Mezzanine Cross-Site Scripting Vulnerability

Mezzanine CMS is a set of open source content management system CMS built using the DJANGO framework. A cross-site scripting vulnerability exists in admin/blog/blogpost/add/ in Mezzanine CMS version 4.3.1. A remote attacker can create a cross-site scripting vulnerability in...

Security Bulletin: IBM Security Guardium is affected by a Query Parameter in SSL Request vulnerability

Summary IBM Security Guardium has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2017-1272 DESCRIPTION: IBM Security Guardium stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server...

PT-2018-5647 · Insteon · Insteon Hub

Name of the Vulnerable Software and Affected Versions: Insteon Hub version 1012 Description: A stack-based buffer overflow issue exists due to the HTTP server implementation unsafely extracting parameters from the query string, leading to a buffer overflow on the stack. An attacker can send an HT...

Web Application Penetration Testing Tool: Tracy

Tracy is a pentesting tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner. tracy should be used during the mapping-the-application phase of the pentest to identify sources of input and their corresponding outputs. tracy...

IBM API Connect Information Disclosure Vulnerability (CNVD-2018-03882)

IBM API Connect aka APIConnect is an integrated solution for managing the API lifecycle from IBM USA. The solution supports creating, running, managing and securing APIs, microservices and more. An information disclosure vulnerability exists in IBM API Connect versions 5.0.7.0 through 5.0.7.2 and...

Design/Logic Flaw

IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote user to modify query parameters to obtain sensitive information. IBM X-Force ID: 136859...

CVE-2017-1785

IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote user to modify query parameters to obtain sensitive information. IBM X-Force ID: 136859...

XSS vulnerability in phpok version 4.8.278

phpok is a set of enterprise website system developed by Shenzhen锟絪 technology limited company using PHP+MYSQL language. An XSS vulnerability exists in phpok version 4.8.278. The vulnerability stems from insufficient filtering of URL jump parameters, which can be exploited by attackers to obtain...

CVE-2018-5977

SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&pricetype=range&price= request...

UBUNTU-CVE-2017-7559

In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that als...

undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...

undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)

It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...

Reflected cross-site scripting vulnerability in FineCMS Security.php file

FineCMS is an efficient and simple small and medium-sized content management system based on PHP+MySql+CI framework. A reflective cross-site scripting vulnerability exists in the FineCMS Security.php file. The vulnerability is due to insufficient checking and filtering of user-submitted request...

CVE-2017-8044

In Pivotal Single Sign-On for PCF 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, certain pages allow code to be injected into the DOM environment through query parameters, leading to XSS attacks...

GHSA-FH39-V733-MXFR Active Record vulnerable to SQL Injection via nested query parameters

The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...

activerecord vulnerable to SQL Injection

The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...

activerecord vulnerable to SQL Injection

The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...

SQL Injection Vulnerability in Ruby on Rails

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...

Apache Hadoop Cross-Site Scripting Vulnerability

Apache Hadoop is a software framework that supports data-intensive distributed applications and is released under the Apache 2.0 license. A cross-site scripting vulnerability exists in Apache Hadoop versions prior to 2.7.0. A remote attacker can exploit this vulnerability to perform cross-site...

Sensitive Data in URL GET Query Parameters

PMASA-2016-14 Announcement-ID: PMASA-2016-14 Date: 2016-05-25 Updated: 2016-05-30 Summary Sensitive Data in URL GET Query Parameters Description Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attacke...