Fedora 20 : mediawiki-1.21.3-1.fc20 (2013-22047)
Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly...
Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). Internal review while debugging a site issue discovered that...
MGASA-2013-0368 Updated mediawiki packages fix security vulnerabilities
Updated mediawiki packages fix security vulnerabilities: Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). Internal review while debugging a site issue discovered that...
Helpdesk Pilot Cross Site Request Forgery / Cross Site Scripting
Ciaran McNally Application: Helpdesk Pilot http://www.helpdeskpilot.com/ Versions: All versions. Platforms: Windows, Mac, Linux Bug: XSS/CSRF Add Administrator Exploitation: WEB Date: 30 November 2013. Author: Ciaran McNally Web: http://makthepla.net/blog/=/helpdesk-pilot-add-admin My Twitter:...
Fedora 19 : mediawiki-1.21.3-1.fc19 (2013-21856)
Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly...
Fedora 18 : mediawiki-1.19.9-1.fc18 (2013-21874)
Kevin Israel (Wikipedia user PleaseStand) identified and reported two vectors for injecting JavaScript in CSS that bypassed MediaWiki's blacklist (CVE-2013-4567, CVE-2013-4568). - Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly...
Claroline 1.11.8 Cross Site Scripting Vulnerability
Malicious users can inject JavaScript and HTML, and an attacker can steal the session cookie and take over the account. Exploit Title: Claroline 1.11.8 Cross Site Scripting Date: 2013 11 October Author: Arsan Software Homepage: http://www.claroline.net Version : 1.11.8 Security Risk: High Tested on:...
Moodle 2.3.82.4.5 - Multiple Vulnerabilities
Moodle 2.3.82.4.5 - Multiple Vulnerabilities Ciaran McNally Application: Moodle http://download.moodle.org/ Versions: parameter in an rss feed is vulnerable to javascript injection. This blog post is viewable by everyone on moodle and you can link to it directly. Upon clicking the "Link to origin...
Moodle 2.3.9 / 2.4.9 Javascript Insertion
Ciaran McNally Application: Moodle http://download.moodle.org/ Versions: parameter in an rss feed is vulnerable to javascript injection. This blog post is viewable by everyone on moodle and you can link to it directly. Upon clicking the "Link to original blog entry" link, you get javascript...
Hewlett-Packard Application Lifecycle Management Quality Center Multiple Cross-Site Scripting Vulnerabilities
This vulnerability allows remote attackers to execute arbitrary client side script on vulnerable installations of HP Application Lifecycle Management Quality Center. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file...
Cisco Linksys E4200 Firmware - XSS/LFI Vulnerabilities
Exploit for hardware platform in category web applications. XSS, LFI in Cisco, Linksys E4200 Firmware. URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html...
Cisco Linksys E4200 Cross Site Scripting / Local File Inclusion
XSS, LFI in Cisco, Linksys E4200 Firmware. URL: http://www.cloudscan.me/2013/05/xss-lfi-linksys-e4200-firmware-0d.html...
MongoDB server-side JavaScript injection vulnerability warning - the black bar safety net
Security researcher agixid found a security vulnerability in MongoDB version 2.2.3 and said a Metasploit exploit payload is being developed. The vulnerability is mainly due to MongoDB's incorrect use of the SpiderMonkey JavaScript NativeHelper function; the result can be injected into the...
Qool CMS 2.0 RC2 Cross Site Scripting
Qool CMS v2.0 RC2 Multiple HTML And JavaScript Injection Vulnerabilities input type="hidden" name="lib" value="default"...
Qool CMS 2.0 RC2 - Multiple Vulnerabilities
Qool CMS v2.0 RC2 XSRF Add Root Exploit input...
Alt-N MDaemon 13.0.3 and 12.5.6 Email Body HTML/JS Injection Vulnerability
Exploit for windows platform in category web applications VULNERABILITY DESCRIPTION: ========================== Alt-N MDaemon is prone to an HTML/Javascript injection vulnerability because it fails to sanitize user-supplied input. Attacker-supplied HTML and/or JavaScript code could run in the...
FreeBSD : YUI JavaScript library -- JavaScript injection exploits in Flash components (aa4f86af-3172-11e2-ad21-20cf30e32f6d)
The YUI team reports : Vulnerability in YUI 2.4.0 through YUI 2.9.0 A XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. If your site...
Bugzilla < 3.6.12 / 4.0.9 / 4.2.4 / 4.4rc1 Multiple Vulnerabilities
According to its banner, the version of Bugzilla installed on the remote host is affected by multiple vulnerabilities: - Due to incorrectly filtered field values in tabular reports, code can be injected, which could allow cross-site scripting (XSS). Note that this affects versions 4.1.1 to 4.2.3 a...
Movable Type Pro 5.13en - Persistent Cross-Site Scripting
Source URL: http://www.cloudscan.me/2012/10/cve-2012-1503-movable-type-pro-513en.html Keywords: CVE-2012-1503, Movable Type Pro 5.13en, Stored XSS, JavaScript Injection, Vendor Unresponsive, Full Disclosure Introduction Movable Type MT started as on...
Movable Type Pro 5.13en - Persistent Cross-Site Scripting
Movable Type Pro 5.13en - Persistent Cross-Site Scripting Source URL: http://www.cloudscan.me/2012/10/cve-2012-1503-movable-type-pro-513en.html Keywords: CVE-2012-1503, Movable Type Pro 5.13en, Stored XSS, JavaScript Injection, Vendor Unresponsive,...