Lucene search

456 matches found

Prion
added 2014/12/01 4:59 p.m. | 15 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response...

CVSS 4.3 | AI score 5.7 | EPSS 0.00248
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2014/12/01 4:00 p.m. | 14 views

CVE-2014-9153

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response...

AI score 5.3 | EPSS 0.00248
Exploits: 0 | References: 2
CVE
added 2014/12/01 4:00 p.m. | 37 views

CVE-2014-9153

CVE-2014-9153 is an XSS vulnerability in the Drupal Services module for Drupal 7.x-3.x, present before 7.x-3.10. The issue arises from an unfiltered JSONP callback parameter, allowing remote authenticated users to inject arbitrary JavaScript in a JSONP response. Affected version range is Services ...

CVSS 4.3 | AI score 5.4 | EPSS 0.00248
Exploits: 0 | References: 2 | Affected Software: 1
Drupal
added 2014/09/24 12:00 a.m. | 16 views

SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in userresourcecreate When creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...

CVSS 7.5 | AI score 5.8 | EPSS 0.00519
Exploits: 0 | References: 13
Tenable Nessus
added 2014/09/12 12:00 a.m. | 28 views

Mandriva Linux Security Advisory : bugzilla (MDVSA-2014:169)

Updated bugzilla packages fix security vulnerabilities: Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT...

CVSS 4.3 | AI score 5.2 | EPSS 0.0017
Exploits: 0 | References: 2
securityvulns
added 2014/08/26 12:00 a.m. | 58 views

[SECURITY] [DSA 3011-1] mediawiki security update

Debian Security Advisory DSA-3011-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2014 http://www.debian.org/security/faq ...

CVSS 6.8 | AI score 1.5 | EPSS 0.00368
Exploits: 2
Mageia
added 2014/08/25 8:44 a.m. | 41 views

Updated bugzilla packages fix a CSRF vulnerability

Updated bugzilla packages fix security vulnerabilities: Adobe does not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against Bugzilla's JSONP endpoint, possibly obtaining sensitive bug information, via a crafted OBJECT...

CVSS 4.3 | AI score 6.3 | EPSS 0.0017
Exploits: 0 | References: 2
Tenable Nessus
added 2014/08/25 12:00 a.m. | 29 views

Debian DSA-3011-1 : mediawiki - security update

It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, whi...

CVSS 6.8 | AI score 8.3 | EPSS 0.00368
Exploits: 2 | References: 8
Debian
added 2014/08/23 3:27 p.m. | 28 views

[SECURITY] [DSA 3011-1] mediawiki security update

Debian Security Advisory DSA-3011-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2014 http://www.debian.org/security/faq ...

CVSS 6.8 | AI score 6.5 | EPSS 0.00368
Exploits: 2
Debian
added 2014/08/23 3:27 p.m. | 20 views

[SECURITY] [DSA 3011-1] mediawiki security update

Debian Security Advisory DSA-3011-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2014 http://www.debian.org/security/faq ...

CVSS 6.8 | AI score 1.4 | EPSS 0.00368
Exploits: 2
OSV
added 2014/08/23 12:00 a.m. | 24 views

DSA-3011-1 mediawiki - security update

Bulletin has no description...

CVSS 6.8 | AI score 6.1 | EPSS 0.00368
Exploits: 2
OpenVAS
added 2014/08/23 12:00 a.m. | 26 views

Debian Security Advisory DSA 3011-1 (mediawiki - security update)

It was discovered that MediaWiki, a website engine for collaborative work, is vulnerable to JSONP injection in Flash (CVE-2014-5241) and clickjacking between OutputPage and ParserOutput (CVE-2014-5243). The vulnerabilities are addressed by upgrading MediaWiki to the new upstream version 1.19.18, whi...

CVSS 6.8 | EPSS 0.00368
Exploits: 2 | References: 1
OSV
added 2014/08/22 5:55 p.m. | 4 views

CVE-2014-5241

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

AI score 6.3
Exploits: 0 | References: 9
OSV
added 2014/08/22 5:55 p.m. | 1 views

DEBIAN-CVE-2014-5241

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

CVSS 6.8 | AI score 8.8 | EPSS 0.00315
Exploits: 1 | References: 1
UbuntuCve
added 2014/08/22 5:55 p.m. | 26 views

CVE-2014-5241

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

CVSS 6.8 | AI score 7.2 | EPSS 0.00315
Exploits: 1 | References: 3
Prion
added 2014/08/22 5:55 p.m. | 20 views

Cross site request forgery (csrf)

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

CVSS 6.8 | AI score 7 | EPSS 0.00315
Exploits: 1 | References: 7 | Affected Software: 1
CVE
added 2014/08/22 5:00 p.m. | 70 views

CVE-2014-5241

CVE-2014-5241 affects MediaWiki’s JSONP endpoint (includes/api/ApiFormatJson.php) and allows CSRF exploitation and potential information disclosure via crafted JSONP responses when certain long callback values are used. The underlying issue is improper restriction of the initial bytes of a JSONP ...

CVSS 6.8 | AI score 6.1 | EPSS 0.00315
Exploits: 1 | References: 7 | Affected Software: 1
Cvelist
added 2014/08/22 5:00 p.m. | 18 views

CVE-2014-5241

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

AI score 6.2 | EPSS 0.00315
Exploits: 1 | References: 7
Debian CVE
added 2014/08/22 5:00 p.m. | 29 views

CVE-2014-5241

The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site...

CVSS 6.8 | AI score 8.6 | EPSS 0.00315
Exploits: 1
OpenVAS
added 2014/08/22 12:00 a.m. | 25 views

Debian: Security Advisory (DSA-3011-1)

The remote host is missing an update for the Debian...

CVSS 6.8 | AI score 7 | EPSS 0.00368
Exploits: 2 | References: 3