
3009 matches found

Packet Storm
added 2019/09/24 12:0 a.m. | 248 views

pfSense 2.3.4 / 2.4.4-p3 Remote Code Injection

Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection Date: 23/09/2018 Author: Nassim Asrir Vendor Homepage: https://www.pfsense.org/ Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: CVE-2019-16701 Tested On: Windows 10 64bit | Pfsense 2.3.4 / 2.4.4-...

AI score: 0.1 | EPSS: 0.20456
Exploits: 4

Exploit DB
added 2019/09/24 12:0 a.m. | 1339 views

Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection

Exploit Title: Pfsense 2.3.4 / 2.4.4-p3 - Remote Code Injection Date: 23/09/2018 Author: Nassim Asrir Vendor Homepage: https://www.pfsense.org/ Contact: [email protected] | https://www.linkedin.com/in/nassim-asrir-b73a57122/ CVE: CVE-2019-16701 Tested On: Windows 10 64bit | Pfsense 2.3.4 / 2.4.4-...

CVSS: 9 | AI score: 7 | EPSS: 0.20456
Exploits: 4

NVD
added 2019/08/21 7:15 p.m. | 17 views

CVE-2019-1896

A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to inject arbitrary commands and obtain root privileges. The vulnerability is due to insufficient validation of user-supplied input in the Certificate...

CVSS: 9 | AI score: 7.3 | EPSS: 0.00801
Exploits: 0 | References: 1

NVD
added 2019/07/23 5:15 p.m. | 9 views

CVE-2018-18670

GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "Extra Contents" parameter, aka the adm/configformupdate.php cf110 parameter...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00363
Exploits: 0 | References: 3

CVE
added 2019/07/23 3:48 p.m. | 38 views

CVE-2018-18673

GNUBOARD5 5.3.1.9 contains a Cross‑Site Scripting (XSS) flaw in the adm/menu_list_update.php me_link parameter (Menu Link). This allows remote attackers to inject arbitrary web script/HTML. Public details consistently reference the same vulnerability across multiple feeds; no exploit specifics ar...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00363
Exploits: 0 | References: 3 | Affected Software: 1

NVD
added 2019/07/18 3:15 p.m. | 14 views

CVE-2019-9230

An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.253. A cross-site scripting (XSS) vulnerability in the search function of the management web interface allows remote attackers to inject arbitrary web script o...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00223
Exploits: 0 | References: 1

NVD
added 2019/06/30 3:15 p.m. | 10 views

CVE-2019-11827

Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the objectid parameter...

CVSS: 6.5 | AI score: 6.2 | EPSS: 0.00133
Exploits: 0 | References: 1

Cvelist
added 2019/06/30 3:5 p.m. | 12 views

CVE-2019-11827

Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the objectid parameter...

CVSS: 6.5 | AI score: 6.2 | EPSS: 0.00133
Exploits: 0 | References: 1

CVE
added 2019/06/30 3:5 p.m. | 57 views

CVE-2019-11828

Synology Office’s Chart component is affected by a Cross‑Site Scripting (XSS) vulnerability in versions prior to 3.1.4-2771. The issue arises from insufficient client data validation, enabling remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Impact is web...

CVSS: 5.5 | AI score: 5 | EPSS: 0.00133
Exploits: 0 | References: 1 | Affected Software: 1

CNVD
added 2019/06/24 12:0 a.m. | 1 views

MantisBT Cross-Site Scripting Vulnerability (CNVD-2019-19293)

MantisBT is a Web-based open source defect tracking system of the MantisBT team. The system provides project management and defect tracking services in the form of Web operations. A cross-site scripting vulnerability exists in the View Filters and Edit Filter pages in MantisBT versions 2.1.0...

CVSS: 4.7 | AI score: 6.4 | EPSS: 0.00253
Exploits: 2 | References: 1

CVE
added 2019/06/20 1:18 p.m. | 106 views

CVE-2018-16514

CVE-2018-16514 is an XSS vulnerability in MantisBT versions 2.1.0–2.17.0 affecting the View Filters (view_filters_page.php) and Edit Filter (manage_filter_edit_page.php) pages. The issue allows remote attackers to inject arbitrary code through a crafted PATH_INFO, and is noted as a consequence of...

CVSS: 4.7 | AI score: 5.3 | EPSS: 0.00253
Exploits: 2 | References: 1 | Affected Software: 1

CVE
added 2019/05/13 1:48 p.m. | 63 views

CVE-2019-7411

CVE-2019-7411 affects the WordPress plugin MyThemeShop Launcher (version 1.0.8) with multiple stored XSS vectors. The vulnerability arises in several input fields (Title, Favicon, Meta Description, Subscribe Form labels, Contact Form labels, and Social Links URLs), allowing remote authenticated u...

CVSS: 5.4 | AI score: 5.1 | EPSS: 0.00116
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2019/05/08 4:29 p.m. | 8 views

CVE-2019-11564

A cross-site scripting (XSS) vulnerability in HumHub 1.3.12 allows remote attackers to inject arbitrary web script or HTML via a /protected/vendor/codeception/codeception/tests/data/app/view/index.php POST request...

CVSS: 6.1 | AI score: 5.7
Exploits: 0 | References: 2

CVE
added 2019/05/08 3:26 p.m. | 41 views

CVE-2019-11643

The CVE-2019-11643 issue affects the OneShield Policy (Dragon Core) framework prior to 5.1.10. It is a persistent Cross‑Site Scripting (XSS) vulnerability where malicious JavaScript can be injected into textboxes of type string and stored in the data store, enabling remote exploitation by both au...

CVSS: 6.1 | AI score: 6 | EPSS: 0.0088
Exploits: 0 | References: 2 | Affected Software: 1

0day.today
added 2019/04/18 12:0 a.m. | 735 views

Atlassian Confluence Widget Connector Macro Velocity Template Injection Exploit

Widget Connector Macro is part of Atlassian Confluence Server and Data Center that allows embedding online videos, slideshows, photostreams and more directly into a page. A template parameter can be used to inject remote Java code into a Velocity template, and gain code execution. Authentication is not...

CVSS: 10 | AI score: 9.9 | EPSS: 0.94471
Exploits: 20

NVD
added 2019/04/09 4:29 p.m. | 5 views

CVE-2018-15635

Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.0029
Exploits: 0 | References: 1

Prion
added 2019/04/09 4:29 p.m. | 9 views

Cross site scripting

Cross-site scripting vulnerability in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote attackers to inject arbitrary web script in the browser of an internal user of the system by tricking them into inviting a follower on a document with a...

CVSS: 4.3 | AI score: 6 | EPSS: 0.0029
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2019/03/18 7:42 p.m. | 35 views

CVE-2019-7299

CVE-2019-7299 concerns a stored XSS in the WP Support Plus Responsive Ticket System WordPress plugin, specifically in submit_ticket.php (path: wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/ajax/submit_ticket.php) for version 9.1.1. The vulnerability allows injection of arbi...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.0026
Exploits: 1 | References: 3 | Affected Software: 1

Veracode
added 2019/02/25 7:42 a.m. | 6 views

Cross-Site Scripting (XSS)

froala-editor is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser through the WYSIWYG editor by inserting a malicious link. This allows the attacker to steal session tokens or perform unwanted actions on behalf of the user...

AI score: 6.2
Exploits: 0

Cvelist
added 2019/02/20 3:0 p.m. | 16 views

CVE-2018-20241

The Edit upload resource for a review in Atlassian Fisheye and Crucible before version 4.7.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability in the wbuser parameter...

AI score: 5.3 | EPSS: 0.00196
Exploits: 0 | References: 3