Vulnerabilities (Page 22)

SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]

An SQLi in Password Manager Pro, which is bundled with ManageEngine’s Privileged Access Management 360 (PAM360) and Access Manager Plus. In the password manager, there’s a concept of “resources” which can be added or edited, which internally submits a multipart form request to the AddResourceType.ve endpoint…

 

Stealing passwords from infosec Mastodon - without bypassing CSP

web

Starts off with a somewhat classic parser attack, placing a parsable object inside of another context hoping to trip up the system. In this case Gareth Heyes was able to inject :verified: within a supported HTML attribute, and have it be replaced with the emoji as an <img> tag…