101 matches found

CVE
added 2019/06/05 2:58 p.m., 133 views

CVE-2019-12741

The CVE-2019-12741 issue is an XSS in the HAPI FHIR testpage overlay module of the HAPI FHIR library (pre-3.8.0). Unsanitized HTTP parameters are echoed in a form page, enabling leakage of cookies and other sensitive data from ca/uhn/fhir/to/BaseController.java via a crafted URL. Impact is limite...

CVSS 6.1, AI score 5.7, EPSS 0.0029
Exploits 0, References 3, Affected Software 1

Cvelist
added 2019/06/05 2:58 p.m., 15 views

CVE-2019-12741

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafte...

AI score 5.9, EPSS 0.0029
Exploits 0, References 3

AlpineLinux
added 2019/06/05 2:58 p.m., 31 views

CVE-2019-12741

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library before 3.8.0. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafte...

CVSS 6.1, AI score 6, EPSS 0.0029
Exploits 0

GitLab Advisory Database
added 2019/06/05 12:00 a.m., 18 views

Cross-site Scripting

XSS exists in the HAPI FHIR testpage overlay module of the HAPI FHIR library. The attack involves unsanitized HTTP parameters being output in a form page, allowing attackers to leak cookies and other sensitive information from ca/uhn/fhir/to/BaseController.java via a specially crafted URL. This...

CVSS 6.1, AI score 2.5, EPSS 0.0029
Exploits 0, References 4, Affected Software 1

Citrix
added 2018/08/09 12:00 a.m., 8 views

How to enable "Drop Invalid HTTP Requests" from default HTTP Parameters

This article provides instructions on how to enable "Drop Invalid HTTP Requests" from default HTTP Parameters...

AI score 7
Exploits 0

Hacker One
added 2018/03/16 1:26 p.m., 55 views

Greenhouse.io: DoS through cache poisoning using invalid HTTP parameters

I was taking a look into a related report https://hackerone.com/reports/298265 and I discovered that the https://boards.greenhouse.io/embed/jobboard/js?for= endpoint doesn't throw errors when I try to pass in an array of for parameters like this:...

AI score 0.4
Exploits 0

0day.today
added 2018/03/02 12:00 a.m., 69 views

TestLink Open Source Test Management < 1.9.16 - Remote Code Execution Vulnerability

Exploit for the PHP platform in category remote exploits. Title: TestLink Open Source Test Management comment out skip-networking as well as bind-addre...

AI score 7.5, EPSS 0.10683
Exploits 9

NVD
added 2017/12/12 7:29 p.m., 30 views

CVE-2017-17562

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc...

CVSS 8.1, AI score 8.4, EPSS 0.94266
Exploits 15, References 9

CNVD
added 2017/12/04 12:00 a.m., 1 view

Cisco Data Center Network Manager Software Content Spoofing Vulnerability

Cisco Data Center Network Manager (DCNM) Software is a data center management system from Cisco USA. The system works with Cisco Nexus and MDS series switches and provides storage visualization, configuration and troubleshooting. A content spoofing vulnerability exists in the web interface in Cisco...

CVSS 4.7, AI score 6.8, EPSS 0.00263
Exploits 0, References 1

Packet Storm
added 2017/10/31 12:00 a.m., 85 views

WordPress User Login History 1.5.2 Cross Site Scripting

Product: User Login History WordPress Plugin - https://wordpress.org/plugins/user-login-history/ Vendor: Er Faiyaz Alam Tested version: 1.5.2 CVE ID: CVE-2017-15867 CVE description: Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow...

AI score 6.5, EPSS 0.0027
Exploits 2

NVD
added 2017/09/07 9:29 p.m., 21 views

CVE-2017-12212

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain...

CVSS 6.1, AI score 6.1, EPSS 0.00308
Exploits 0, References 4

Check Point Advisories
added 2017/08/17 12:00 a.m., 2 views

Trend Micro OfficeScan Proxy.php Command Injection (CVE-2017-11394)

A command injection vulnerability exists in Trend Micro's OfficeScan. The vulnerability is due to improper validation of HTTP parameters within the Proxy.php script. A remote, authenticated attacker could exploit the vulnerability by sending a crafted request to the vulnerable system...

CVSS 10, AI score 1.9, EPSS 0.80666
Exploits 2

Check Point Advisories
added 2017/06/18 12:00 a.m., 1 view

Trend Micro IWSVA ManageSRouteSettings HttpServlet Command Injection

A command injection vulnerability exists in Trend Micro IWSVA. This vulnerability is due to incorrect validation of the netid, netmask, router, and interfacevlanidsel HTTP parameters by the ManageSRouteSettings Servlet. A remote authenticated attacker could exploit this vulnerability by sending a...

AI score 2.6
Exploits 0

Check Point Advisories
added 2017/06/05 12:00 a.m., 2 views

Mantis MantisBT Bug Tracker adm_config_report.php move_attachments_page.php XSS (CVE-2017-7309)

Three cross-site scripting vulnerabilities exist in Mantis Bug Tracker (MantisBT). These vulnerabilities are due to insufficient input validation of the action, type and configoption HTTP parameters by adm_config_report.php and move_attachments_page.php. A remote attacker could exploit this vulnerabili...

CVSS 3.5, AI score 2.4, EPSS 0.02475
Exploits 1

Check Point Advisories
added 2017/04/30 12:00 a.m., 0 views

Trend Micro SafeSync for Enterprise deviceTool.pm devid Command Injection

A command injection vulnerability exists in Trend Micro's SafeSync for Enterprise. The vulnerability is due to insufficient validation of user-supplied HTTP parameters. A remote, authenticated attacker could exploit this vulnerability by sending a crafted input to the vulnerable system...

AI score 2.5
Exploits 0

Prion
added 2017/03/22 7:59 p.m., 14 views

Input validation

A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could...

CVSS 9, AI score 8.7, EPSS 0.00665
Exploits 0, References 3, Affected Software 1

OSV
added 2017/03/22 7:59 p.m., 1 view

CVE-2017-3858

A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could...

CVSS 8.8, AI score 6, EPSS 0.00665
Exploits 0, References 3

CVE
added 2017/03/22 7:00 p.m., 59 views

CVE-2017-3858

Cisco IOS XE Software HTTP Command Injection (CVE-2017-3858) affects Cisco IOS XE 16.2.1 with HTTP Server enabled. The vulnerability arises from insufficient validation of user-supplied HTTP parameters in the web framework, allowing an authenticated, remote attacker to inject commands that run wi...

CVSS 9, AI score 8.8, EPSS 0.00665
Exploits 0, References 3, Affected Software 1

Cvelist
added 2017/03/22 7:00 p.m., 23 views

CVE-2017-3858

A vulnerability in the web framework of Cisco IOS XE Software could allow an authenticated, remote attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation of HTTP parameters supplied by the user. An attacker could...

AI score 8.9, EPSS 0.00665
Exploits 0, References 3

OSV
added 2017/02/12 4:59 a.m., 12 views

CVE-2017-5960

An issue was discovered in Phalcon Eye through 0.4.1. The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP GET parameters passed to the "phalconeye-master/public/external/pydio/plugins/editor.webodf/frame.php" URL. An attacker could execute arbitrary HTML...

CVSS 6.1, AI score 7.1
Exploits 0, References 2