Michael Tsai

Researcher fromZX Security
#8665of 53,633
31.6Total CVSS
Vulnerabilities · 4
Medium
2
Critical
2
PT-2024-26526
5.9
2024-06-25
Unknown · Farcry Core · CVE-2024-35526
**Name of the Vulnerable Software and Affected Versions** FarCry Core framework versions prior to 7.2.14 **Description** The issue allows attackers to access sensitive information in the "/facade" directory. **Recommendations** For versions prior to 7.2.14, update to version 7.2.14 or later to resolve the issue.
PT-2024-26527
9.8
2024-06-25
Unknown · Farcry Core · CVE-2024-35527
**Name of the Vulnerable Software and Affected Versions** FarCry Core framework versions prior to 7.2.14 **Description** The issue allows attackers to execute arbitrary code via uploading a crafted .cfm file to the /fileupload/upload.cfm endpoint. **Recommendations** For versions prior to 7.2.14, update to version 7.2.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the /fileupload/upload.cfm endpoint until a patch is available.
PT-2021-20207
9.8
2021-05-27
Dragonfly · Dragonfly · CVE-2021-33564
**Name of the Vulnerable Software and Affected Versions** Dragonfly gem versions prior to 1.4.0 **Description** An argument injection issue allows remote attackers to read and write to arbitrary files via a crafted URL when the `verify url` option is disabled, potentially leading to code execution. This occurs because the generate and process features mishandle the use of the ImageMagick convert utility. **Recommendations** For Dragonfly gem versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider enabling the `verify url` option to minimize the risk of exploitation. Restrict access to the generate and process features until the update is applied.
PT-2021-17679
6.1
2021-03-16
Symbiote · Symbiote/Silverstripe-Queuedjobs · CVE-2021-27938
Name of the Vulnerable Software and Affected Versions: symbiote/silverstripe-queuedjobs module versions 3 through 4 Description: A Cross Site Scripting issue allows an attacker to inject an arbitrary payload in the CreateQueuedJobTask dev task via a specially crafted URL. This is achieved by exploiting the `CreateQueuedJobTask` dev task. Recommendations: For versions 3 through 4, consider disabling the `CreateQueuedJobTask` dev task until a patch is available to prevent exploitation. Restrict access to the dev task to minimize the risk of arbitrary payload injection.