Cisco Unified Communications Manager CVE-2019-12716 Cross Site Scripting Vulnerability
Description: Cisco Unified Communications Manager is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This...
Python CVE-2019-16935 CRLF Multiple Cross Site Scripting Vulnerabilities
Description: Python is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the...
WordPress Checklist 1.1.5 Cross Site Scripting
Class: Input Validation Error. Remote: Yes. Credit: Ricardo Sanchez. Vulnerable: Checklist 1.1.5. Checklist is prone to a reflected cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the...
WordPress Ellipsis Human Presence Technology 2.0.8 Cross Site Scripting
Class: Input Validation Error. Remote: Yes. Credit: Ricardo Sanchez. Vulnerable: Ellipsis human presence technology 2.0.8. Ellipsis human presence technology is prone to a reflected cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage...
WordPress Spryng Payments WooCommerce 1.6.7 Cross Site Scripting
Class: Input Validation Error. Remote: Yes. Credit: Ricardo Sanchez. Vulnerable: Spryng payments woocommerce 1.6.7. Spryng payments woocommerce is prone to a reflected cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to...
Jenkins Multiple Security Vulnerabilities
Description: Jenkins is prone to the following vulnerabilities: 1. An unauthorized-access vulnerability. 2. A cross-site request forgery vulnerability. An attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal...
Cross-site request forgery (CSRF)
Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie, and then using this cookie in a /guest/s/default/login request with the byfree parameter...
Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in Drupal core (CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-11358)
Summary: IBM API Connect has addressed the following vulnerability. Vulnerability Details: CVEID: CVE-2019-10911. DESCRIPTION: Drupal core could allow a remote attacker to bypass security restrictions, caused by a flaw in the cookie management. By using a specially-crafted cookie, an attacker could...
JQuery CVE-2019-11358 Cross Site Scripting Vulnerability
Description: JQuery is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the...
CVE-2019-11018
application\admin\controller\User.php in ThinkAdmin V4.0 does not prevent continued use of an administrator's cookie-based credentials after a password change...
Default credentials
application\admin\controller\User.php in ThinkAdmin V4.0 does not prevent continued use of an administrator's cookie-based credentials after a password change...
NetData 1.13.0 - HTML Injection
NetData 1.13.0 - HTML Injection Author: Marcelo Vázquez aka s4vitar NetData v1.13.0 HTML Injection Vulnerability Exploit Title: NetData v1.13.0 HTML Injection Vulnerability Date: 2019-03-14 Exploit Author: Marcelo Vázquez aka s4vitar Collaborators: Victor Lasa aka vowkin Vendor Homepage:...
Microsoft Skype for Business and Lync Server CVE-2019-0798 Spoofing Vulnerability
Description: Microsoft Skype for Business and Lync Server are prone to a spoofing vulnerability. An attacker can exploit this issue to conduct spoofing attacks and execute arbitrary script code in the context of the affected site. This can allow the attacker to steal cookie-based authentication...
Dropbox: Significant Two step verification Authentication Bypass
This report described a concern with our “Trust this Computer” feature in Dropbox web sign in. The way our “Trust this Computer” feature works, at a high level, is that while authenticating using 2FA, the user can request that this device be trusted in the future so they don’t have to use 2FA...
CVE-2018-1279
CVE-2018-1279 affects Pivotal RabbitMQ for PCF, all versions. The root cause is a deterministically generated authentication cookie that is shared across all nodes in a multi-tenant cluster. A remote attacker who can glean information about the network topology can guess this cookie and, if they ...
UCMS Administrator Password Change Vulnerability
UCMS is a content management system written in PHP. A security vulnerability exists in UCMS version 1.4.7, where the vulnerable program uses COOKIE'admin'.cookiehash for arbitrary cookie values. A remote attacker can exploit the vulnerability to change the administrator password...
Security Bulletin: Vulnerabilities in Apache Spark affect IBM Operations Analytics Predictive Insights (CVE-2018-8024, CVE-2018-1334)
Summary: Apache Spark is used by IBM Operations Analytics Predictive Insights. IBM Operations Analytics Predictive Insights has addressed the applicable CVEs. Note that the usage of Apache Spark within IBM Operations Analytics Predictive Insights is limited to the REST Mediation utility. If you do...
Security Bulletin: IBM API Connect is affected by multiple vulnerabilities in Drupal (CVE-2018-7603)
Summary: API Connect has addressed the following vulnerabilities. Vulnerability Details: CVEID: CVE-2018-7603. DESCRIPTION: The Search Autocomplete module for Drupal is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerabili...
zzcms SQL Injection Vulnerability (CNVD-2018-26018)
ZZCMS is a CMS (content management system) used to quickly build merchant-type websites. A SQL injection vulnerability exists in the zs/search.php file in ZZCMS version 8.3. A remote attacker can exploit this vulnerability to obtain the current MySQL database name with the help of the pxzs cookie...
CVE-2018-12455
Intelbras NPLUG 1.0.0.14 wireless repeater devices have a critical vulnerability that allows an attacker to authenticate in the web interface just by using "admin:" as the name of a cookie...