CVE-2017-1000145
Mahara up to 1.9.7, 1.10 up to 1.10.5, and 15.04 up to 15.04.2 are vulnerable to anonymous comments on artefact detail pages even when anonymous comments are disallowed. The issue affects the artefact detail page comment handling and is described consistently across multiple sources (CVE-2017-100...
Kallithea < 0.3.2 Multiple Vulnerabilities
Kallithea is prone to multiple vulnerabilities. CPE = "cpe:/a:kallithea:kallithea"; ifdescripti...
Cross site scripting
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 allows attackers to execute unauthorized code or commands via 'Comments' while saving Config Revisions...
VK.com: XSS in comments posted on behalf of a community
XSS in the community-selection dropdown when posting a comment...
[SECURITY] Fedora 26 Update: augeas-1.8.1-1.fc26
A library for programmatically editing configuration files. Augeas parses configuration files into a tree structure, which it exposes through its public API. Changes made through the API are written back to the initially read files. The transformation works very hard to preserve comments and...
Design/Logic Flaw
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation...
CVE-2017-13671
app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent XSS via comments. It only impacts the users of the same instance because the comment field is not part of the MISP synchronisation...
Drupal Patches Critical Access Bypass Bug
Website management platform Drupal released several patches that address access bypass vulnerabilities in its Drupal 8 Core engine Wednesday, fixing one critical and two moderately critical security bugs. The most serious of the vulnerabilities is the access bypass vulnerability CVE-2017-6925 in...
Dropbox: Missing URL sanitization in comments can be leveraged for phishing
The report points out that a link in a shared file's comments could say one thing in the text but actually point to another website. This is a risk we have always accepted: the document preview could also contain links, and the legitimate links could point to shorteners. Additionally, Dropbox Paper supports...
Information Disclosure
Moodle is vulnerable to information disclosure attacks. When viewing comments on a blog post, there is no verification of viewing permissions. This allows attackers to read the comments that can potentially contain sensitive information...
WakaTime: HTML - injection
Hello, try to write this Done test in the comments; it will run. https://wakatime.com/blog/26-download-your-team-activity-as-csvcomments...
Code injection
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Confluence could receive workbox notifications, which contain the content of comments, for comments add...
CVE-2017-9505
Atlassian Confluence, versions 4.3.0 up to 6.2.1, is vulnerable to an access-control bypass when creating a workbox notification for new comments. The root cause is a failure to verify the viewer's permission for the page, allowing an authenticated attacker who can log in to receive workbox notifica...
Cross-Site Scripting Vulnerability in NexusPHPV1.5 (Current Version)
NexusPHPV1.5 is a system used by private tracker (PT) sites in China. The current version of NexusPHPV1.5 has a cross-site scripting vulnerability. Attackers can use it to insert cross-site scripting payloads into the message, comment, private message and other pages; when a user clicks on the cross-site...
How to bypass libinjection in many WAF/NGWAF
Before we start, libinjection is a very popular open-source project created by Nick Galbreath from Signal Sciences. A lot of WAFs and NGWAFs use this library instead of regular expressions because of performance. For example, modsecurity since version 2.7.4 supports libinjection by two operators ...
Information Disclosure
github.com/justwatchcom/gopass is vulnerable to information disclosure. The password is shown in terminal output by default when a show action is performed to read usernames or comments in a password entry...
CVE-2016-3114
Kallithea before 0.3.2 allows remote authenticated users to edit or delete open pull requests or delete comments by leveraging read access...