
4197 matches found

Microsoft CVE
added 2018/11/13 8:0 a.m., 23 views

Team Foundation Server Remote Code Execution Vulnerability

A remote code execution vulnerability exists when Team Foundation Server (TFS) does not enable basic authorization on the communication between the TFS and Search services. Without basic authorization, an attacker could run certain commands on the Search service. The security update addresses the...

CVSS 9.8 | AI score 3.6 | EPSS 0.13455
Exploits: 0
CVE
added 2018/10/30 6:0 a.m., 76 views

CVE-2018-18830

MCMS 4.6.5 is affected by a flaw in com\mingsoft\basic\action\web\FileAction.java where the upload interface does not verify login status, allowing an attacker to upload JSP content disguised as a .png file and then coerce a suffix change to .jsp to access a stored path and execute arbitrary JSP ...

CVSS 9.8 | AI score 9.7 | EPSS 0.01205
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2018/10/29 12:29 p.m., 16 views

CVE-2018-18720

An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5...

CVSS 4.8 | AI score 4.9 | EPSS 0.00559
Exploits: 1 | References: 1
OSV
added 2018/10/29 12:29 p.m., 4 views

CVE-2018-18720

An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5...

CVSS 4.8 | AI score 5.8 | EPSS 0.00559
Exploits: 1 | References: 1
Prion
added 2018/10/29 12:29 p.m., 16 views

Cross site scripting

An XSS issue was discovered in index.php/admin/system/basic in YUNUCMS 1.1.5...

CVSS 3.5 | AI score 4.8 | EPSS 0.00559
Exploits: 1 | References: 1 | Affected Software: 1
CNVD
added 2018/10/29 12:0 a.m., 3 views

YUNUCMS cross-site scripting vulnerability (CNVD-2018-23272)

YUNUCMS is an open source content management system (a three-network, self-substation system). YUNUCMS 1.1.5 has a cross-site scripting vulnerability in index.php/admin/system/basic, which attackers can exploit to carry out cross-site attacks...

CVSS 4.8 | AI score 4.8 | EPSS 0.00559
Exploits: 1 | References: 1
n0where
added 2018/10/28 1:32 a.m., 292 views

Mutiny Fuzzing Framework

The Mutiny Fuzzing Framework is a network fuzzer that operates by replaying PCAPs through a mutational fuzzer. The goal is to begin network fuzzing as quickly as possible, at the expense of being thorough. The general workflow for Mutiny is to take a sample of legitimate traffic, such as a browse...

AI score 7
Exploits: 0 | References: 3
Prion
added 2018/10/22 1:29 a.m., 11 views

Design/Logic Flaw

Leanote 2.6.1 has XSS via the Blog Basic Setting title field, which is mishandled during rendering of the "likes" page...

CVSS 4.3 | AI score 6 | EPSS 0.00865
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2018/10/22 1:0 a.m., 44 views

CVE-2018-18553

Leanote 2.6.1 is affected by a cross-site scripting (XSS) vulnerability in the Blog Basic Setting title field, exploitable via rendering of the Likes page. The issue stems from mishandling the title field during page rendering, allowing injected scripts/HTML to execute in affected contexts. Pub...

CVSS 6.1 | AI score 6 | EPSS 0.00865
Exploits: 1 | References: 1 | Affected Software: 1
ThreatPost
added 2018/10/12 5:1 p.m., 105 views

Microsoft Zero-Day Patch for JET Bug Incomplete, Claims Firm

UPDATE Microsoft patched a zero-day in its JET Database Engine this week – but the patch was incomplete, according to researchers at 0patch. The company has developed a micropatch that corrects that hole, it said Friday. The memory corruption vulnerability CVE-2018-8423 could allow remote...

CVSS 9.3 | AI score 7.9 | EPSS 0.32705
Exploits: 2 | References: 4
Carbon Black Blog
added 2018/10/04 6:13 p.m., 17 views

China Chip Hack Shines Spotlight on Hardware and Supply-Chain Risk

Recent revelations in the press regarding hardware implants and supply-chain compromise are troubling and should be seen as an opportunity to assess our current threat model and security approach. This recently revealed situation is the hardware analogue to the software supply chain compromises w...

AI score 7.3
Exploits: 0
Wired Threat Level
added 2018/10/02 2:12 p.m., 55 views

The Facebook Hack Is an Internet-Wide Failure

Major sites using Facebook's Single Sign-On don't implement basic security features, potentially making the fallout of last week's hack much worse...

AI score 2.9
Exploits: 0
IBM Security Bulletins
added 2018/09/29 8:22 p.m., 18 views

Security Bulletin: CVE-2017-7660: Security Vulnerability in secure inter-node communication in Apache Solr

Summary A potential security vulnerability has been identified for systems that are set up to use basic authentication. The version of Solr that is included with both IBM i2 Enterprise Insight Analysis and IBM i2 Analyze is affected, and has been patched in the latest fix pack. Vulnerability...

AI score 1.6 | EPSS 0.05526
Exploits: 1 | Affected Software: 2
BDU FSTEC
added 2018/09/21 12:0 a.m., 2 views

The vulnerability of the PAC Control Basic and PAC Control Professional industrial automation software, caused by buffer overflow in the stack, allows a hacker to execute arbitrary code.

The vulnerability of the PAC Control Basic and PAC Control Professional industrial automation software arises due to a buffer overflow in the stack. Exploiting this vulnerability allows an attacker to execute arbitrary code...

CVSS 8.4 | AI score 6.3
Exploits: 0 | References: 4
Github Security Blog
added 2018/09/17 9:57 p.m., 19 views

Moderate severity vulnerability that affects actionpack

Withdrawn, accidental duplicate publish. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and...

CVSS 4.3 | AI score 5.4 | EPSS 0.04857
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2018/09/17 9:57 p.m., 6 views

GHSA-VWFG-QJ3R-6V3R Moderate severity vulnerability that affects actionpack

Withdrawn, accidental duplicate publish. The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and...

CVSS 4.3 | AI score 5.7 | EPSS 0.04857
Exploits: 0 | References: 2
OSV
added 2018/09/02 6:29 p.m., 3 views

CVE-2018-16337

An issue was discovered in Cscms V4.1.8. There is a CSRF vulnerability that can modify a website's basic configuration via upload/admin.php/setting/save...

CVSS 6.5 | AI score 5.8 | EPSS 0.00447
Exploits: 1 | References: 1
ThreatPost
added 2018/08/29 5:55 p.m., 25 views

High-Severity Flaws Patched in Schneider Electric Products

Schneider Electric has released fixes for a slew of vulnerabilities that can be exploited remotely in two of its industrial control system products. The two flaws, which exist in Schneider Electric’s power management system, PowerLogic PM5560, and its programmable logic controller, Modicon M221,...

CVSS 7.5 | AI score 2.2 | EPSS 0.02478
Exploits: 0 | References: 4
ICS
added 2018/08/28 12:0 a.m., 194 views

Schneider Electric Modicon M221

1. EXECUTIVE SUMMARY CVSS v3 4.8 ATTENTION: Exploitable remotely Vendor: Schneider Electric Equipment: Modicon M221 Vulnerability: Improper Check for Unusual or Exceptional Conditions 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthorized user to remotely...

CVSS 7.8 | AI score 7.7 | EPSS 0.02797
Exploits: 1 | References: 5
CNVD
added 2018/08/07 12:0 a.m., 4 views

PHP Scripts Mall Basic B2B Script Cross-Site Scripting Vulnerability

PHP Scripts Mall Basic B2B Script is a B2B website system script from PHP Scripts Mall India. A cross-site scripting vulnerability exists in PHP Scripts Mall Basic B2B Script version 2.0.0, which can be exploited by remote attackers to inject scripts via the First name, Last name, City, State, or...

CVSS 5.4 | AI score 5.4 | EPSS 0.00663
Exploits: 4 | References: 1