482 matches found
Ultra Electronics AEP Ultra Protect Multiple Vulnerabilities
Ultra Electronics AEP Ultra Protect is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2014-3405
Cisco IOS XE enables the IPv6 Routing Protocol for Low-Power and Lossy Networks aka RPL on both the Autonomic Control Plane ACP and external Autonomic Networking Infrastructure ANI interfaces, which allows remote attackers to conduct route-injection attacks via crafted RPL advertisements on an AN...
Cart Engine 3.0 XSS / Open Redirect / SQL Injection
=== Details === Quantum Leap Advisory: http://www.quantumleap.it/cart-engine-3-0-multiple-vulnerabilities-sql-injection-reflected-xss-open-redirect/ Affected Product: Cart Engine Version: 3.0 === Executive Summary === SQL Injection: Using a specially crafted HTTP request, it is possible to exploi...
Cross site request forgery (csrf)
Multiple cross-site request forgery CSRF vulnerabilities in ZPanel 10.0.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that 1 create new FTP users via a CreateFTP action in the ftpmanagement module to the default URI, 2 conduct cross-site scriptin...
Comersus BackOffice 4.x/5.0/6.0 /comersus/database/comersus.mdb Direct Request Database Disclosure
No description provided by source. source: http://www.securityfocus.com/bid/15251/info Comersus BackOfficePlus and BackOfficeLite are prone to multiple input validation and information disclosure vulnerabilities. The applications are prone to SQL injection attacks, information disclosure and...
Web Chat Manager 2.0 HTML Code Injection Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/7190/info It has been reported that Web Chat Manager is prone to HTML injection attacks. This problem occurs due to insufficient sanitization of user-supplied input. As a result of this insufficiency an attacker may embed...
ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability
ESA-2014-024.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability EMC Identifier: ESA-2014-024 CVE Identifier: CVE-2014-2503 Severity Rating: CVSS v2 Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P Affected products: • E...
USPS Spam Campaign Drops Asprox Botnet Malware
A new spam campaign has emerged in support of the Asprox botnet. The scheme involves shipping receipt emails that contain malicious links and purport to come from the United States Postal Service USPS. Anyone who receives one of these emails and clicks on the link therein will have a zip file...
CVE-2014-2936
The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via 1 the maindirhotfolder parameter to dirmng/index.php, or an unspecified parameter to 2 PPD/index.php, 3 dirmng/docmd.php, or 4 dirmng/param.php...
CVE-2014-2936
The CVE-2014-2936 entry concerns Caldera 9.20’s directory manager. The vulnerability stems from dynamic/global variable scope handling in multiple scripts (dirmng/index.php, PPD/index.php, dirmng/docmd.php, dirmng/param.php, via maindir_hotfolder or an unspecified parameter), enabling variable-in...
Automated NoSQL Database Injection Attacks: NoSQLMap
NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases as well as web applications using NoSQL in order to disclose data from the database. It is named as a tribute to Bernardo Damele and...
Sitecore XML Cross Site Scripting
Hey All, Sitecores special way of displaying XML Controls directly allows for a Cross Site Scripting Attack more can be achieved with these XML Controls and will be documented in another vulnerability report http://target/?xmlcontrol=body%20onload=alert123...
[NOSQLMap] NoSQLMap-Automated NoSQL Database pwnage
What is NoSQLMap? NoSQLMap is an open source Python tool designed to audit for as well as automate injection attacks and exploit default configuration weaknesses in NoSQL databases, as well as web applications using NoSQL in order to disclose data from the database. It is named as a tribute to...
phpMyAdmin 3.5.x < 3.5.8.2 / 4.0.x < 4.0.4.2 Multiple Vulnerabilities
Binary data 6967.prm...
shopEx the latest version of the API injection vulnerability analysis attached to the use of the exp-bug warning-the black bar safety net
The defect file: \core\api\payment\2.0\apib2b20paymentcfg.php core\api\payment\1.0\apib2b20paymentcfg.php Section 4 row 4 $data'columns' do not filter lead injection Packed sentence of ShopEx to the API operation the module does not do authentication, any user can access,the attacker can be to th...
CVE-2013-3573
HP Insight Diagnostics 9.4.0.4710 allows remote attackers to conduct unspecified injection attacks via unknown vectors...
Peer-to-Peer Botnet Takedowns a Challenge
The FBI, Justice Department and technology companies have had success shutting down botnets that rely on a centralized infrastructure and command and control servers to communicate with bots, steal data or send malicious commands. Peer-to-peer botnets, however, have proven more difficult to take...
[SECURITY] [DSA 2671-1] request-tracker4 security update
------------------------------------------------------------------------- Debian Security Advisory DSA-2671-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso May 22, 2013 http://www.debian.org/security/faq -...
CVE-2013-0175
multixml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption involvin...
CVE-2013-3221
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attack...