6727 matches found

Prion
added 2019/07/14 6:15 p.m. · 14 views

Command injection

s/sprm/s/dyn/PlayersetScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run ".sah" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute commands on the server using the execute function...

7.5 CVSS · 9.6 AI score · 0.14349 EPSS
Exploits 1 · References 2 · Affected Software 1

NVD
added 2019/07/11 8:15 p.m. · 20 views

CVE-2019-12578

A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpnlauncher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the...

7.8 CVSS · 7.7 AI score · 0.00808 EPSS
Exploits 1 · References 1

CNVD
added 2019/07/09 12:0 a.m. · 2 views

MiniCMS Cross-Site Scripting Vulnerability (CNVD-2019-23979)

MiniCMS is a content management system (CMS) designed for personal websites. A cross-site scripting vulnerability exists in the mc-admin/post-edit.php file in MiniCMS version 1.10. The vulnerability stems from the lack of proper validation of client-side data by the web application. An attacker can...

4.8 CVSS · 6.4 AI score · 0.00622 EPSS
Exploits 1 · References 1

OSV
added 2019/07/06 2:15 a.m. · 1 views

CVE-2019-1931

Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The...

6.1 CVSS · 6.5 AI score · 0.01057 EPSS
Exploits 0 · References 1

Positive Technologies
added 2019/07/03 12:0 a.m. · 2 views

PT-2019-2656 · Cisco · Cisco Firepower Management Center

Name of the Vulnerable Software and Affected Versions: Cisco Firepower Management Center (affected versions not specified)
Description: The issue is related to insufficient validation of user-supplied input by the web-based management interface, which could allow an unauthenticated, remote attacker...

6.4 CVSS · 6.4 AI score · 0.01057 EPSS
Exploits 0 · References 5

RedHat Linux
added 2019/06/20 2:47 p.m. · 1 views

bootstrap: XSS in the affix configuration target property

A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hostin...

6.1 CVSS · 6.8 AI score · 0.03984 EPSS
Exploits 1 · References 4

CNVD
added 2019/06/20 12:0 a.m. · 3 views

Cisco Prime Service Catalog Input Validation Error Vulnerability

Cisco Prime Service Catalog (PSC) is a service catalog solution from Cisco that provides all IT services through a single portal. The solution supports automated ordering of a unified service catalog for compute, network, storage, and other data center resources. An input validation error...

4.8 CVSS · 7.8 AI score · 0.00878 EPSS
Exploits 0 · References 1

NVD
added 2019/06/19 10:15 p.m. · 17 views

CVE-2017-14395

OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS...

6.1 CVSS · 6.4 AI score · 0.00793 EPSS
Exploits 0 · References 1

Prion
added 2019/06/19 10:15 p.m. · 16 views

Cross site scripting

OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS...

4.3 CVSS · 6.4 AI score · 0.00793 EPSS
Exploits 0 · References 1 · Affected Software 2

BDU FSTEC
added 2019/06/18 12:0 a.m. · 3 views

The vulnerability of the Microprogramming Software of the ConneXium TSXETG100 firewall lies in the insufficient protection of the web page structure, allowing attackers to execute arbitrary scripts within the user’s web interface.

The vulnerability of the Microprogrammed Software for the ConneXium TSXETG100 firewall lies in the insufficient protection of the web page structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary scripts in the context of the current web interface user, using a...

6.1 CVSS · 5.8 AI score · 0.00793 EPSS
Exploits 0 · References 3

OSV
added 2019/06/14 7:29 p.m. · 2 views

CVE-2019-0303

SAP BusinessObjects Business Intelligence Platform Administration Console, versions 4.2, 4.3, module BILogon/appService.jsp is reflecting requested parameter errMsg into response content without sanitation. This could be used by an attacker to build a special url that execute custom JavaScript co...

6.1 CVSS · 6.4 AI score · 0.008 EPSS
Exploits 0 · References 2

Cvelist
added 2019/06/12 1:45 p.m. · 42 views

CVE-2019-3872

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks...

5.4 CVSS · 6.9 AI score · 0.00697 EPSS
Exploits 0 · References 2

Metasploit
added 2019/06/10 3:29 p.m. · 15 views

Cisco Prime Infrastructure Runrshell Privilege Escalation

This module exploits a vulnerability in Cisco Prime Infrastructure's runrshell binary. The runrshell binary is meant to execute a shell script as root, but can be abused to inject extra commands in the argument, allowing you to execute anything as root. This module requires Metasploit:...

1.1 AI score
Exploits 0

Japan Vulnerability Notes
added 2019/06/10 6:31 a.m. · 2 views

Multiple vulnerabilities in WordPress Plugin "Attendance Manager"

Overview: WordPress Plugin "Attendance Manager" provided by SUKIMALAB.COM contains multiple vulnerabilities listed below.
Stored cross-site scripting vulnerability (CWE-79) - CVE-2019-5970
Cross-site request forgery vulnerability (CWE-352) - CVE-2019-5971
Natsumi Matsuoka of Cryptography...

8.8 CVSS · 6.2 AI score · 0.01596 EPSS
Exploits 0 · References 9

OSV
added 2019/06/05 7:29 p.m. · 4 views

CVE-2019-6800

In TitanHQ SpamTitan through 7.03, a vulnerability exists in the spam rule update function. Updates are downloaded over HTTP, including scripts which are subsequently executed with root permissions. An attacker with a privileged network position is trivially able to inject arbitrary commands...

7.5 CVSS · 7.2 AI score · 0.013 EPSS
Exploits 1 · References 2

Positive Technologies
added 2019/06/05 12:0 a.m. · 3 views

PT-2019-18694 · Prima Systems · Flexair

Name of the Vulnerable Software and Affected Versions: Prima Systems FlexAir versions 2.3.38 and prior
Description: The issue arises from parameters sent to scripts not being properly sanitized before being returned to the user. This may allow an attacker to execute arbitrary code in a user’s...

9 CVSS · 7.3 AI score · 0.08256 EPSS
Exploits 5 · References 7

Cvelist
added 2019/06/04 8:12 p.m. · 33 views

CVE-2018-13380

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.7, 5.4.0 to 5.4.12, 5.2 and below and Fortinet FortiProxy 2.0.0, 1.2.8 and below under SSL VPN web portal allows attacker to execute unauthorized malicious script code via the error or message handling...

4.7 CVSS · 6 AI score · 0.62474 EPSS
Exploits 0 · References 2

Japan Vulnerability Notes
added 2019/05/31 4:51 a.m. · 3 views

Multiple vulnerabilities in WordPress Plugin "Zoho SalesIQ"

Overview: WordPress Plugin "Zoho SalesIQ" provided by Zoho SalesIQ Team contains multiple vulnerabilities listed below.
Cross-site Scripting (CWE-79) - CVE-2019-5962
Cross-site Request Forgery (CWE-352) - CVE-2019-5963
Kouhei Ikeda of Cryptography Laboratory, Department of Information and Communication...

8.8 CVSS · 6.6 AI score · 0.01587 EPSS
Exploits 0 · References 9

CNVD
added 2019/05/31 12:0 a.m. · 3 views

Kanboard Cross-Site Scripting Vulnerability

Kanboard is a suite of open source visual task board software. The software is able to customize the panels according to the business. A cross-site scripting vulnerability exists in the app/Core/Paginator.php file in versions prior to Kanboard 1.2.8. A remote attacker can exploit this...

6.1 CVSS · 6.4 AI score · 0.01283 EPSS
Exploits 1 · References 1

OSV
added 2019/05/28 7:29 p.m. · 4 views

CVE-2018-13375

An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0 and below allows an attacker to send DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in...

6.1 CVSS · 5.8 AI score · 0.00647 EPSS
Exploits 0 · References 1