InSite Troubleshooting Cross-Site Scripting

Class Input Validation Error CVE Remote Yes Local No Published Feb 14 2011 08:55AM Credit Dionach Vulnerable Kodak InSite 5.5.2 Kodak InSite is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execut...

Support Incident Tracker (SiT!) 3.62 - Multiple Cross-Site Scripting Vulnerabilities

Support Incident Tracker SiT! 3.62 - Multiple Cross-Site Scripting Vulnerabilities source: https://www.securityfocus.com/bid/46671/info Support Incident Tracker SiT! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker ma...

[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

waraxe-2010-SA078 - Multiple Vulnerabilities in CruxCMS 3.0.0 =============================================================================== Author: Janek Vind "waraxe" Date: 27. December 2010 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-78.html Affected Software: CruxCMS is a...

NoScript Cross Site Scripting Via SQL Injection

Hi List NoScript fails to detect the reflective XSS from trusted domains when an attack is conducted through SQLXSSI. The bypass in NoScript has been successfully conducted by using "Reflective XSS" through Union SQL poisoning attacks by exploiting the reverted errors in the browser. The attack...

Social-Engineer Toolkit v1.0 - Latest Version Download

The Social Engineer Toolkit SET has been updated to version 1.0! We wrote about the Social Engineer's Toolkit in our old post here. This release is called the Devolution Release. "The Social Engineering Toolkit SET is a python-driven suite of custom tools which solely focuses on attacking the hum...

CVE-2010-3700: Spring Security bypass of security constraints

CVE-2010-3700 - Spring Security - Bypassing of security constraints Severity: Important Vendor: SpringSource, a division of VMware Versions affected: Spring Security 3.0.0 to 3.0.3 Spring Security 2.0.0 t0 2.0.5 Acegi Security 1.0.0 to 1.0.7 Description: Spring Security does not consider URL path...

LES PACKS - 'ID' SQL Injection

source: https://www.securityfocus.com/bid/44457/info LES PACKS is prone to an SQL-injection vulnerability. An attacker can exploit this SQL-injection issue to carry out unauthorized actions on the underlying database, which may compromise the application and aid in further attacks...

Microsoft IIS FTP Server NLST Response Overflow

$Id: ms09053ftpdnlst.rb 10558 2010-10-05 23:39:14Z jduck $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...

Tiki Wiki CMS Groupware 5.2 - Multiple Vulnerabilities

source: https://www.securityfocus.com/bid/43507/info Tiki Wiki CMS Groupware is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerability using...

Mozilla Patches Firefox DLL Load Hijacking Bug

Mozilla has joined Apple in being among the first to fix the DLL load hijacking attack vector that continues to haunt hundreds of Windows applications. The open-source group released Firefox 3.6.9 with patches for a total of 15 vulnerabilities 11 rated critical, including the publicly known DLL...

Potential attack vector using attachments

Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...

Potential attack vector using attachments

Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...

Potential attack vector using attachments

Suspicious handling of attachment uploads with filenames containing quotes the quoted ended up being repeated and semicolons semicolon and all subsequent characters were stripped from filename...

Microsoft Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution

Microsoft Security Advisory 2269637 Insecure Library Loading Could Allow Remote Code Execution Published: August 23, 2010 Version: 1.0 General Information Executive Summary Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that...

New Firefox iFrame Bug Bypasses URL Protections

UPDATED–There is a bug in Mozilla’s flagship Firefox browser related to the way the browser handles obfuscated URLs in iFrames. However, a Mozilla official said the bug poses “very low” risk to users. Johnathan Nightingale of Mozilla said in a blog post late Tuesday that the bug poses little risk...

Macs CMS 1.1.4 - SearchString Cross-Site Scripting

Macs CMS 1.1.4 - SearchString Cross-Site Scripting source: https://www.securityfocus.com/bid/41529/info Mac's CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the...

Orbis CMS 1.0.2 - editor-body.php Cross-Site Scripting

Orbis CMS 1.0.2 - editor-body.php Cross-Site Scripting source: https://www.securityfocus.com/bid/41390/info Orbis CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in...

Critical PDF Reader Patch Fixes '/Launch' Command Attack Vector

Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac and UNIX users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF “/Launch”...

Spring Framework - Arbitrary code Execution

CVE-2010-1622: Spring Framework execution of arbitrary code Severity: Critical Vendor: SpringSource, a division of VMware Versions Affected: 3.0.0 to 3.0.2 2.5.0 to 2.5.6.SEC01 community releases 2.5.0 to 2.5.7 subscription customers Earlier versions may also be affected Description: The Spring...

Mass SQL Injection Attack Hits Sites Running IIS

There’s a large-scale attack underway that is targeting Web servers running Microsoft’s IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there’s no clear indication of who’s behind the campaign righ...