141 matches found
Mailtraq WebMail 2.17.7.3550 Cross Site Scripting
Exploit Title: Persistent Cross Site Scripting XSS - Mailtraq WebMail version 2.17.7.3550 CVE: CVE-2019-9558 Exploit Author: Aloyce J. Makalanga Contact: https://twitter.com/aloycemjr Vendor Homepage: http://www.mailtraq.com/mail-server-software Category: webapps Attack Type: Remote Impact:...
TerraMaster TOS Session Fixation Vulnerability
TerraMaster TOS is a set of storage server special operating system based on Linux platform developed by Terra Master. The system supports file sharing, cloud data synchronization, data backup and virtualization. A session fixation vulnerability exists in the web application in TerraMaster TOS...
Majority of Sites Fail Mozilla's Comprehensive Security Review
A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technology that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking. The failing grades come from a comprehensive analysis published this week by t...
Verizon Patches XSS Issues in its Messaging Client
Verizon late last year patched a vulnerability in its Message+ messaging client that could have allowed an attacker to take over a session and possibly extend their reach into a user’s account management settings. Researcher Randy Westergren yesterday disclosed some details on the bug, which coul...
Storage-based Cross-site Scripting Vulnerability in Aisook General Enterprise Website Builder System
Aisok universal enterprise building system cicms is based on PHP + Mysql development of an enterprise website management system. A storage-based cross-site scripting vulnerability exists in the Aisook General Enterprise Website Builder System. The vulnerability is caused by the message function...
WordPress W3 Total Cache 0.9.4.1 Race Condition Vulnerability
An information disclosure vulnerability was found in the W3 Total Cache plugin. This issue allows an attacker to hijack sensitive information, such as the administrator's session cookie. Exploiting the vulnerability is possible during a short period of time when an administrator submits the suppo...
WordPress W3 Total Cache 0.9.4.1 Race Condition
------------------------------------------------------------------------ Information disclosure race condition in W3 Total Cache WordPress Plugin ------------------------------------------------------------------------ Sipke Mellema, July 2016...
e107 CMS 2.1.2 Privilege Escalation
Exploit Title: e107 CMS 2.1.2 Privilege Escalation Date: 09-11-2016 Software Link: http://e107.org/ Exploit Author: Kacper Szurek Contact: http://twitter.com/KacperSzurek Website: http://security.szurek.pl/ Category: webapps 1. Description Datas from $POST'updateddata' inside usersettings.php are...
Lack of Encryption Leads to Large Scale Cookie Exposure
LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers. Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an...
Citrix Netscaler 11.0 Build 64.35 Cross Site Scripting
PERSICON Security Advisory ======================================================================= Title: Login Form Hijacking vulnerability Product: Citrix Netscaler Vulnerable Version: 11.0 Build 64.35 Fixed Version: 11.0 Build 66.11 CVE-ID: CVE-2016-4945 Impact: medium found: 2015-04-07 by: Dr...
Visual Paradigm Server 10.0 Cross Site Scripting
================================================================ Visual Paradigm Server v10.0 - Cross Site Scripting XSS ================================================================ Information -------------------- Name: Visual Paradigm Server v10.0 - Cross Site Scripting XSS Affected Softwar...
HSTS Missing From HTTPS Server
The remote HTTPS server is not enforcing HTTP Strict Transport Security HSTS. HSTS is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and...
chromium: multiple issues
CVE-2015-1235 cross-origin bypass A vulnerability was discovered that allows cross-origin-bypass in the HTML parser. - CVE-2015-1236 cross-origin bypass A vulnerability was discovered that allows cross-origin-bypass in the rendering engine Blink. - CVE-2015-1237 arbitrary code execution An...
CVE-2015-2296
The resolveredirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect...
Cookie hijacking: Internet Explorer UXSS (CVE-2015-0072)
Cookie hijacking: Internet Explorer UXSS CVE-2015-0072 Host below files on webserver attacker.com and share the exploit link with victims, exploit.php --- exploit link Share with victim redirect.php --- Script to redirect on target page target page should not contain X-Frame-Options or it will fa...
Microsoft Internet Explorer Universal XSS Proof Of Concept
Cookie hijacking: Internet Explorer UXSS CVE-2015-0072 Host below files on webserver attacker.com and share the exploit link with victims, exploit.php --- exploit link Share with victim redirect.php --- Script to redirect on target page target page should not contain X-Frame-Options or it will fa...
PHPNuke AddOn PHPToNuke.PHP 1.0 Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/3807/info phptonuke.php is a PHPNuke AddOn script to insert a PHP script into the middle of a PHPNuke site. It is written and maintained by Lebios. It is possible for a malicious user to create a link to the phptonuke.php...
PHP TopSites 2.0/2.2 help.php Cross Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6622/info A vulnerability has been discovered in PHP TopSites. Due to invalid sanitization of user-supplied input by the 'help.php' script, it may be possible for an attacker to steal another users cookie information or...
PHP-Nuke 6.0 - Multiple Cross Site Scripting Vulnerabilities
No description provided by source. source: http://www.securityfocus.com/bid/6409/info It has been discovered that multiple PHP scripts used by PHP-Nuke are vulnerable to cross-sitescripting attacks. Due to insufficient sanitization of web requests it is possible for script code to be embedded in...
CTERA 3.2.29.0 and 3.2.42.0 - Stored XSS
No description provided by source. 恶意用户可以修改项目文件夹描述进行XSS攻击和HTML注入(添加链接、图片和按钮等)。 因为项目文件夹时被不同用户共享,该漏洞可以用来抓取会话cookie。 创建一个项目文件夹并添加下面的描述(根据版本修改特定路径):...