WordPress Plugin Delete All Comments Arbitrary File Upload

On November 20th, while auditing a hacked WordPress website, we identified a critical vulnerability in the Delete All Comments WordPress plugin v2.0, which has over 30,000 active installations. Because a part of the delete-all-comments.php main script is not restricted to the administrator, any...

DEBIAN-CVE-2016-6333

Cross-site scripting XSS vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css...

CVE-2016-4888

Cross-site scripting XSS vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVE-2016-2104

Multiple cross-site scripting XSS vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via 1 the label parameter to admin/BunchDetail.do; 2 the packagename, 3 searchsubscribedchannels, or 4 channelfilter parameter to software/packages/NameOverview.d...

UBUNTU-CVE-2015-8864

Cross-site scripting XSS vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068...

CVE-2016-1179

Cross-site scripting XSS vulnerability in the standard template of the comment functionality in appleple a-blog cms 2.6.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML...

CVE-2017-3125

An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in the security context of the browser of a victim logged in FortiMail, assuming the victim is social engineered into clicking an URL crafted by the attacker...

Pixie Cross-Site Scripting Vulnerability

Pixie is an open source lightweight website content management system CMS. The system supports CSS themes, WYSIWYG editors and more. A cross-site scripting vulnerability exists in Pixie version 1.0.4, which stems from the program not properly validating user-submitted input. A remote attacker can...

Pixie cross-site scripting vulnerability (CNVD-2017-04817)

Pixie is an open source lightweight website content management system CMS. The system supports CSS themes, WYSIWYG editors and more. A cross-site scripting vulnerability exists in Pixie version 1.0.4. As the program fails to properly validate user-submitted input. A remote attacker can exploit th...

CherryMusic Cross-Site Scripting Vulnerability

CherryMusic is a music streaming server based on CherryPy and jPlayer. A cross-site scripting vulnerability exists in CherryMusic, which can be exploited by an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an affected site, due to the program...

Gazelle cross-site scripting vulnerability (CNVD-2017-05628)

Gazelle is a set of web frameworks for BitTorrent trackers. A cross-site scripting vulnerability exists in versions of Gazelle prior to 2017-03-19. A remote attacker can exploit the vulnerability to execute arbitrary HTML and script...

Nextcloud Server and ownCloud Server Cross-Site Scripting Vulnerabilities

ownCloud is a free and open source personal cloud storage solution from German company ownCloud. nextcloud is an open source self-hosted file synchronization and sharing communication application platform. ownCloud Server and Nextcloud Server are both a server version of one of them. A cross-site...

Revive Adserver Cross-Site Scripting Vulnerability (CNVD-2017-04905)

Revive Adserver is an open source advertising management system from the Revive Adserver team. The system provides ad placement, ad space management, data statistics and other functions. Revive Adserver has a cross-site scripting vulnerability. A remote attacker can exploit this vulnerability to...

Gazelle Cross-Site Scripting Vulnerability

Gazelle is a set of web frameworks for BitTorrent trackers. Gazelle suffers from a cross-site scripting vulnerability where the type parameter is not filtered in the Gazelle-master/sections/better/transcode.php file. A remote attacker can exploit this vulnerability to execute arbitrary HTML and...

CMS Made Simple Cross-Site Scripting Vulnerability (CNVD-2017-04705)

CMS Made Simple CMSMS is an open source content management system CMS developed by the CMSMS team. The system supports role-based rights management system , wizard-based installation and update mechanism , intelligent caching mechanism and so on. A cross-site scripting vulnerability exists in the...

IBM Call Center for Commerce Cross-Site Scripting Vulnerability

IBM Call Center for Commerce is a Web-based call center solution. The solution supports providing CSRs Customer Service Representatives with a single point of access to business information as well as comprehensive multi-channel interactions with customers. A cross-site scripting vulnerability...

CVE-2017-0110

Cross-site scripting XSS vulnerability in Microsoft Exchange Outlook Web Access OWA allows remote attackers to inject arbitrary web script or HTML via a crafted email or chat client, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability."...

DEBIAN-CVE-2016-10203

Cross-site scripting XSS vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor...

Air Transfer Cross-Site Scripting Vulnerability

Air Transfer Pro is an application for transferring files from your computer to your cell phone over a wireless network. Air Transfer suffers from a cross-site scripting vulnerability that allows remote attackers to exploit exploits to inject script code into client application requests with...

CVE-2017-5008

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed attacker controlled JavaScript to be run during the invocation of a private script method, which allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML pag...