3641 matches found

Packet Storm
added 2017/11/22 12:0 a.m. | 69 views

WordPress Yoast SEO Cross Site Scripting

Discoverer: Elias Dimopoulos Linkedin: https://gr.linkedin.com/in/dimopouloselias Vulnerability: Reflected XSS Affected plugin: Yoast SEO plugin alertwindow.location!-- The victim has to have a valid profile under http://victim/wp-admin/admin.php?page=wpseosearchconsole&tab=settings example:...

AI score: 5.2 | EPSS: 0.01345
Exploits: 3

OpenVAS
added 2017/11/22 12:0 a.m. | 390 views

Multiple AVM FRITZ!Box WPA2 Key Reinstallation Vulnerabilities - KRACK

WPA2 as used in several models of the AVM FRITZ!Box is prone to multiple security weaknesses, aka Key Reinstallation Attacks (KRACK). SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders...

CVSS: 8.1 | AI score: 7.3 | EPSS: 0.04575
Exploits: 1 | References: 3

Microsoft Malware Protection
added 2017/11/20 1:59 p.m. | 72 views

New tech support scam launches communication or phone call app

A new tech support scam technique streamlines the entire scam experience, leaving potential victims only one click or tap away from speaking with a scammer. We recently found a new tech support scam website that opens your default communication or phone call app, automatically prompting you to ca...

AI score: 6.8
Exploits: 0

OSV
added 2017/11/20 12:0 a.m. | 0 views

UBUNTU-CVE-2017-16544

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code...

CVSS: 8.8 | AI score: 6.9 | EPSS: 0.0624
Exploits: 12 | References: 4

Cvelist
added 2017/11/13 9:0 a.m. | 27 views

CVE-2017-16792

Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in a Box) before 0.13.10 allows attackers to inject arbitrary web script via the "homepage" value of a ".gemspec" file, related to views/gem.erb and views/index.erb...

AI score: 5.9 | EPSS: 0.01084
Exploits: 0 | References: 3

CVE
added 2017/11/13 9:0 a.m. | 76 views

CVE-2017-16792

Gem in a Box (geminabox) prior to version 0.13.10 is affected by a stored XSS vulnerability. An attacker can inject arbitrary script via the homepage field in a .gemspec, related to the views/gem.erb and views/index.erb templates. The CVE-2017-16792 entry is corroborated by multiple sources (incl...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.01084
Exploits: 0 | References: 3 | Affected Software: 1

Malwarebytes
added 2017/11/10 1:0 p.m. | 153 views

How to solve the Malwarebytes CrackMe: a step-by-step tutorial

The topic of this post is a Malwarebytes CrackMe—an exercise in malware analysis that I recently created. First, the challenge was created to serve internal purposes, but then it was released to the community on Twitter and triggered a lot of positive response. Thanks to all of you who sent in yo...

AI score: 7.3
Exploits: 0

OSV
added 2017/10/24 6:33 p.m. | 59 views

GHSA-QQXP-XP9V-VVX6 jquery-ui Tooltip widget vulnerable to XSS

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.06463
Exploits: 0 | References: 13

RubySec
added 2017/10/24 12:0 a.m. | 25 views

Moderate severity vulnerability that affects jquery-ui

Cross-site scripting (XSS) vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo...

CVSS: 4.3 | AI score: 6.1 | EPSS: 0.06463
Exploits: 0 | References: 1 | Affected Software: 1

Openbugbounty
added 2017/10/21 7:2 p.m. | 58 views

zaptourviagens.com.br XSS vulnerability

Vulnerable URL: http://www.zaptourviagens.com.br/modules/modjoinstagrambox/tmpl/instagrambox.php?username=xss%22%3E%3Csvg/onload=prompt/openbugbounty/%3E=〈=pt-BR=false=true=100%=350pxℑ=medium=285989=F8F8F8=FFFFFF==260796206.0efbe26.89a76a9668934089a2d00d928486fd26 Details: Description| Value...

AI score: 6.3
Exploits: 0

CNVD
added 2017/10/12 12:0 a.m. | 2 views

UI-Dialog Arbitrary Command Execution Vulnerability

UI-Dialog is a pop-up box plugin in jQuery UI, a set of JavaScript libraries. An arbitrary command execution vulnerability exists in UI-Dialog 1.09 and earlier versions. A remote attacker can exploit this vulnerability to execute arbitrary commands...

CVSS: 9.8 | AI score: 9.5 | EPSS: 0.03429
Exploits: 0 | References: 1

Exploit DB
added 2017/09/30 12:0 a.m. | 29 views

Microsoft Word 2007 (x86) - Information Disclosure

Title: MS Office Word Information Disclosure Vulnerability Date: September 30th, 2017. Author: Eduardo Braun Prado Vendor Homepage: http://www.microsoft.com/ Software Link: https://products.office.com/ Version: 2007 32-bits x86 Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP X86 and x64...

AI score: 7.4
Exploits: 0

Prion
added 2017/09/25 8:29 a.m. | 12 views

Cross site request forgery (csrf)

geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated by an unintended gem upload...

CVSS: 6.8 | AI score: 8.6 | EPSS: 0.00496
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2017/09/25 8:29 a.m. | 12 views

CVE-2017-14506

geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by uploading a gem file that has a crafted gem.homepage value in its .gemspec file...

CVSS: 5.4 | AI score: 7
Exploits: 0 | References: 2

CVE
added 2017/09/25 8:0 a.m. | 42 views

CVE-2017-14683

Gem in a Box (geminabox) CVE-2017-14683 affects versions before 0.13.7 and is due to a Cross-Site Request Forgery (CSRF) flaw demonstrated by an unintended gem upload. Affected software is geminabox, a Ruby-based personal code hosting platform. The Root Cause, per the description, is CSRF allowin...

CVSS: 8.8 | AI score: 8.5 | EPSS: 0.00496
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2017/09/25 8:0 a.m. | 52 views

CVE-2017-14506

Gem in a Box (geminabox) prior to 0.13.6 is vulnerable to Cross-site Scripting (XSS) via a crafted gem.homepage value in a .gemspec file uploaded as a gem. Affected product: geminabox (Ruby) before 0.13.6. Impact: XSS that may affect users accessing the web interface; some sources note potential ...

CVSS: 5.4 | AI score: 5.6 | EPSS: 0.0068
Exploits: 1 | References: 2 | Affected Software: 1

Prion
added 2017/09/18 1:29 a.m. | 15 views

Remote code execution

OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger...

CVSS: 6.8 | AI score: 8.1 | EPSS: 0.02275
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2017/09/18 1:29 a.m. | 15 views

CVE-2017-9333

OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger...

CVSS: 8.8 | AI score: 7.8
Exploits: 0 | References: 2

NVD
added 2017/09/18 1:29 a.m. | 18 views

CVE-2017-9333

OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger...

CVSS: 8.8 | AI score: 9 | EPSS: 0.02275
Exploits: 0 | References: 2

Cvelist
added 2017/09/18 1:0 a.m. | 17 views

CVE-2017-9333

OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger...

AI score: 9 | EPSS: 0.02275
Exploits: 0 | References: 2