
5077 matches found

Prion
added 2020/09/14 8:15 p.m. | 13 views

Design/Logic Flaw

An issue was discovered in KaiOS 2.5. The pre-installed Recorder application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Recorder application. At a bare minimum, this allows an attacker to take control over the Recorder application's...

CVSS 1.9 | AI score 5 | EPSS 0.00405
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2020/09/14 8:15 p.m. | 10 views

Design/Logic Flaw

An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI e.g.,...

CVSS 1.9 | AI score 5 | EPSS 0.00405
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2020/09/14 8:15 p.m. | 10 views

Design/Logic Flaw

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.1. The pre-installed Radio application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Radio application. At a bare minimum, this allows an attacker to take control over the Radio...

CVSS 1.9 | AI score 5 | EPSS 0.00383
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2020/09/14 7:24 p.m. | 46 views

CVE-2019-14761

CVE-2019-14761 affects KaiOS 2.5, specifically the pre-installed Note application. The vulnerability is HTML/JavaScript injection in the Note app, exploitable by a local attacker to inject arbitrary HTML and take control of the app’s UI (e.g., prompt user to re-enter KaiOS credentials) and to abu...

CVSS 4.4 | AI score 4.9 | EPSS 0.00405
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2020/09/14 7:21 p.m. | 46 views

CVE-2019-14760

The CVE-2019-14760 issue affects KaiOS 2.5 and its pre-installed Recorder application, described as HTML/JavaScript injection. A local attacker can inject arbitrary HTML into the Recorder UI, potentially displaying prompts to capture credentials or otherwise abusing the app’s privileges. The conn...

CVSS 4.4 | AI score 4.9 | EPSS 0.00405
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2020/09/14 7:17 p.m. | 42 views

CVE-2019-14759

The CVE-2019-14759 entry applies to KaiOS 1.0, 2.5, and 2.5.1, affecting the pre-installed Radio app. A local attacker can perform HTML/JavaScript injection to inject arbitrary HTML into the Radio UI, potentially prompting credential re-entry and enabling abuse of the app’s privileges. This descr...

CVSS 4.4 | AI score 4.9 | EPSS 0.00383
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2020/09/14 7:17 p.m. | 18 views

CVE-2019-14759

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.1. The pre-installed Radio application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Radio application. At a bare minimum, this allows an attacker to take control over the Radio...

AI score 4.9 | EPSS 0.00383
Exploits: 0 | References: 1

OSV
added 2020/09/14 7:15 p.m. | 4 views

CVE-2019-14756

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. A...

CVSS 6.1 | AI score 6.4 | EPSS 0.00798
Exploits: 1 | References: 1

Prion
added 2020/09/14 7:15 p.m. | 14 views

Input validation

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. A...

CVSS 4.3 | AI score 6.3 | EPSS 0.00798
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2020/09/14 7:13 p.m. | 47 views

CVE-2019-14758

CVE-2019-14758 affects KaiOS 2.5 and 2.5.1. The pre-installed File Manager is vulnerable to HTML/JavaScript injection when a victim opens a file received via email and downloaded. The issue can let an attacker take control of the File Manager UI (for example, showing a malicious prompt to harvest...

CVSS 6.1 | AI score 6.4 | EPSS 0.00835
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2020/09/14 7:07 p.m. | 50 views

CVE-2019-14757

CVE-2019-14757 affects KaiOS 2.5 and 2.5.1. The pre-installed Contacts app is vulnerable to HTML and JavaScript injection when a victim imports a crafted vCard file. The issue enables an attacker to inject HTML into the Contacts UI, potentially displaying malicious prompts and prompting users to ...

CVSS 6.1 | AI score 6.4 | EPSS 0.00835
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2020/09/14 6:32 p.m. | 20 views

CVE-2019-14756

An issue was discovered in KaiOS 1.0, 2.5, and 2.5.12.5. The pre-installed Email application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. A...

AI score 6.4 | EPSS 0.00798
Exploits: 1 | References: 1

CVE
added 2020/09/14 6:32 p.m. | 41 views

CVE-2019-14756

KaiOS Email app (pre-installed) on KaiOS 1.0, 2.5 and 2.5.12.5 is vulnerable to HTML/JavaScript injection via specially crafted emails. When such an email is opened, HTML can be injected into the Email UI, potentially allowing UI control (e.g., prompting for credentials) and abuse of app privileg...

CVSS 6.1 | AI score 6.4 | EPSS 0.00798
Exploits: 1 | References: 1 | Affected Software: 1

OSV
added 2020/09/14 12:15 p.m. | 2 views

CVE-2020-21732

Rukovoditel Project Management app 2.6 is affected by: Cross Site Scripting (XSS). An attacker can add JavaScript code to the filename...

CVSS 6.1 | AI score 6.4 | EPSS 0.00864
Exploits: 0 | References: 3

OSV
added 2020/09/14 12:15 p.m. | 1 view

CVE-2020-21731

Gazie 7.29 is affected by: Cross Site Scripting (XSS) via http://192.168.100.7/gazie/modules/config/adminutente.php?username=amministratore&Update. An attacker can inject JavaScript code, and the web application stores the injected code...

CVSS 6.1 | AI score 6.4 | EPSS 0.00864
Exploits: 0 | References: 3

Prion
added 2020/09/14 12:15 p.m. | 13 views

Cross site scripting

Gazie 7.29 is affected by: Cross Site Scripting (XSS) via http://192.168.100.7/gazie/modules/config/adminutente.php?username=amministratore&Update. An attacker can inject JavaScript code, and the web application stores the injected code...

CVSS 4.3 | AI score 6 | EPSS 0.00864
Exploits: 0 | References: 3 | Affected Software: 1

Tenable Nessus
added 2020/09/14 12:00 a.m. | 47 views

Debian DLA-2371-1 : wordpress security update

Multiple vulnerabilities were discovered in WordPress, a popular content management framework. CVE-2019-17670: WordPress has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. CVE-2020-4047: Authenticated users with uplo...

CVSS 9.8 | AI score 6.4 | EPSS 0.0451
Exploits: 0 | References: 8

Debian
added 2020/09/11 2:42 p.m. | 43 views

[SECURITY] [DLA 2371-1] wordpress security update

Debian LTS Advisory DLA-2371-1 [email protected] https://www.debian.org/lts/security/ September 11, 2020 https://wiki.debian.org/LTS ...

CVSS 9.8 | AI score 7.4 | EPSS 0.0451
Exploits: 0

Prion
added 2020/08/29 8:15 p.m. | 14 views

Cross site scripting

The Table Filter and Charts for Confluence Server app before 5.3.25 for Atlassian Confluence allows remote attackers to inject arbitrary HTML or JavaScript via cross-site scripting (XSS) through the provided Markdown markup to the "Table from CSV" macro...

CVSS 3.5 | AI score 8 | EPSS 0.00935
Exploits: 0 | References: 1 | Affected Software: 1

Tenable Nessus
added 2020/08/25 12:00 a.m. | 40 views

Atlassian Jira 7.6.x < 8.5.4, 8.6.x < 8.7.1 Stored XSS (JRASERVER-70814)

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is version 7.6.x prior to 8.5.4 or 8.6.x prior to 8.7.1. It is, therefore, affected by a stored cross-site scripting (XSS) vulnerability in the REST API component. An authenticated, remote...

CVSS 5.4 | AI score 5.7 | EPSS 0.00886
Exploits: 0 | References: 5