QNAP QTS APP Center Cross-Site Scripting Vulnerability

QNAP QTS is a Turbo NAS operating system from QNAP Systems that provides file storage, management, backup, multimedia applications and security monitoring. The system provides file storage, management, backup, multimedia applications and security monitoring, etc. APP Center is one of the...

CVE-2017-13072

Cross-site scripting XSS vulnerability in App Center in QNAP QTS 4.2.6 build 20171208, QTS 4.3.3 build 20171213, QTS 4.3.4 build 20171223, and their earlier versions could allow remote attackers to inject Javascript code...

Security Bulletin: IBM HTTP Server Response Time module is affected by JavaScript injection vulnerability.

Summary IBM HTTP Server Response Time module, which is delivered as part of IBM Performance Management, has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-1441 DESCRIPTION: IBM Application Performance Management - Response Time Monitoring Agent is vulnerable to...

Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Javascript Injection Attack (CVE-2017-1305)

Summary An undisclosed security vulnerability in IBM Rational DOORS Next Generation may allow a JavaScript Injection attack Vulnerability Details CVEID: CVE-2017-1305 DESCRIPTION: IBM DOORS Next Generation DNG/RRC is vulnerable to cross-site scripting. This vulnerability allows users to embed...

Security Bulletin: IBM Call Center for Commerce is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2016-6056)

Summary IBM Call Center for Commerce is vulnerable to a cross-site scripting attack which could lead to unauthorized access through the injected scripts. Vulnerability Details CVEID: CVE-2016-6056 DESCRIPTION: IBM Call Center for Commerce is vulnerable to cross-site scripting. This vulnerability...

Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) - CVE-2017-1425

Summary IBM BPM reflects untrusted user input without fully removing HTML markup. This might allow controlling parts of the user interface, possibly script injection. Vulnerability Details CVEID: CVE-2017-1425 DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This...

LuckyMouse hits national data center to organize country-level waterholing campaign

What happened? In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government...

QNAP QTS App Center XSS Vulnerability (NAS-201805-16)

QNAP QTS is prone to a cross-site scripting XSS vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/o:qnap:qts"; if...

DEBIAN-CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVE-2017-7840

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

CVE-2017-7840

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

Code injection

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

Cross site scripting

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVE-2017-7799

JavaScript in the "about:webrtc" page is not sanitized properly being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting XSS attack...

CVE-2017-7840

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

CVE-2017-7840

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

ClassLink OneClick Browser Extension / Agent Universal XSS / Remote Code Execution

The ClassLink OneClick Browser Extension and the ClassLink Agent are vulnerable to Universal XSS and Remote Code Execution. Vendor has released software updates to fix both vulnerabilities on 3 June 2018. === Vendor === ClassLink: https://www.classlink.com === Vulnerability 1: Universal XSS throu...