Security Advisories


Any vulnerabilities reported and disclosed by stypr are published on this page.

To protect users, security vulnerabilities will not be announced until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, vulnerabilities will be announced on this page.

For any inquiries regarding an advisory, please contact root+advisory@stypr.com



Responsible Disclosure


The disclosure policy is derived from Google Project Zero's. It may be waived in specific cases upon mutual agreement.

Disclosure deadline of 90 days. If an issue remains unpatched after 90 days, technical details are published immediately. If the issue is fixed within 90 days, technical details are published 30 days after the fix. A 14-day grace period* may be granted. Earlier disclosure is possible with mutual agreement.

Disclosure deadline of 7 days for issues that are being actively exploited in the wild against users. If an issue remains unpatched after 7 days, technical details are published immediately. If the issue is fixed within 7 days, technical details are published 30 days after the fix. Vendors can request a 3-day grace period* for in-the-wild bugs. Earlier disclosure is possible with mutual agreement.

*If a grace period is granted, it uses up a portion of the 30-day patch adoption period (e.g. an issue patched on day 100, inside the grace period, is disclosed on day 120).




List of Advisories




SVDB-2022-0005 (Mar 24th, 2022)
Reported as Flatt Security Inc.

  • External ID: PSV-2022-0044
  • Affected Version: <= 1.0.4.6. Fixed in 1.0.4.7.
  • CWE: CWE-77
  • Description: NETGEAR has released fixes for Post-Authentication Command Injection in NETGEAR WAC124 1.0.4.6.
  • Reference:
    • https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
    • https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc

SVDB-2022-0004 (Mar 24th, 2022)
Reported as Flatt Security Inc.

  • External ID: PSV-2022-0044
  • Affected Version: <= 1.0.4.6. Fixed in 1.0.4.7.
  • CWE: CWE-288
  • Description: NETGEAR has released fixes for Authentication Bypass on the WAC124 in firmware version 1.0.4.7.
  • Reference:
    • https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
    • https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc

SVDB-2022-0003 (Mar 24th, 2022)
Reported as Flatt Security Inc.

  • External ID: PSV-2022-0044
  • Affected Version: <= 1.0.4.6. Fixed in 1.0.4.7.
  • CWE: CWE-22
  • Description: NETGEAR has released fixes for Arbitrary File Read on the WAC124 in firmware version 1.0.4.7.
  • Reference:
    • https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
    • https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc

SVDB-2022-0002 (Mar 24th, 2022)
Reported as Flatt Security Inc.

  • External ID: PSV-2022-0044
  • Affected Version: <= 1.0.4.6. Fixed in 1.0.4.7.
  • CWE: CWE-79, CWE-80
  • Description: NETGEAR has released fixes for Cross-site Scripting on the WAC124 in firmware version 1.0.4.7.
  • Reference:
    • https://kb.netgear.com/000064730/Security-Advisory-for-Multiple-Vulnerabilities-on-the-WAC124-PSV-2022-0044
    • https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc

SVDB-2022-0001 (Feb 15th, 2022)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-4219
  • Affected Version: <= 6.9.12-33, <= 7.1.0-18. Fixed in 6.9.12-34 and 7.1.0-19.
  • CWE: CWE-20
  • Description: A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system.
  • Reference:
    • https://bugzilla.redhat.com/show_bug.cgi?id=2054611
    • https://www.cve.org/CVERecord?id=CVE-2021-4219
    • https://github.com/ImageMagick/ImageMagick/issues/4626

SVDB-2021-0018
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2021-0017
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2021-0016
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2021-0015
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2021-0014 (Oct 24, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-41175
  • Affected Version: <= 5.7. Fixed in 5.8.
  • CWE: CWE-79
  • Description: Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.
  • Reference:
    • https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-mhr8-7rvg-8r43
    • https://github.com/pi-hole/AdminLTE/commit/01191c7a1b8d5032991ed9d88e0db8d3dbec744d
    • https://github.com/pi-hole/AdminLTE/releases/tag/v5.8

SVDB-2021-0013 (Sep 17, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20829
  • Affected Version: <= v4.2.19. Fixed in v4.2.20.
  • CWE: CWE-79
  • Description: Cross-site scripting vulnerability due to inadequate tag sanitization in GROWI versions v4.2.19 and earlier allows remote attackers to execute an arbitrary script on the web browser of the user who accesses a specially crafted page.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU94889258/index.html
    • https://weseek.co.jp/security/2021/09/17/vulnerability/growi-prevent-multiple-xss-addition/

SVDB-2021-0012 (Sep 01, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-32407
  • Affected Version: <= v0.6.2. Fixed in v0.6.3.
  • CWE: CWE-918
  • Description: Server-Side Request Forgery (SSRF) vulnerability in Kallithea v0.1 up to v0.6.2, fixed in v0.6.3, allows a remote authenticated attacker to execute a 'git clone' with a crafted URL, which allows them to send arbitrary packets into the local network accessible from the server.
  • Reference:
    • https://kallithea-scm.org/security/20201201-stypr-2.html
    • https://kallithea-scm.org/repos/kallithea/changeset/a8a51a3bdb6181e498a862f84eb2d50928330a68

SVDB-2021-0011 (Sep 01, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-32408
  • Affected Version: <= v1.12.3. Fixed in v1.13.0.
  • CWE: CWE-918
  • Description: Server-Side Request Forgery (SSRF) vulnerability in Gogs 0.7.0 through 1.12.x before 1.12.3: ParseRemoteAddr in internal/form/repo.go does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding).
  • Reference:
    • https://github.com/gogs/gogs/issues/6413
    • https://github.com/gogs/gogs/pull/6420

SVDB-2021-0010 (Sep 01, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-32409
  • Affected Version: <= v0.6.2. Fixed in v0.6.3.
  • CWE: CWE-79
  • Description: Cross Site Scripting (XSS) in Kallithea v0.4.0 up to v0.6.2, fixed in v0.6.3, when displaying repository group descriptions.
  • Reference:
    • https://kallithea-scm.org/security/20201201-stypr-1.html
    • https://kallithea-scm.org/repos/kallithea/changeset/cd8fa11c5c89278a103b795db50e740594038ec8

SVDB-2021-0008 (May 15, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-29625
  • Affected Version: <= v4.8.0. Fixed in v4.8.1.
  • CWE: CWE-79
  • Description: Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP, enable the native PHP extensions (e.g. `mysqli`), or disable displaying PHP errors (`display_errors`).
  • Reference:
    • https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7
    • https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
    • https://sourceforge.net/p/adminer/bugs-and-features/797/

SVDB-2021-0007 (Mar 08, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20667
  • Affected Version: <= v4.2.2. Fixed in v4.2.20.
  • CWE: CWE-79
  • Description: Stored cross-site scripting vulnerability due to inadequate CSP (Content Security Policy) configuration in GROWI versions v4.2.2 and earlier allows remote authenticated attackers to inject an arbitrary script via specially crafted content.
  • Reference:
    • https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/
    • https://jvn.jp/en/vu/JVNVU94889258/index.html

SVDB-2021-0006 (Mar 08, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20668
  • Affected Version: <= v4.2.2. Fixed in v4.2.20.
  • CWE: CWE-22
  • Description: Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read an arbitrary path via a specially crafted URL.
  • Reference:
    • https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/
    • https://jvn.jp/en/vu/JVNVU94889258/index.html

SVDB-2021-0005 (Mar 08, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20669
  • Affected Version: <= v4.2.2. Fixed in v4.2.20.
  • CWE: CWE-22
  • Description: Path traversal vulnerability in GROWI versions v4.2.2 and earlier allows an attacker with administrator rights to read and/or delete an arbitrary path via a specially crafted URL.
  • Reference:
    • https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/
    • https://jvn.jp/en/vu/JVNVU94889258/index.html

SVDB-2021-0004 (Mar 08, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20670
  • Affected Version: <= v4.2.2. Fixed in v4.2.20.
  • CWE: CWE-284
  • Description: Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to read the user's personal information and/or the server's internal information via unspecified vectors.
  • Reference:
    • https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/
    • https://jvn.jp/en/vu/JVNVU94889258/index.html

SVDB-2021-0003 (Mar 08, 2021)
Reported as Flatt Security Inc.

  • External ID: CVE-2021-20671
  • Affected Version: <= v4.2.2. Fixed in v4.2.20.
  • CWE: CWE-20, CWE-73
  • Description: Invalid file validation in the upload feature of GROWI versions v4.2.2 and earlier allows a remote attacker with administrative privilege to overwrite files on the server, which may lead to arbitrary code execution.
  • Reference:
    • https://weseek.co.jp/security/2021/03/08/vulnerability/growi-prevent-multiple-xss/
    • https://jvn.jp/en/vu/JVNVU94889258/index.html

SVDB-2021-0002
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2021-0001 (Jan 8, 2021)
Reported as Flatt Security Inc.

  • Affected Version: <= v2.30.0. Fixed in v2.30.1.
  • CWE: CWE-918
  • Description: The `git clone` command can pass CRLF through the git:// protocol, leading to partial SSRF in other applications that invoke the `git` command.
  • Reference:
    • https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473

SVDB-2020-0016 (Nov 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5673
  • Affected Version: <= v3.1.2. Fixed in v3.1.3.
  • CWE: CWE-79
  • Description: Cross-site Scripting (XSS) was found on KonaWiki3 versions v3.1.3 and earlier. Because the sanitizing process is not performed properly, an arbitrary script is executed on the web browser of the user who accesses a specially crafted URL.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU99880454/index.html

SVDB-2020-0015 (Nov 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5672
  • Affected Version: <= v3.1.2. Fixed in v3.1.3.
  • CWE: CWE-79
  • Description: Cross-site Scripting (XSS) was found on KonaWiki3 versions v3.1.3 and earlier. Because the sanitizing process is not performed properly, an arbitrary script is executed on the web browser of the user who accesses a wiki page containing specially crafted content written by an attacker.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU99880454/index.html

SVDB-2020-0014 (Nov 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5671
  • Affected Version: <= v3.1.2. Fixed in v3.1.3.
  • CWE: CWE-22
  • Description: Path Traversal was found on KonaWiki3 versions v3.1.3 and earlier. Inadequate query checking allows a remote attacker to disclose information stored above the directory published as a website. By exploiting this vulnerability, arbitrary files can be obtained.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU99880454/index.html

SVDB-2020-0013 (Nov 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5670
  • Affected Version: <= v3.1.2. Fixed in v3.1.3.
  • CWE: CWE-22
  • Description: Path Traversal was found on KonaWiki3 versions v3.1.3 and earlier. Inadequate query checking allows a remote attacker to disclose information stored above the directory published as a website. Exploitation of this vulnerability is limited to files with specific extensions.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU99880454/index.html

SVDB-2020-0012 (Nov 06, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5664
  • Affected Version: <= v3.49. Fixed in v3.50.
  • CWE: CWE-502
  • Description: Deserialization of untrusted data vulnerability in XooNIps 3.49 and earlier allows remote attackers to execute arbitrary code via unspecified vectors.
  • Reference:
    • https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
    • https://jvn.jp/en/vu/JVNVU92053563/index.html

SVDB-2020-0011 (Nov 16, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-28991
  • Affected Version: <= v1.12.5. Fixed in v1.12.6.
  • CWE: CWE-918
  • Description: Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.
  • Reference:
    • https://github.com/go-gitea/gitea/pull/13525
    • https://github.com/go-gitea/gitea/releases/tag/v1.12.6

SVDB-2020-0010 (Nov 06, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5659
  • Affected Version: <= v3.49. Fixed in v3.50.
  • CWE: CWE-89
  • Description: SQL injection vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
  • Reference:
    • https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
    • https://jvn.jp/en/vu/JVNVU92053563/index.html

SVDB-2020-0009 (Nov 06, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5662
  • Affected Version: <= v3.49. Fixed in v3.50.
  • CWE: CWE-79
  • Description: Reflected cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.
  • Reference:
    • https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
    • https://jvn.jp/en/vu/JVNVU92053563/index.html

SVDB-2020-0008 (Nov 06, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5663
  • Affected Version: <= v3.49. Fixed in v3.50.
  • CWE: CWE-89
  • Description: Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier allows remote authenticated attackers to inject arbitrary script via unspecified vectors.
  • Reference:
    • https://xoonips.osdn.jp/modules/news/index.php?page=article&storyid=13
    • https://jvn.jp/en/vu/JVNVU92053563/index.html

SVDB-2020-0007 (Oct 20, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5640
  • Affected Version: <= v1.96c. Fixed in v1.96d.
  • CWE: CWE-98, CWE-94
  • Description: Local file inclusion vulnerability in OneThird CMS v1.96c and earlier allows a remote unauthenticated attacker to execute arbitrary code or obtain sensitive information via unspecified vectors.
  • Reference:
    • https://onethird.net/en/p1340.html
    • https://jvn.jp/en/vu/JVNVU99467898/index.html

SVDB-2020-0006 (Sep 25, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-5631
  • Affected Version: <= v2.0.20191009. Fixed in ver2.0.20200916.
  • CWE: CWE-79
  • Description: Stored cross-site scripting vulnerability in CMONOS.JP ver2.0.20191009 and earlier allows remote attackers to inject arbitrary script via unspecified vectors.
  • Reference:
    • https://jvn.jp/en/vu/JVNVU93741515/index.html
    • https://cmonos.jp/download/history.html

SVDB-2020-0005 (Sep 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-15182
  • Affected Version: <= 3.0.2.327. Fixed in 3.0.2.328.
  • CWE: CWE-22, CWE-352
  • Description: The SOY Inquiry component of SOY CMS is affected by Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE). The vulnerability affects versions 2.0.0.3 and earlier of SOY Inquiry. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage. An administrator must be logged in for exploitation to be possible. This issue is fixed in SOY Inquiry version 2.0.0.4 and included in SOY CMS 3.0.2.328.
  • Reference:
    • https://github.com/inunosinsi/soycms/security/advisories/GHSA-j2qw-747j-mfv4
    • https://youtu.be/ffvKH3gwyRE
    • https://github.com/inunosinsi/soycms/pull/15

SVDB-2020-0004 (Sep 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-15183
  • Affected Version: <= 3.0.2.327. Fixed in 3.0.2.328.
  • CWE: CWE-79
  • Description: SoyCMS 3.0.2 and earlier is affected by Reflected Cross-Site Scripting (XSS), which leads to Remote Code Execution (RCE) via a known vulnerability. This allows remote attackers to force the administrator to edit files once the administrator loads a specially crafted webpage.
  • Reference:
    • https://github.com/inunosinsi/soycms/security/advisories/GHSA-33q6-4xmp-2f48
    • https://github.com/inunosinsi/soycms/commit/045a222016f99b56557b0d8f39bbfc653d2c4707
    • https://youtu.be/uAMAwH35ups

SVDB-2020-0003 (Sep 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-15188
  • Affected Version: <= 3.0.2.327. Fixed in 3.0.2.328.
  • CWE: CWE-502
  • Description: SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). This allows remote attackers to execute arbitrary code when the inquiry form feature is enabled by the service. The vulnerability is caused by unserializing the form without any restrictions. This was fixed in 3.0.2.328.
  • Reference:
    • https://github.com/inunosinsi/soycms/security/advisories/GHSA-hrrx-m22r-p9jp
    • https://github.com/inunosinsi/soycms/issues/10
    • https://github.com/inunosinsi/soycms/pull/12/commits/a75642989132dd25f74a13194b27c0986c3de020
    • https://www.youtube.com/watch?v=zAE4Swjc-GU&feature=youtu.be

SVDB-2020-0002 (Sep 17, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-15189
  • Affected Version: <= 3.0.2.327. Fixed in 3.0.2.328.
  • CWE: CWE-434
  • Description: SOY CMS 3.0.2 and earlier is affected by Remote Code Execution (RCE) using Unrestricted File Upload. The Cross-Site Scripting (XSS) vulnerability that was used in CVE-2020-15183 can be used to increase impact by redirecting the administrator to access a specially crafted page. This vulnerability is caused by insecure configuration in elFinder. This is fixed in version 3.0.2.328.
  • Reference:
    • https://github.com/inunosinsi/soycms/security/advisories/GHSA-6r2f-p68g-m433
    • https://github.com/inunosinsi/soycms/pull/14/commits/e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59
    • https://youtu.be/FWIDFNXmr9g

SVDB-2020-0001 (Aug 27, 2020)
Reported as Flatt Security Inc.

  • External ID: CVE-2020-15159
  • Affected Version: <= v4.3.6. Fixed in v4.3.7.
  • CWE: CWE-79, CWE-434
  • Description: baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.
  • Reference:
    • https://basercms.net/security/20200827
    • https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
    • https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d

SVDB-2019-0001 (Jul 26, 2019)
Reported as LINE Corporation

  • External ID: CVE-2019-6002
  • Affected Version: <= v0.40.1. Fixed in v0.41.0.
  • CWE: CWE-79
  • Description: Central Dogma contains a cross-site scripting vulnerability.
  • Reference:
    • http://jvn.jp/en/jp/JVN94889214/index.html
    • https://github.com/line/centraldogma/releases/tag/centraldogma-0.41.0

SVDB-2018-0007 (3Q 2018)

  • External ID: KVE-2018-0441
  • Affected Version: <= 5.3.1.4. Fixed in v5.3.1.6.
  • CWE: CWE-327, CWE-338
  • Description: MySQL password theft on GNUBoard5/Youngcart5 5.3.1.4 by misuse of the encryption function.
  • Reference:
    • https://github.com/gnuboard/gnuboard5/commit/c03fec73b9aeb6571271f4141788e614cc3f6e82
    • https://www.youtube.com/watch?v=ZRczf4UTypQ

SVDB-2018-0006 (3Q 2018)

  • External ID: KVE-2018-0449
  • Affected Version: <= 5.3.1.4. Fixed in v5.3.1.6.
  • CWE: CWE-79, CWE-352, CWE-98
  • Description: Cross-Site Request Forgery and Remote Code Execution on GNUBoard5/Youngcart5 5.3.1.4.
  • Reference:
    • https://github.com/gnuboard/gnuboard5/commit/c03fec73b9aeb6571271f4141788e614cc3f6e82
    • https://www.youtube.com/watch?v=56adGYBfHNQ

SVDB-2018-0005 (3Q 2018)

  • External ID: KVE-2018-0439
  • Affected Version: <= 5.3.1.4. Fixed in v5.3.1.6.
  • CWE: CWE-79
  • Description: Reflected XSS on GNUBoard5/Youngcart5 5.3.1.4.
  • Reference:
    • https://github.com/gnuboard/gnuboard5/commit/c03fec73b9aeb6571271f4141788e614cc3f6e82
    • https://www.youtube.com/watch?v=56adGYBfHNQ

SVDB-2018-0004
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2018-0003
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2018-0002
Vendor or reporter disallowed the vulnerability disclosure.

SVDB-2018-0001
Vendor or reporter disallowed the vulnerability disclosure.


Mailing Address

stypr LLC
1309 Coffeen Avenue STE 1200
Sheridan, WY 82801
USA

Point of Contact

Harold Kim
stypr LLC
1309 Coffeen Avenue STE 1200
Sheridan, WY 82801
USA

root@stypr.com
//harold.kim/