4727 matches found

UbuntuCve
added 2015/01/14 12:0 a.m. | 28 views

CVE-2014-8636

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors...

7.5 CVSS | 7.2 AI score | 0.83612 EPSS
Exploits 4 | References 3

Packet Storm
added 2015/01/13 12:0 a.m. | 49 views

WoltLab Burning Board 4.0 Tapatalk Cross Site Scripting

Advisory: Cross-site Scripting in Tapatalk Plugin for WoltLab Burning Board 4.0. RedTeam Pentesting discovered a cross-site scripting (XSS) vulnerability in the Tapatalk plugin for the WoltLab Burning Board forum software, which allows attackers to inject arbitrary JavaScript code via URL parameters...

4.3 CVSS | 6.7 AI score | 0.00378 EPSS
Exploits 2

FreeBSD
added 2015/01/08 12:0 a.m. | 41 views

rabbitmq -- Security issues in management plugin

The RabbitMQ project reports: Some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI: When a user unqueued a message from the management UI, message details (header names, arguments, etc.) were displayed unescaped. An attacker could...

3.5 CVSS | 7 AI score | 0.00185 EPSS
Exploits 0 | References 2

The Hacker News
added 2014/12/29 12:39 a.m. | 35 views

Hacking Facebook Accounts Using Android 'Same Origin Policy' Vulnerability

A serious security vulnerability has been discovered in the default web browser of the Android OS lower than 4.4 running on a large number of Android devices that allows an attacker to bypass the Same Origin Policy (SOP). The Android Same Origin Policy (SOP) vulnerability (CVE-2014-6041) was first...

5.8 CVSS | 8.2 AI score | 0.77565 EPSS
Exploits 7

CVE
added 2014/12/26 2:0 a.m. | 47 views

CVE-2011-1796

CVE-2011-1796 is a use-after-free in WebKit’s FrameView.cpp (WebCore) affecting Google Chrome up to version 11.0.696.65. The flaw allows a remote attacker to crash the browser (DoS) or potentially cause other impact via crafted JavaScript that calls removeChild while interacting with a FRAME elem...

7.5 CVSS | 7.4 AI score | 0.00561 EPSS
Exploits 0 | References 3 | Affected Software 1

securityvulns
added 2014/12/22 12:0 a.m. | 126 views

Persistent XSS Vulnerability in CMS Papoo Light v6.0.0 Rev. 4701

Advisory: Persistent XSS Vulnerability in CMS Papoo Light v6. Advisory ID: SROEADV-2014-01. Author: Steffen Rösemann. Affected Software: CMS Papoo Version 6.0.0 Rev. 4701. Vendor URL: http://www.papoo.de/. Vendor Status: fixed. CVE-ID: -. Vulnerability Description:...

5.9 AI score
Exploits 0

NVD
added 2014/10/08 5:55 p.m. | 10 views

CVE-2014-7205

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors...

10 CVSS | 7.7 AI score | 0.84242 EPSS
Exploits 6 | References 6

NVD
added 2014/10/08 10:55 a.m. | 15 views

CVE-2014-3191

Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree,...

7.5 CVSS | 7.2 AI score | 0.00755 EPSS
Exploits 0 | References 5

NVD
added 2014/10/08 10:55 a.m. | 21 views

CVE-2014-3190

Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that...

7.5 CVSS | 7.2 AI score | 0.00755 EPSS
Exploits 0 | References 5

NVD
added 2014/10/08 10:55 a.m. | 22 views

CVE-2014-3195

Google V8, as used in Google Chrome before 38.0.2125.101, does not properly track JavaScript heap-memory allocations as allocations of uninitialized memory and does not properly concatenate arrays of double-precision floating-point numbers, which allows remote attackers to obtain sensitive...

5 CVSS | 8.2 AI score | 0.00492 EPSS
Exploits 0 | References 6

Prion
added 2014/10/08 10:55 a.m. | 25 views

Design/Logic Flaw

Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that...

7.5 CVSS | 7.7 AI score | 0.00755 EPSS
Exploits 0 | References 5 | Affected Software 5

Cvelist
added 2014/10/08 10:0 a.m. | 21 views

CVE-2014-3190

Use-after-free vulnerability in the Event::currentTarget function in core/events/Event.cpp in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that...

7 AI score | 0.00755 EPSS
Exploits 0 | References 5

Debian CVE
added 2014/10/08 10:0 a.m. | 15 views

CVE-2014-3191

Removed by vendor...

7.5 CVSS | 9.4 AI score | 0.00755 EPSS
Exploits 0

Debian CVE
added 2014/10/08 10:0 a.m. | 30 views

CVE-2014-3195

Removed by vendor...

5 CVSS | 9.3 AI score | 0.00492 EPSS
Exploits 0

Debian CVE
added 2014/10/08 10:0 a.m. | 23 views

CVE-2014-3190

Removed by vendor...

7.5 CVSS | 9.4 AI score | 0.00755 EPSS
Exploits 0

Cvelist
added 2014/10/08 10:0 a.m. | 24 views

CVE-2014-3191

Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree,...

7.1 AI score | 0.00755 EPSS
Exploits 0 | References 5

UbuntuCve
added 2014/10/08 12:0 a.m. | 21 views

CVE-2014-3191

Use-after-free vulnerability in Blink, as used in Google Chrome before 38.0.2125.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers a widget-position update that improperly interacts with the render tree,...

7.5 CVSS | 7.3 AI score | 0.00755 EPSS
Exploits 0 | References 5

Packet Storm
added 2014/10/07 12:0 a.m. | 43 views

Nessus Web UI 2.3.3 Cross Site Scripting

Nessus Web UI 2.3.3: Stored XSS. CVE number: CVE-2014-7280. Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html. Vendor advisory: http://www.tenable.com/security/tns-2014-08. Info: Nessus is a proprietary...

4.3 CVSS | 6.6 AI score | 0.06564 EPSS
Exploits 6

Hacker One
added 2014/10/05 5:2 a.m. | 30 views

Concrete CMS: Stored XSS in concrete5 5.7.0.4.

Hello. I found stored XSS in concrete5 5.7.0.4. If the user has file upload permission, the user can upload a file named like ".txt and the file name is displayed without being escaped, and when another user accesses the file manager page, JavaScript code is executed on page load. Regards...

6.5 AI score
Exploits 0

Prion
added 2014/10/04 10:55 a.m. | 14 views

Design/Logic Flaw

The login page on the ZyXEL SBG-3300 Security Gateway with firmware 1.00AADY.4C0 and earlier allows remote attackers to cause a denial of service (persistent web-interface outage) via JavaScript code within unspecified "welcome message" form data that is improperly handled during use for the loginM...

5 CVSS | 7.1 AI score | 0.00687 EPSS
Exploits 6 | References 4 | Affected Software 1