JVN#96954395: Nessus vulnerable to cross-site scripting
Nessus provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79). Impact: Arbitrary JavaScript may be executed in the user's web browser. Solution: Update the software to the latest version according to the information provided by the developer. Products affected...
OWASP iGoat (Swift) - A Damn Vulnerable Swift Application For iOS
This is a Swift version of the original iGoat Objective-C project. Using OWASP iGoat, you can learn to exploit and defend against vulnerabilities in iOS Swift applications. Developed using Swift 4 and Ruby. iGoat Objective-C was presented at: OWASP Top 10 Mobile, Reverse Engineering, Runtime Analysis, Data...
CVE-2018-5175
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...
UBUNTU-CVE-2018-5175
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw, an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...
Microsoft Adds Support for JavaScript in Excel—What Could Possibly Go Wrong?
Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes. As promised last year at Microsoft's Ignite 2017 conference, the company has now brought custom JavaScript...
KLA11248 Multiple vulnerabilities in Microsoft Developer Tools
Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface, bypass security restrictions, and cause a denial of service. Below is a complete list of vulnerabilities: 1. A spoofing vulnerability in Azure IoT SDK can be...
Asylo Open-Source Framework Tackles TEEs for Cloud
Asylo, an open-source framework and software development kit (SDK) for creating applications that run in trusted execution environments (TEEs), has launched to tackle the complexity involved in running a confidential computing platform for workloads in the cloud and virtual environments. TEEs provide...
Android Security Bulletin—May 2018
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-05-05 or later address all of these issues. To learn how to check a device's security patch level, see Check & update your Android version. Android partners are...
ExpressionEngine: XML Member Processing - Local File Inclusion Vulnerability
@lawrenceamer discovered a local file inclusion vulnerability that logged-in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating it and screen captures of the...
ExpressionEngine: Import File Converter - Local File Inclusion
@lawrenceamer discovered a local file inclusion vulnerability that logged-in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating it and screen captures of the...
CVE-2016-2169
Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service...
CVE-2018-6111
An object lifetime issue in the developer tools network handler in Google Chrome prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via a crafted HTML page...
JVN#77753476: Hatena Bookmark App for iOS contains an address bar spoofing vulnerability
Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed. Impact This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks. Solution...
KLA11226 OSI vulnerability in Microsoft Developer Tools
An information disclosure vulnerability was found in Microsoft Developer Tools. Malicious users can exploit this vulnerability to obtain sensitive information. Original advisories: CVE-2018-1037. Related products: Microsoft Visual Studio. CVE list: CVE-2018-1037. KB list: 4089501, 4087371, 4091346...
March 13, 2018—KB4088786 (OS Build 10240.17797)
March 13, 2018—KB4088786 OS Build 10240.17797 Improvements and fixes This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Addresses issue with printing XML documents with Internet Explorer and Microsoft Edge. Address...
CVE-2018-1469
IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system commands using specially crafted HTTP requests. IBM X-Force ID: 140605...
Design/Logic Flaw
IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow an unauthenticated attacker to execute system commands using specially crafted HTTP requests. IBM X-Force ID: 140605...
CVE-2018-1469
IBM API Connect Developer Portal in versions 5.0.0.0–5.0.8.2 is affected by a vulnerability that could allow an unauthenticated attacker to execute system commands via specially crafted HTTP requests. The CVE entry for CVE-2018-1469 is supported by multiple sources (NVD/NVD-derived pages and rela...
CA API Developer Portal Cross-Site Scripting Vulnerability (CNVD-2018-06884)
CA API Developer Portal is CA's API (Application Programming Interface) developer portal for software developers. A cross-site scripting vulnerability exists in the widgetID variable in CA API Developer Portal; it stems from the program failing to properly filter user-submitted HTML code....