
7378 matches found

Japan Vulnerability Notes
added 2017/05/16 12:0 a.m. | 36 views

JVN#96165722: WordPress plugin "WP Booking System" vulnerable to cross-site scripting

The WordPress plugin "WP Booking System" provided by WP Booking System contains a stored cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of a user who logged-in as an administrator. Solution: Update the plugin. Update the plugin according to...

CVSS 6.1 | AI score 6.1 | EPSS 0.00594 | Exploits 0
ThreatPost
added 2017/05/01 5:57 p.m. | 11 views

Apple Revokes Certificate Used By OSX/Dok Malware

Apple revoked a legitimate developer certificate used by hackers behind malware dubbed OSX/Dok, which was able to eavesdrop on secure HTTPS traffic of infected systems. On Sunday, Apple also rolled out an update to its XProtect built-in antimalware software to fend off existing and upcoming...

AI score 0.5 | Exploits 0 | References 2
Android Security Bulletins
added 2017/05/01 12:0 a.m. | 81 views

Android Security Bulletin—May 2017

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Alongside the bulletin, we have released a security update to Nexus devices through an over-the-air (OTA) update. The Google device firmware images have also been released to the Google Developer...

CVSS 9.3 | AI score 9.6 | EPSS 0.44367 | Exploits 5
ThreatPost
added 2017/04/24 1:52 p.m. | 28 views

SquirrelMail Remote Code Execution Vulnerability Patched

Developers behind the PHP-based webmail package SquirrelMail patched a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the system on Thursday. Dawid Golunski, a researcher with Legal Hackers discovered the vulnerability and...

CVSS 9 | AI score 0.6 | EPSS 0.15952 | Exploits 7 | References 14
CNVD
added 2017/04/20 12:0 a.m. | 2 views

Fastspot BigTree CMS Cross-Site Request Forgery Vulnerability (CNVD-2017-06039)

Fastspot BigTree CMS is the United States Fastspot company based on PHP and MySQL open source content management system CMS. A security vulnerability exists in the core/admin/modules/developer/header.php file in Fastspot BigTree CMS 4.2.17 and earlier versions. A remote attacker can exploit this...

CVSS 8.8 | AI score 6.9 | EPSS 0.00041 | Exploits 1 | References 1
UbuntuCve
added 2017/04/20 12:0 a.m. | 18 views

CVE-2017-5468

An issue with incorrect ownership model of "privateBrowsing" information exposed through developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox 53...

CVSS 9.1 | AI score 7.2 | EPSS 0.022 | Exploits 0 | References 3
OSV
added 2017/04/20 12:0 a.m. | 0 views

UBUNTU-CVE-2017-5468

An issue with incorrect ownership model of "privateBrowsing" information exposed through developer tools. This can result in a non-exploitable crash when manually triggered during debugging. This vulnerability affects Firefox 53...

CVSS 9.1 | AI score 7.3 | EPSS 0.022 | Exploits 0 | References 4
ThreatPost
added 2017/04/18 1:45 p.m. | 9 views

Facebook Delegated Account Recovery SDKs Published for Java, Ruby Apps

Facebook’s Delegated Account Recovery, a protocol that allows applications to delegate account recovery permission to third-party applications, entered its beta phase today with the release of SDKs and additional support for new platforms. The feature has been running on a trial basis since late...

AI score 0.2 | Exploits 0 | References 2
OSV
added 2017/04/17 9:59 p.m. | 1 views

CVE-2017-1161

IBM API Connect 5.0.6.0 could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of URLs for the Developer Portal. By crafting a malicious URL, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the...

CVSS 7.3 | AI score 6.1 | EPSS 0.00376 | Exploits 0 | References 2
Prion
added 2017/04/17 9:59 p.m. | 16 views

Input validation

IBM API Connect 5.0.6.0 could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of URLs for the Developer Portal. By crafting a malicious URL, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the...

CVSS 7.5 | AI score 7.4 | EPSS 0.00376 | Exploits 0 | References 2 | Affected Software 1
NVD
added 2017/04/17 9:59 p.m. | 14 views

CVE-2017-1161

IBM API Connect 5.0.6.0 could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of URLs for the Developer Portal. By crafting a malicious URL, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the...

CVSS 7.5 | AI score 7.5 | EPSS 0.00376 | Exploits 0 | References 2
Drupal
added 2017/04/12 12:0 a.m. | 7 views

@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Provide some more API for developer to work with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

AI score 7.2 | Exploits 0 | References 8
Packet Storm
added 2017/04/04 12:0 a.m. | 53 views

SilverStripe CMS 3.1.9 Path Disclosure

https://www.osisecurity.com.au/silverstripe-cms---path-disclosure.html Date: 04-Apr-2017 Product: SilverStripe CMS Versions affected: 3.1.9 and below. Vulnerability: Path disclosure. Example URL: http://target/dev/build/ Path reported: /home/target/publichtml/framework/dev/DebugView.php...

AI score 7.4 | Exploits 0
ThreatPost
added 2017/03/30 2:29 p.m. | 8 views

Github Repository Owners Targeted by Data-Stealing Malware

Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots. Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were...

AI score 7.2 | Exploits 0 | References 1
myhack58
added 2017/03/18 12:0 a.m. | 32 views

How to bypass the latest Microsoft Edge patch and continue to spoof the address bar to load a malicious warning page-bug warning-the black bar safety net

Overview On Tuesday, Microsoft pushed out a major patch to fix many major security holes, which greatly improve the Edge of the browser developers and the security of reputation. But I hope that Microsoft is able to convince those who still follow the absurd IE policy of the old school, or at lea...

AI score 7 | Exploits 0
Drupal
added 2017/03/15 12:0 a.m. | 12 views

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions. The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes...

AI score 7 | Exploits 0 | References 10
Kaspersky
added 2017/03/14 12:0 a.m. | 77 views

KLA11833 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information. Below is a complete list of vulnerabilities: 1. A remote code execution vulnerability in Windows Graphics Component can be...

CVSS 9.3 | AI score 7.8 | EPSS 0.36707 | Exploits 2 | References 17
myhack58
added 2017/03/13 12:0 a.m. | 25 views

Designed to pit people up! The outlaws are a large number of the abuse of Apple's iOS enterprise certificate-vulnerability warning-the black bar safety net

Not molecule by abuse or the purchase of the corporate certificate packing illegal Apps through itms:services://?, the Online install ipa ,across the Appstore in the form, spread a large number of jurisprudence involved in gambling applications, designed to pit the Chinese people! Include...

AI score 6.7 | Exploits 0
NVD
added 2017/03/03 4:59 p.m. | 10 views

CVE-2015-8815

Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script or HTML via the name parameter to (1) the media page, (2) the developer data edit page, or (3) the form page...

CVSS 6.1 | AI score 6.1 | EPSS 0.002 | Exploits 1 | References 2
Prion
added 2017/03/03 4:59 p.m. | 9 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Umbraco before 7.4.0 allow remote attackers to inject arbitrary web script or HTML via the name parameter to (1) the media page, (2) the developer data edit page, or (3) the form page...

CVSS 5 | AI score 6 | EPSS 0.002 | Exploits 1 | References 2 | Affected Software 1