6722 matches found
Kirby CMS 2.1.0 - Cross-Site Request Forgery / Content Upload / PHP Script Execution
Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: High. I. VULNERABILITY: Kirby CMS = 2.1.0 CSRF Content Upload and PHP Script Execution. II. BACKGROUND...
Kirby CMS multi-vulnerability analysis-vulnerability warning-the black bar safety net
Kirby CMS is an easy-to-use, easy-to-install and very flexible CMS that needs no database and stores its content in the file system. It supports Markdown syntax, templates and plug-ins. Vulnerability details: two vulnerabilities were found in Kirby CMS: 1. Authentication bypass via path traversal 2. Th...
Microsoft Exchange Server CVE-2015-2543 Spoofing Vulnerability
Description Microsoft Exchange Server is prone to a security vulnerability that may allow attackers to conduct spoofing attacks. An attacker can exploit this issue to conduct spoofing attacks and perform unauthorized actions; other attacks are also possible. The following versions are affected:...
Amazon Linux: Security Advisory (ALAS-2014-388)
The remote host is missing an update for the SPDX-FileCopyrightText: 2015 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
OpenDocMan vulnerable to cross-site scripting
Overview: OpenDocMan is a document management system (DMS). OpenDocMan contains a cross-site scripting vulnerability due to a processing flaw in the "redirection" parameter. Gen Sato of TRADE WORKS Co.,Ltd. Security Dept. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer...
BBS X102 vulnerable to cross-site scripting
Overview BBS X102 provided by guide-park.com is a bulletin board software. BBS X102 contains a cross-site scripting vulnerability. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this vulnerabili...
hitSuji (rktSNS2) vulnerable to cross-site scripting
Overview hitSuji rktSNS2 provided by rakuto.net is an open source SNS software. hitSuji rktSNS2 contains a cross-site scripting vulnerability. During the meeting of Committee for authorizing the disclosure of unresolved vulnerabilities held on May 26, 2015, it was judged that an advisory for this...
JVN#24692261: hitSuji (rktSNS2) vulnerable to cross-site scripting
hitSuji rktSNS2 provided by rakuto.net is an open source SNS software. hitSuji rktSNS2 contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's web browser. Solution: Consider discontinuing use of hitSuji rktSNS2 0.2.2b. Since the developer was unreachable,...
Drupal Search API Autocomplete Module Cross-Site Scripting Vulnerability
Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community. Search API Autocomplete is one of the modules used to add autocomplete functionality to search fields during searches and provide a list of suggestions. A cross-site scripting...
Trend Micro Deep Discovery Inspector Cross-Site Scripting Vulnerability
Trend Micro Deep Discovery Inspector is a set of protection products from Trend Micro that can detect and identify hard-to-find threats in real time and propose solutions. A cross-site scripting vulnerability exists in Trend Micro Deep Discovery Inspector, which arises from the program's failure ...
Adobe Flash Heap Use-After-Free In SurfaceFilterList::CreateFromScriptAtom
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072 VULNERABILITY DETAILS Copy Paste of Issue 480496 VERSION Chrome Version:...
Adobe Flash - Heap Use-After-Free in SurfaceFilterList::CreateFromScriptAtom
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072 VULNERABILITY DETAILS Copy Paste of Issue 480496 VERSION Chrome Version:...
Spree Commerce 'show.v1.rabl' File Inclusion Vulnerability
Spree (also known as Spree Commerce) is an open source e-commerce solution based on Ruby on Rails from Spree Commerce, Inc. of the United States. A file inclusion vulnerability exists in Spree Commerce. An attacker can exploit this vulnerability to obtain sensitive information and execute arbitrary scripts...
WordPress Plugin Eventbrite Tickets Cross-Site Scripting Vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress plugin Eventbrite Tickets. The vulnerability stems from a failur...
WordPress Flickr Justified Gallery plugin 'fjgwpp.php' cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP, which supports personal blog sites set up on servers with PHP and MySQL. Flickr Justified Gallery is a jQuery photo gallery plugin. A cross-site scripting vulnerability exist...
Git GitWeb HTML Injection Vulnerability
Git gitweb is a web-based management interface for git. An HTML injection vulnerability exists in Git GitWeb. Because the program fails to properly filter user-supplied input, an attacker could exploit the vulnerability to run executable HTML and script code in the context of an affected browser,...
Apple Mac OS X 'entity' Parameter Cross-Site Scripting Vulnerability
Apple Mac OS X is a commercial operating system. A cross-site scripting vulnerability exists in the Apple Mac OS X 'entity' parameter. Because the program fails to properly filter user-supplied input, an attacker could exploit the vulnerability to execute arbitrary script code in the browser of a...
WordPress Ephox Plupload Cross-Site Scripting Vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP, which supports setting up personal blog sites on PHP and MySQL servers. Ephox Plupload is a Web browser-based file upload module from Ephox, which supports displaying upload progress, automatic image...
Drupal OSF for Drupal Module Cross-Site Scripting Vulnerability
Drupal is a free, open-source content management system developed in PHP and maintained by the Drupal community. OSF for Drupal is one of the middle-tier modules that allows customization tools and data display for internally structured data RDF and related vocabularies ontologies. A cross-site...
Snorby 'view.html.erb' HTML Injection Vulnerability
Snorby is an open source web application for network security monitoring, built on Ruby on Rails, the Ruby-language web application framework. Snorby suffers from an HTML injection vulnerability that could be exploited by an attacker to cause the browser to execute arbitrary HTML or script...