Cisco Iframe Injection

Dear Support, I have found iframe injection on newsroom.cisco.com. Affected URL: http://newsroom.cisco.com/blair-christie?articleId=%27%22%3E%3Ciframe%20src=%22http://www.avsecurity.in%22%20width=%221000%22%20height=%221000%22%3E/ Below are the description for the same. IFrame Injection: Using...

WordPress plugins wp-catpro arbitrary file upload-vulnerability warning-the black bar safety net

----------------------------------------------------------------------- Wordpress plugins - wp-catpro Arbitrary File Upload Vulnerability ----------------------------------------------------------------------- Author = Zikou-1 6 Mailbox = [email protected] Test System : Windows 7 , Backtrack 5r3...

jenkins -- HTTP access to the server to retrieve the master cryptographic key

Jenkins Security Advisory reports: This advisory announces a security vulnerability that was found in Jenkins core. An attacker can then use this master cryptographic key to mount remote code execution attack against the Jenkins master, or impersonate arbitrary users in making REST API calls. The...

BloofoxCMS 0.3.5 - Multiple Cross-Site Scripting Vulnerabilities

source: https://www.securityfocus.com/bid/56353/info bloofoxCMS is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context ...

Steam Gaming Platform Vulnerable to Remote Exploits; 50 Million at Risk

More than 50 million users of the Steam gaming and media distribution platform are at risk for remote compromise because of weaknesses in the platform’s URL protocol handler, a pair of researchers at ReVuln wrote in a paper released this week. Luigi Auriemma and Donato Ferrante discovered a numbe...

Critical issues affecting Steam users

We have just released a paper 1, in which we prove that the current implementation of the Steam Browser Protocol handling mechanism is an excellent attack vector to exploit local issues in a remote fashion. Steam 2 is the biggest gaming related digital delivery platform with an audience of more...

AxisInternet VoIP Manager - Multiple Cross-Site Scripting Vulnerabilities

AxisInternet VoIP Manager - Multiple Cross-Site Scripting Vulnerabilities source: https://www.securityfocus.com/bid/55589/info AxisInternet VoIP Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamical...

minimal Gallery - 'index.php' Multiple Cross-Site Scripting Vulnerabilities

source: https://www.securityfocus.com/bid/55577/info minimal Gallery is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user i...

PT-2012-1362 · 3D · 3D Eqsecure Professional Edition

Name of the Vulnerable Software and Affected Versions: 3D EQSecure Professional Edition version 4.2 Description: A race condition in the software allows local users to bypass kernel-mode hook handlers and execute dangerous code that would otherwise be blocked by a handler but not blocked by...

OpenDocMan 1.2.6.1 Cross Site Request Forgery

Exploit Title: OpenDocMan Password Change CSRF Date: 22/08/2012 Exploit Author: Shai rod @NightRang3r Vendor Homepage: http://www.opendocman.com/ Software Link: https://github.com/downloads/opendocman/opendocman/opendocman-1.2.6.1.tar.gz Version: 1.2.6.1 Gr33Tz: @aviadgolan , @benhayak,...

JPM Article Blog Script 6 - tid Cross-Site Scripting

JPM Article Blog Script 6 - tid Cross-Site Scripting source: https://www.securityfocus.com/bid/55112/info JPM Article Blog Script 6 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary...

CakePHP / Squiz CMS XXE Injection

Hello! I'll give you additional information concerning advisories CakePHP 2.x-2.2.0-RC2 XXE Injection http://securityvulns.ru/docs28331.html and Squiz CMS Multiple Vulnerabilities http://securityvulns.ru/docs28220.html. It's about XXE Injection in CakePHP and Squiz CMS. Similarly to earlier...

Design/Logic Flaw

The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via...

Flogr - tag Multiple Cross-Site Scripting Vulnerabilities

Flogr - tag Multiple Cross-Site Scripting Vulnerabilities source: https://www.securityfocus.com/bid/54354/info Flogr is prone to multiple unspecified cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute...

http-phpself-xss NSE Script

Crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $SERVER"PHPSELF". This script crawls the webserver to create a list of PHP files and then sends an attack vector/probe to identify PHPSELF cross site scripting vulnerabilities. PHPSELF...

Western Digital's WD TV Live SMP/Hub - Privilege Escalation

Introduction ============ The WD TV Live Streaming Media Player is a consumer device to play various audio and video formats. Additionally it allows access to multiple video streaming services like Netflix, Hulu or Youtube.1 The device allows customization of its user interface and limited remote...

Strato Newsletter Manager Directory Traversal

STRATO Newsletter Manager is vulnerable against Directory Traversal Vendor: www.strato-cgi.de Google Dork: inurl:"newsletter.php.cgi" Exploit: http://server/cgi-bin/newsletter.php.cgi?PHPSESSID=af92ed633ae0d06d1e24d22520f709f7&action=nlshow&nl=../../../../../../../../../../../../../../etc/passwd...

struts2 xsltResult Local code execution vulnerability

the file: http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java String pathFromRequest = ServletActionContext.getRequest.getParameter"xslt.location"; path = pathFromRequest; URL resource =...

ManageEngine Firewall Analyzer 7.2 - 'fw/mindex.do?url' Cross-Site Scripting

source: https://www.securityfocus.com/bid/52841/info Firewall Analyzer is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the...

Singapore 0.10.1 - gallery Cross-Site Scripting

Singapore 0.10.1 - gallery Cross-Site Scripting source: https://www.securityfocus.com/bid/52399/info singapore is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of ...