CVE-2018-3747
The public node module versions = 1.0.3 allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript...
Design/Logic Flaw
The public node module versions = 1.0.3 allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript...
CVE-2018-3747
The public node module versions = 1.0.3 allows to embed HTML in file names, which in certain conditions might lead to execute malicious JavaScript...
CVE-2018-3747
CVE-2018-3747 concerns the public Node.js module (versions
Stored Cross-Site Scripting Vulnerability in Udesk Online Counseling System
Udesk online consulting system is an industry customer service solution for businesses. A stored cross-site scripting vulnerability exists in Udesk Online Consultation System. Attackers can use the vulnerability to insert malicious js code in the page, obtain user cookies and other sensitive...
Cross-Site Scripting (XSS)
qutebrowser is vulnerable to cross-site scripting attacks. The attack exists in the history command, qute://history page through which an attacker can inject malicious JavaScript to steal a user's browsing history when the user visits a page with an html input element as its title...
WordPress Ultimate Form Builder Lite Plugin Cross-Site Scripting Vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability in the WordPress Ultimate Form Builder Lite plugin allows attackers to construct URLs th...
Chinese Hackers Carried Out Country-Level Watering Hole Attack
Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers fr...
SAP Hana DB, UI5 and UI Cross-Site Scripting Vulnerabilities
SAP Hana DB, UI5, and UI are products of SAP. SAP Hana DB is an in-memory database based on rows and columns. UI5 and UI are JavaScript-based UI libraries that integrate a large number of UI controls. A security vulnerability exists in SAP Hana DB, UI5, and UI that stems from the program's failure to validate us...
Malicious JavaScript Package Detection
Detection and reporting of known malicious JavaScript packages or package versions. SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescripti...
CVE-2018-5158
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...
Authorization
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. Thi...
CVE-2018-5176
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. Thi...
Cross site scripting
An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-site scripting XSS vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CS...
CVE-2018-11485
The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce - Orders admin page. The attack is possible by modifying the "referralsite" cookie to have an XSS payload, and...
Node.js third-party modules: [serve] Stored XSS in the filename when directories listing
I would like to report a Stored XSS issue in module serve It allows executing malicious javascript code in the user's browser. Module module name: serve version: 7.0.1 npm page: https://www.npmjs.com/package/serve Module Description Assuming you would like to serve a static site, single page...
CVE-2018-5176
The JSON Viewer displays clickable hyperlinks for strings that are parseable as URLs, including "javascript:" links. If a JSON file contains malicious JavaScript script embedded as "javascript:" links, users may be tricked into clicking and running this code in the context of the JSON Viewer. Thi...
CVE-2018-5158
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...
Huawei AppGallery Arbitrary Code Execution Vulnerability
Huawei AppGallery is a software from Huawei China that is integrated into Huawei phones for downloading third-party applications. A security vulnerability exists in Huawei AppGallery versions prior to 8.0.4.301. The vulnerability can be exploited to bypass the whitelisting mechanism, load and...
Fake Software Update Abuses NetSupport Remote Access Tool
Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...