CVE-2021-21246: OneDev User Access Token Leak

This module looks for access token leaks from Onedev through the /users/{id} endpoint. Attackers can use these access tokens to access the API or clone code through the stolen user account. Submitted by payloadartist.

CVE-2021-26723: Jenzabar XSS

This module looks for an XSS vulnerability in Jenzabar 9.2.x through 9.2.2. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain. Submitted by xelkomy.

CVE-2020-35572: Adminer 4.7.8 XSS

This module searches for a reflected XSS vulnerability in Adminer. An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain. Thanks madrobot for the submission.

CVE-2020-7741: hello.js XSS

Another one from madrobot, this module searches for a DOM XSS vulnerability in hello.js. his affects the package hello.js before 1.18.6. The code get the param oauth_redirect from url and pass it to location.assign without any check and sanitisation. So we can simply pass some XSS payloads into the url param oauth_redirect, such as javascript:alert(1). An attacker can use this flaw to steal credentials and otherwise execute JavaScript in the origin of the affected domain.

How can Detectify help?

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web vulnerability scanner service and we release Detectify security updates at least bi-weekly. Detectify offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!