Oracle: Security Advisory (ELSA-2011-0909)

The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

The vulnerability of the SAP Afaria mobile device management program allows a hacker to inject arbitrary JavaScript code.

The vulnerability of the SAP Afaria mobile device management program allows a malicious actor to inject arbitrary JavaScript code by sending a specially crafted request to the Xcomms network service...

IBM OpenPages GRC Platform Cross-Site Scripting Vulnerability (CNVD-2015-06298)

IBM OpenPages GRC Platform is a suite of governance, risk and compliance platforms for managing enterprise risk and compliance challenges. A cross-site scripting vulnerability exists in IBM OpenPages GRC Platform, which allows remote attackers to exploit the vulnerability to inject malicious scri...

Invision Power Board (IP.Board) 4.x - Persistent Cross-Site Scripting

Exploit Title: IP.Board 4.X Stored XSS Date: 27-08-2015 Software Link: https://www.invisionpower.com/ Exploit Author: snop. Contact: http://twitter.com/rabbitzorg Website: http://rabbitz.org Category: webapps 1. Description A registered or non-registered user can create a calendar event including...

mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

A flaw was found in the way the modcluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the modcluster manager web interface...

mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

A flaw was found in the way the modcluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the modcluster manager web interface...

Firefox PDF.js Privileged Javascript Injection

This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. This module requires Metasploit:...

Apache Ranger JavaScript Code Injection Vulnerability

Apache Ranger is the Apache Software Foundation's architecture for implementing comprehensive security measures for Hadoop clusters, providing centralized security policy management for core enterprise security requirements such as authorization, billing, and data protection. A security...

Hide My WP <= 4.53 - Stored-Cross Site Scripting (XSS)

An attacker can make a fake attack attempt which will be logged, and can inject JavaScript. PoC curl --referer 'you are using bad filtering for input ript alert"XSS here" ript; :; ;' http://example.com...

RT -- two XSS vulnerabilities

Best Practical reports: RT 4.0.0 and above are vulnerable to a cross-site scripting XSS attack via the user and group rights management pages. This vulnerability is assigned CVE-2015-5475. It was discovered and reported by Marcin Kopec at Data Reliance Shared Service Center. RT 4.2.0 and above ar...

Mozilla Firefox PDF Viewer Same-Origin Bypass Information Disclosure Vulnerability

Mozilla Firefox is an open source WEB browser. Mozilla Firefox PDF Viewer suffers from a security vulnerability that allows remote attackers to construct malicious WEB pages and trick users into parsing them, bypassing the same-origin policy, injecting arbitrary JavaScript into PDF Viewer, and...

MGASA-2015-0302 Updated moodle package fixes security vulnerabilities

In Moodle before 2.8.7, phishing is possible when redirecting to external site using referer headers in error messages CVE-2015-3272. In Moodle before 2.8.7, several web services returning user information did not clean text in text custom profile fields, leading to possible XSS CVE-2015-3274. In...

Updated moodle package fixes security vulnerabilities

In Moodle before 2.8.7, phishing is possible when redirecting to external site using referer headers in error messages CVE-2015-3272. In Moodle before 2.8.7, several web services returning user information did not clean text in text custom profile fields, leading to possible XSS CVE-2015-3274. In...

Slack: OSX slack:// protocol handler javascript injection

The Mac Slack app version 1.1 introduced the slack:// protocol handler. Due to improper input sanitization, arbitrary Javascript code can be run in the context of the client app if the user clicks on a slack:// link on a website or email. I have confirmed this issue still exists in the 1.1.1...

QNAP TS-x09 Turbo NAS Cross Site Scripting

On the 7th of July 2015 I discovered a reflected cross-site scripting XSS vulnerability in QNAP TS-x09 Network Attached Storage devices. Full disclosure was undertaken with the vendor and a CVE-ID has been requested from Mitre. CVE-ID: requested via PGP email 7th July 2015 Author: Mark Cross...

Moodle JavaScript Code Injection Vulnerability

Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment, developed by Dr. Martin Dougiamas of Australia. A security vulnerability exists in Moodle. An attacker can exploit this vulnerability ...

moodle -- multiple vulnerabilities

Marina Glancy reports: MSA-15-0026: Possible phishing when redirecting to external site using referer header. CVE-2015-3272 MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum CVE-2015-3273 MSA-15-0028: Possible XSS through custom...

(Pwn2Own) Apple OS X XSS Sandbox Bypass Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple OS X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within certain URLs in the...

Concrete CMS: No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group

crayons There is no csrf protection on index.php/ccm/system/user/addgroup, and index.php/ccm/system/user/removegroup. A malicious POST request can be constructed to add or remove group membership from arbitrary users, if a logged-in admin surfs to a compromised site. For example, a registered use...

mod_cluster: JavaScript code injection is possible via MCMP mod_manager messages

A flaw was found in the way the modcluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the modcluster manager web interface...