Cross-site request forgery in Django

Django 1.1.x before 1.1.4 and 1.2.x before 1.2.5 does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged AJAX requests that leverage a "combination of browser plugins...

CVE-2016-10549

Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests ...

CVE-2016-10549

Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests ...

Cross site scripting

Sails is an MVC style framework for building realtime web applications. Version 0.12.7 and lower have an issue with the CORS configuration where the value of the origin header is reflected as the value for the Access-Control-Allow-Origin header. This would allow an attacker to make AJAX requests ...

Healwire Online Pharmacy 3.0 - XSS / CSRF Vulnerabilities

Exploit for php platform in category web applications Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Exploit Author: L0RD Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?srank=1499 Version: 3.0 Tested on:...

Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery

Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Date: 2018-05-17 Exploit Author: L0RD Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?srank=1499 Version: 3.0 Tested on: windows POC 1 : Cross site scripting :...

CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

Cross site scripting

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

CVE-2017-6929

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

CVE-2017-6929

Removed by vendor...

Drupal 7.x < 7.57 Multiple Vulnerabilities (SA-CORE-2018-001)

According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.57. It is, therefore, affected by multiple vulnerabilities : - A flaw exists with the Drupal.checkPlain function due to improper handling of HTML injection. A remote attacker, with a...

CVE-2017-1000401

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation e.g. for API keys. The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations o...

Default credentials

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation e.g. for API keys. The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations o...

CSRF Protection Bypass in Ruby on Rails

Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery CSRF attacks via forged 1 AJAX or 2 API requests that...

Information Disclosure

Moodle is vulnerable to information disclosure. Authenticated attackers can get sensitive information from LTI Ajax requests because the moodle/course:manageactivities and the mod/lti:addinstance capabilities are not considered before registered-tool lists are searched...

Information Disclosure

piwik is susceptible to information disclosure. The library logs admin features using ajax requests with GET parameters rather than POST parameters. This can allow a malicious user with access to the logs to obtain sensitive information like tokenauth...

Cross-Site Scripting (XSS)

Overview Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. Recommendation Update to version 3.0.0 or later. References - Issu...

FreePBX Recordings Backdoor Upload

Added: 10/14/2016 Background FreePBX is a web-based open-source graphical user interface used to manage Asterisk PBX, an open-source communication server. The FreePBX System Recordings module allows playback of recorded files. Problem The System Recordings module in FreePBX 13 and 14 is vulnerabl...