Moxa AWK-3131A iw_webs Account Settings Improper Access Control Vulnerability
Summary An exploitable improper access control vulnerability exists in the iw_webs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the...
About the security content of macOS High Sierra 10.13 - Apple Support
About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page. For more information about security, se...
New Relic: Account owner/admin can't actually delete personal users' API keys
Hey team, An account owner/admin should be able to remove API keys belonging to other users in case, for instance, they are compromised. This sentence is confirmed by your own docs: F695035 However, the account owner/admin can't actually do this, so he can't protect the account data from bein...
Shopify: Cross Site Scripting at https://app.oberlo.com/
1- Create an account from https://app.oberlo.com/ 2- Go to https://app.oberlo.com/settings/account/profile 3- Inject JavaScript code or an XSS payload into the Name form 4- It will be printed on the page and executed. The payload that I used: " Impact This vulnerability can be used by an attacker to serve malicio...
Semmle: Authenticated Cross-Site-Request-Forgery
Summary: I have read the T&C to be eligible for bounty on this program. As per T&C authenticated CSRF requests are eligible for a bounty. I am not looking for the Bounty, However I want to give you an update on Authenticated CSRF that I have found. In the "Account Settings", a user can change his...
X (Formerly Twitter): Multiple XSS on account settings that can hijack any users in the company.
Note: Hello Twitter Team, I just noticed that my report 485748 is already fixed, can you confirm? But my other duplicate reports aren't and still exist. 492444 492913 Are you sure it's the same root cause? Because I think the broad fix is already released but didn't fix the other issues. I wi...
X (Formerly Twitter): Html Injection and Possible XSS via MathML
Hi, I would like to report an HTML injection and possible cross-site scripting (XSS) vulnerability using MathML on Firefox. The account title field is vulnerable to HTML injection, which can allow an attacker to store JavaScript using MathML in Firefox. Modern Firefox versions allow usage of inli...
Twitter Android Glitch Exposed Private Tweets for Years
Twitter disclosed a security issue on Thursday that had exposed protected tweets on Android devices – for more than four years. According to the social media giant, if Twitter users on the Android operating system made specific changes to their account settings – like changing the email address...
A Twitter Bug Left Android Users' Private Tweets Exposed For 4 Years
Twitter just admitted that the social network accidentally revealed some Android users' protected tweets to the public for more than 4 years — a kind of privacy blunder that you'd typically expect from Facebook. When you sign up for Twitter, all your Tweets are public by default, allowing anyone ...
PHP Scripts Mall Entrepreneur B2B Script Cross-Site Scripting Vulnerability
PHP Scripts Mall Entrepreneur B2B Script is a suite of B2B e-commerce platforms from PHP Scripts Mall India. A cross-site scripting vulnerability exists in PHP Scripts Mall Entrepreneur B2B Script version 3.0.6, which can be exploited by a remote attacker to inject arbitrary web script or HTML vi...
CVE-2018-20138
PHP Scripts Mall Entrepreneur B2B Script 3.0.6 allows Stored XSS via Account Settings fields such as FirstName and LastName, a similar issue to CVE-2018-14541...
Cross site scripting
Zenitel Norway IP-StationWeb before 4.2.3.9 allows stored XSS via the Display Name for Station Status or Account Settings, related to the goform/zForm_save_changes sip_nick parameter. The password of alphaadmin for the admin account may be used for authentication in some cases...
CVE-2018-19927
Zenitel Norway IP-StationWeb before 4.2.3.9 is affected by a stored XSS vulnerability in the Display Name fields for Station Status or Account Settings, triggered via the goform/zForm_save_changes sip_nick parameter. The issue can be compounded by the potential use of the admin account password (...
Cross site scripting
An issue was discovered in WUZHI CMS 4.1.0. There is a Stored XSS Vulnerability in "Account Settings - Member Centre - Chinese information - Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring...
CVE-2018-11549
CVE-2018-11549 describes a stored XSS in WUZHI CMS 4.1.0, exploitable via the “Account Settings → Member Centre → Chinese information → Ordinary member” form using the QQ number field (form[qq_10]). The underlying cause is injecting script/HTML through that field’s input. Documented impact is a c...
Moneybird: Open Redirection while saving User account Settings
Hi team, I got an open redirection while saving account settings. This could lead to serious issues. Endpoint: https://moneybird.com/user/edit?returnto=//evil.com Reproduce: Visit https://moneybird.com/user/edit?returnto=//evil.com and click on Save. You will be taken to evil.com. Impact:...
WordPress Training Membership 1.0.8 Cross Site Scripting Vulnerability
WordPress Fitness Trainer - Training Membership plugin versions 1.0.8 and below suffer from a cross site scripting vulnerability. Exploit Title: Wordpress Fitness Trainer - Training Membership Plugin ================== 8bitsec - https://twitter.com/8bitsec 0day.today 2018-04-09...