not escaped.

Proof of Concept
GD bbPress Attachments 2....

May 13, 2018 · 1 min · 104 words · Luigi Gubello