CVE-2015-5379: Axigen XSS vulnerability for html attachments

CVEID: CVE-2015-5379 SUBJECT: Axigen XSS vulnerability for html attachments DESCRIPTION: Axigen's WebMail Ajax interface implements a view attachment function that executes javascript code that is part of email HTML attachments. This allows a malicious user to craft email messages that could expo...

CVE-2015-2727

Mozilla Firefox 38.0 and Firefox ESR 38.0 allow user-assisted remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges via a crafted web site that is accessed with unspecified mouse and keyboard actions. NOTE: this vulnerability exists because of a...

Design/Logic Flaw

The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origi...

CVE-2015-0801

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818...

CVE-2015-0802

Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of ...

CVE-2015-0818

Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation...

WordPress Geo Mashup 1.8.2 Cross Site Scripting

Vulnerability title: Wordpress Geo Mashup plugin XSS Author: Paolo Perego CVE: CVE-2015-1383 Affected versions: = 1.8.2 Fixed version: 1.8.3 January, 11 2015 Product link: https://wordpress.org/plugins/geo-mashup/ Description Geo Mashup is a wordpress plugin designed to let you save location...

Design/Logic Flaw

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors...

CVE-2014-8636

CVE-2014-8636 affects Mozilla Firefox and SeaMonkey through an information flow bug in the XrayWrapper. The issue arises when interacting with a DOM object that has a named getter, allowing a remote attacker to cause arbitrary JavaScript execution with chrome privileges via unspecified vectors. A...

CVE-2014-8636

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors...

CVE-2014-7205

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors...

PHP MicroCMS 1.0.1 CSRF and XSS Vulnerabilities

No description provided by source. Vulnerability ID: HTB22765 Reference: http://www.htbridge.ch/advisory/xsrfcsrfinphpmicrocms.html Product: PHP MicroCMS Vendor: ApPHP http://www.apphp.com/ Vulnerable Version: 1.0.1 and probably prior versions Vendor Notification: 21 December 2010 Vulnerability...

Microsoft SharePoint Server 2007 XSS Vulnerability

No description provided by source. Vulnerability ID: HTB22350 Reference: http://www.htbridge.ch/advisory/xssinmicrosoftsharepointserver2007.html http://www.microsoft.com/technet/security/advisory/983438.mspx Product: Microsoft SharePoint Server 2007 Vendor: Microsoft Corporation Vulnerable Versio...

MS IE 4/5/5.5/5.0.1 external.NavigateAndFind() Cross-Frame Vulnerability

No description provided by source. Microsoft Internet Explorer 4.0 for WfW/Windows 3.1/Windows 95/Windows NT 3/Windows NT 4,Internet Explorer 5.0 for Windows 2000/Windows 95/Windows 98/Windows NT 4,Internet Explorer 5.5,Internet Explorer 5.0.1,Internet Explorer for Unix 5.0 external.NavigateAndFi...

Diferior 8.03 Multiple XSS Vulnerabilities

No description provided by source. Vulnerability ID: HTB22721 Reference: http://www.htbridge.ch/advisory/storedxsscrosssitescriptingvulnerabilityindiferior.html Product: Diferior Vendor: Povilas Musteikis http://www.diferior.com/ Vulnerable Version: 8.03 and probably prior versions Vendor...

frog cms 0.9.5 - Multiple Vulnerabilities

No description provided by source. Vulnerability ID: HTB22685 Reference: http://www.htbridge.ch/advisory/xsrfcsrfinfrogcms.html Product: Frog CMS Vendor: Philippe Archambault http://www.madebyfrog.com/ Vulnerable Version: 0.9.5 and probably prior versions Vendor Notification: 09 November 2010...

Design/Logic Flaw

The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page f...

CVE-2014-1510

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call...

CVE-2014-1885

The ForzeArmate application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain write access to external-storage resources, by leveraging control over any Google syndication advertising domain...

CVE-2014-1887

The DrinkedIn BarFinder application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain sensitive fine-geolocation information, by leveraging control over one of a number of adult sites, as demonstrated b...