107 matches found
CVE-2014-0169
In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an...
CVE-2014-0169
CVE-2014-0169 affects JBoss EAP 6: a security domain uses a cache shared across all applications in the domain, enabling an authenticated user from one application to access resources in another without proper authorization. Root cause cited as lack of clear documentation on cache isolation betwe...
Mail.ru: Cross application scripting via account.mail.ru
Crossapplication scripting via User-Agent on push login confirmation functionality in mobile application in the context of account.mail.ru domain allowed session hijacking with minimal user interaction...
Security Bulletin: IBM Mobile Foundation, IBM Worklight, and IBM Worklight Foundation are affected by the following Apache Cordova vulnerabilities: CVE-2014-3500, CVE-2014-3501 and CVE-2014-3502
Summary Apache Cordova, which is used by these products, is vulnerable to Cross-Application Scripting XAS and Data Exfiltration vulnerabilities. A remote attacker might exploit these vulnerabilities to expose sensitive data from the mobile application. Vulnerability Details CVEID: CVE-2014-3500...
Mail.ru: XSS на e.mail.ru в мобильном приложении!
Cross application scripting via message content in mobile mail application. Vulnerability affected a limited number of external domains connected in Mail.Ru mail application. Users of Mail.Ru mailboxes and largest mailbox providers were not affected, no access to confidential data was possible as...
UBUNTU-CVE-2017-5648
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was...
Harvest: Leak of all project names and all user names , even across applications
Summary ------------ All project names and user names can be leaked, even cross application. Steps to reproduce ------------ 1. Create a new expense, this should generate a POST request like this: bash POST /api/v2/expenses?userid=1340164 HTTP/1.1 Host: 8888sasdf.harvestapp.com - snip -...
Tomcat/JBossWeb: XML parser hijack by malicious web application
It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by JBoss Web / Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors TLDs, and tag plug-in configuration files. The injected XML...
Microsoft Lync information leakage
Cross application scripting...
SPI Dynamics WebInspect 5.0.196 Cross Application Script Injection Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/14385/info WebInspect is vulnerable to a cross-application script injection vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied data prior to including it in content rendere...
KDE <= 4.4.1 Ksysguard RCE via Cross Application Scripting
No description provided by source. Exploit Title: Ksysguard RCE via Cross Application Scripting Date: 2010 03 20 Author: Emanuele 'emgent' Gentili Code: http://www.backtrack.it/emgent/exploits/20100320KsysguardRCECAS.txt Version: = 4.4.1 CVE : N/A Vendor: http://www.kde.org Video:...
Ziepod+ 1.0 Cross Application Scripting
No description provided by source. !/usr/bin/python import thread import socket |------------------------------------------------------------------| | | | / / / / | | / / / / / / / \ / / / / \ | | / // // / / / / / // / / / / / // / // / / / / / / | | /// //,// // //,// // // | | | |...
UBUNTU-CVE-2014-0119
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to 1 read arbitrary files via a crafted web application that provides an XML external entity...
Chrome for Android - UXSS via com.android.browser.application_id Intent extra
CVE Number: CVE-2012-4905 Title: Chrome for Android - UXSS via com.android.browser.applicationid Intent extra Affected Software: Confirmed on Chrome for Android v18.0.1025123 Credit: Takeshi Terada Issue Status: v18.0.1025308 was released which fixes this vulnerability Overview: By sending a...
Mojarra: deployed web applications can read FacesContext from other applications under certain conditions
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function...
Mojarra: deployed web applications can read FacesContext from other applications under certain conditions
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function...
CVE-2012-4904
Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS UXSS" attacks against the current tab...
CVE-2012-4904
Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS UXSS" attacks against the current tab...
CVE-2012-4904
CVE-2012-4904 is a Cross-site scripting (UXSS) vulnerability in Google Chrome for Android, affecting versions before 18.0.1025308. The issue allows remote attackers to inject arbitrary web script via unspecified vectors, demonstrated as UXSS attacks on the current tab. Affected product: Google Ch...
CVE-2012-4904
Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS UXSS" attacks against the current tab...