Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

In an effort to mitigate a large class of potential cross-site scripting issues in Firefox, Mozilla has blocked execution of all inline scripts and potentially dangerous eval-like functions for built-in "about: pages" that are the gateway to sensitive preferences, settings, and statics of the...

USN-4127-1: Python vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description It was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading to a denial of service. This issue only...

Golang Go CVE-2019-16276 HTTP Request Smuggling Vulnerability

Description Golang Go is prone to an HTTP-request-smuggling vulnerability. A remote attacker may leverage this issue to poison web caches,bypass security defenses, launch cross-site scripting and HTML-injection attacks, and execute session-hijacking attacks. Other attacks are also possible...

Ubuntu 16.04 LTS / 18.04 LTS : Python vulnerabilities (USN-4127-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4127-1 advisory. It was discovered that Python incorrectly handled certain pickle files. An attacker could possibly use this issue to consume memory, leading ...

Pown-Duct - Essential Tool For Finding Blind Injection Attacks

Essential tool for finding blind injection attacks using DNS side-channels. Credits This tool is part of secapps.com open-source initiative. / | / | /\ | \ / | \ \ | / | / /\ \ |/// \| || |/ https://secapps.com NB : This tool is taking advantage of http://requestbin.net service. Future versions...

CVE-2018-10992

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU...

CVE-2019-5434

CVE-2019-5434 affecting Revive Adserver 4.2. The vulnerability is a deserialization/unsafe unserialize() trigger in the XML-RPC script (openads.spc) via the what parameter, allowing an attacker to execute arbitrary code on the target. The issue is tied to Revive Adserver 4.2.0+ and server-side PH...

Security Updates for Exchange (April 2019)

The Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access OWA fails to properly handle web requests. An attacker who...

Netartmedia PHP Dating Site - SQL Injection

Netartmedia PHP Dating Site - SQL Injection Exploit Title: Netartmedia Php Dating Site - SQL Injection Date: 19.03.2019 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://www.netartmedia.net/datingsite/ Demo Site: https://www.phpscriptdemos.com/dating/ Version: Lastest Tested on: Kali Lin...

Denial Of Service (DoS) Memory Consumption, Arbitrary Code Execution And Object-injection Attacks

activesupport/coreext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a...

Zoho ManageEngine OpManager 12.3 SQL Injection Vulnerability

Zoho ManageEngine OpManager versions 12.3 before 123238 suffer from a remote SQL injection vulnerability in the getGraphData API. I. VULNERABILITY ------------------------- Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API. II. CVE REFERENCE...

MGASA-2018-0412 Updated lilypond packages fix security vulnerability

lilypond does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks CVE-2017-17523...

Updated scummvm packages fix security vulnerability

Updated scummvm package fixes security vulnerability ScummVM 1.8.1's POSIX backend does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL CVE-2017-17528. This...

openSUSE Security Update : xdg-utils (openSUSE-2018-573)

This update for xdg-utils fixes this security issues : - CVE-2017-18266: The openenvvar function in xdg-open did not validate strings launching the program specified by the BROWSER environment variable, which might allowed remote attackers to conduct argument-injection attacks via a crafted URL...

CVE-2017-18266

The openenvvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment...

Design/Logic Flaw

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU...

Design/Logic Flaw

The openenvvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment...

CVE-2017-18266

CVE-2017-18266 applies to xdg-utils (xdg-open) where open_envvar does not validate strings before launching the program specified by BROWSER. The issue affects versions before 1.1.3 and can enable argument-injection via a crafted URL in the BROWSER value. Multiple connected advisories confirm ups...

CVE-2018-7466

install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value...

CVE-2018-7466

TestLink Open Source Test Management