6727 matches found
CVE-2018-0674
CVE-2018-0674 affects AttacheCase, a file‑encryption tool by HiBARA Software. Vulnerability: when a specially crafted AtcCase.ini is in the same folder as the ATC file, decryption can trigger execution of an arbitrary script, enabling a remote unauthenticated attacker to run code. Affected: Attac...
CVE-2018-0675
CVE-2018-0675 affects AttacheCase up to version 3.3.0.0 (and earlier). The vulnerability allows arbitrary script execution via crafted settings, specifically when a malicious ATCCase.ini is placed in the same folder as the ATC file and the file is decrypted. The root cause is tied to handling of ...
AttacheCase Arbitrary Code Execution Vulnerability
AttacheCase is a suite of file encryption software. An arbitrary code execution vulnerability exists in AttacheCase, which can be exploited by a remote, unauthenticated attacker to execute arbitrary scripts...
AttacheCase vulnerable to arbitrary script execution
Overview AttacheCase is an open source file encryption software provided by HiBARA Software. If a setting file AtcCase.ini is specially crafted and it resides in the same folder where ATC file resides, it is leveraged to execute an arbitrary script when ATC file is decrypted. Taizoh Tsukamoto of...
JVN#02037158: AttacheCase vulnerable to arbitrary script execution
AttacheCase is an open source file encryption software provided by HiBARA Software. If a setting file AtcCase.ini is specially crafted and it resides in the same folder where ATC file resides, it is leveraged to execute an arbitrary script when ATC file is decrypted. Impact A remote unauthenticat...
Movable Type vulnerable to cross-site scripting
Overview Movable Type provided by Six Apart, Ltd. is a content management system. Movable Type contains a cross-site scripting vulnerability (CWE-79). ASAI Ken reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact A...
DuckDuckGo: XSS in Subdomain of DuckDuckGo
A cross-site scripting vulnerability was discovered in a subdomain of DuckDuckGo. The subdomain had a Content Security Policy header intended to prevent script execution, but this could be bypassed in Internet Explorer. As a result, malicious scripts could be injected and executed in the...
Cisco Small Business 300 Series (Sx300) Managed Switches Cross-Site Scripting Vulnerability
Cisco Small Business 300 Series Sx300 Managed Switches is a 300 series switch device from the American company Cisco. A cross-site scripting vulnerability exists in the web-based management interface of the Cisco Small Business 300 Series Sx300 Managed Switches, which stems from the interfa...
CA API Developer Portal Cross-Site Scripting Vulnerability (CNVD-2018-17503)
CA API Developer Portal is a set of CA's API (Application Programming Interface) query functions for software developers. A cross-site scripting vulnerability exists in CA API Developer Portal version 4.x, versions prior to 4.2.5.3, and versions prior to 4.2.7.1, which originates when the program...
IBM Rational DOORS Next Generation Cross-Site Scripting Vulnerability
IBM Rational DOORS Next Generation (DNG/RRC) is a suite of software from IBM, USA, for capturing, tracking, analyzing, and managing requirements. The software provides a single platform for global team collaboration to manage requirements more efficiently, sharing unified users, servers and project...
Security Bulletin: Rational Host On-Demand administrative interface is vulnerable to DOM XSS (CVE-2015-5002)
Summary IBM Rational Host On-Demand administrative interface is vulnerable to DOM XSS in multiple parameters, caused by improper validation of user supplied input Vulnerability Details CVEID: CVE-2015-5002 DESCRIPTION: IBM Host On-Demand is vulnerable to cross-site scripting, caused by improper...
JVN#18716340: Multiple cross-site scripting vulnerabilities in GROWI
GROWI provided by WESEEK, Inc. contains multiple cross-site scripting vulnerabilities listed below. Stored cross-site scripting vulnerability in the UserGroup Management section of admin page CWE-79 - CVE-2018-0652 Version| Vector| Score ---|---|--- CVSS v3|...
Code Execution Vulnerability in the File Management System of Laoban CMS Backend
Laoban CMS (Laoban content management system) is an open source site-building system developed by Laoban for the PHP + MySQL environment. A code execution vulnerability exists in the backend file management of Laoban CMS. An attacker can exploit the vulnerability to...
Subrion cross-site scripting vulnerability (CNVD-2018-14782)
Subrion CMS is a PHP-based content management system (CMS) developed by the Subrion team. The system can be integrated into a website and supports a wide range of extensions, plug-ins and more. A cross-site scripting vulnerability exists in uploads/.htaccess in Subrion CMS version 4.2.1, which stems...
CVE-2017-7463
JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of...
Design/Logic Flaw
JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of...
WordPress Strong Testimonials Plugin Has Multiple Cross-Site Scripting Vulnerabilities
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP, which supports setting up personal blog sites on servers with PHP and MySQL. Multiple cross-site scripting vulnerabilities exist in the WordPress Strong Testimonials plugin, which can be exploited by an...
WordPress Gwolle Guestbook plugin cross-site scripting vulnerability (CNVD-2018-13972)
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP, which supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the WordPress Gwolle Guestbook plugin, which can be exploited by an attacker t...
Cisco Webex Cross-Site Scripting Vulnerability (CNVD-2018-14204)
Cisco WebEx is a set of Web conferencing tools from the American company Cisco that helps off-site office workers coordinate and collaborate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM). A cross-site scripting...
WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting
Overview The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...