storytlr "search" Cross-Site Scripting Vulnerability
storytlr is a blogging platform. Input passed via the "search" parameter to index.php/search/ is not properly filtered in protected/application/public/controllers/SearchController.php before being returned to the user, allowing an attacker to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. storytlr 1.2. The vendor has not yet released a patch or upgrade; users of this software are advised to follow the vendor's homepage for the latest version: http://storytlr.org/...
PyroCMS "email" Cross-Site Scripting Vulnerability
PyroCMS is a content management system. Input passed to the "email" POST parameter of index.php/register is not properly filtered before being returned to the user, allowing an attacker to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. PyroCMS 2.2.3. The vendor has not yet released a patch or upgrade; users of this software are advised to follow the vendor's homepage for the latest version: https://www.pyrocms.com/...
e107 "comment" Script Injection Vulnerability
e107 is a content management system. Input passed via the "comment" POST parameter to /news.php is not properly filtered before being returned to the user; when the malicious data is viewed, an attacker can inject and execute arbitrary HTML and script code in a user's browser session in the context of the affected site. e107 1.0.4. The vendor has not yet released a patch or upgrade; users of this software are advised to follow the vendor's homepage for the latest version: http://e107.org/...
couponPHP CMS 1.0 - Multiple Stored XSS and SQL Injection Vulnerabilities
couponPHP is vulnerable to multiple Stored XSS and SQL Injection issues. Input passed via the 'iDisplayLength' and 'iDisplayStart' parameters of the 'commentspaginate.php' and 'storespaginate.php' scripts is not properly sanitised before being returned to the user or used in SQL queries. This can be...
IBM Rational Focal Point Multiple Unspecified Security Vulnerabilities
CVE ID: CVE-2014-0839, CVE-2014-0840, CVE-2014-0842, CVE-2014-0843, CVE-2014-0853. IBM Rational Focal Point is IBM Rational's web-based product management system; it has built-in customer- and market-oriented product management processes and provides workflow automation, information correlation analysis, statistical analysis and prioritization for the product management process. IBM Rational Focal Point has multiple security vulnerabilities: 1. Some user input is not properly filtered, allowing a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, sensitive information may be obtained or the user's session hijacked....
FortiOS 5.0.5 Cross Site Scripting
I. VULNERABILITY: Reflected XSS vulnerabilities in FortiOS 5.0.5. II. BACKGROUND: Fortinet's industry-leading Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and...
WordPress Seo Link Rotator 'title' Parameter Cross Site Scripting Vulnerability
WordPress Seo Link Rotator Plugin is prone to a cross-site scripting XSS vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Motorola WiMAX CPEi25890 /cgi-bin/f1_fcgi_cgi.fcgi Device Name Field Cross-Site Scripting Vulnerability
Motorola WiMAX CPEi25890 is a WiMAX modem released by Motorola. The /cgi-bin/f1fcgicgi.fcgi script on the Motorola WiMAX CPEi25890 does not properly filter input to the device name field, allowing a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, sensitive information may be obtained or the user's session hijacked. Motorola WiMAX CPEi25890...
Debian Security Advisory DSA 2830-1 (ruby-i18n - cross-site scripting)
Peter McLarnan discovered that the internationalization component of Ruby on Rails does not properly encode parameters in generated HTML code, resulting in a cross-site scripting vulnerability. This update corrects the underlying vulnerability in the i18n gem, as provided by the ruby-i18n package...
Jenkins 1.523 - Persistent HTML Code
Advisory Information Title: Default markup formatter permits offsite-bound forms Date published : 2013-12-16 Date of last update: 2013-12-16 Vendors contacted : Jenkins CI v 1.523 Discovered by: Christian Catalano Severity: Low 02. Vulnerability Information CVE reference: CVE-2013-5573 CVSS v2...
IBM Sterling Connect:Enterprise Cross-Site Scripting Vulnerability
CVE ID: CVE-2013-6327. IBM Sterling Connect is point-to-point file transfer software that provides high-volume, secure and reliable file delivery within and between enterprises. IBM Sterling Connect:Enterprise has an unspecified cross-site scripting vulnerability that allows a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, sensitive information may be obtained or the user's session hijacked. IBM Sterling Connect:Enterprise 1.3.0.2, IBM Sterling Connect:Enterprise 1.4.0.0. Vendor patch: IBM ----- IBM Sterling Connect...
Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)
source: https://www.securityfocus.com/bid/64357/info Piwigo is prone to cross-site request-forgery and HTML-injection vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the...
Cross-Site Scripting (XSS) in GuppY
High-Tech Bridge Security Research Lab discovered two XSS vulnerabilities in GuppY, which can be exploited to perform Cross-Site Scripting attacks against users of the vulnerable application. 1. Cross-Site Scripting (XSS) in GuppY: CVE-2013-5983. 1.1 The vulnerability exists due to insufficient...
Pluck CMS 4.7 - HTML Code Injection
Exploit Title: Pluck CMS CSRF - Injecting malicious contents to pages Date: 2013 4 August Exploit Author: Yashar shahinzadeh Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir Vendor Homepage: http://www.pluck-cms.org/ Tested on: Linux & Windows, PHP 5.2.9...
Pluck CMS 4.7 - HTML Code Injection
Exploit Title: Pluck CMS CSRF - Injecting malicious contents to pages Date: 2013 4 August Exploit Author: Yashar shahinzadeh Credit goes for: http://y-shahinzadeh.ir & ha.cker.ir Vendor Homepage: http://www.pluck-cms.org/ Tested on: Linux & Windows, PHP 5.2.9 Affected Version : 4.7 Contacts:...
Updated phpmyadmin packages fix security vulnerabilities
Using a crafted SQL query, it was possible to produce an XSS on the SQL query form (PMASA-2013-8, CVE-2013-4995). In setup/index.php, using a crafted hash with a JavaScript event, untrusted JS code could be executed. In the Display chart view, a chart title containing HTML code was rendered...
AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities
Title: AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities. Date: 2013-06-30. References: http://www.vulnerability-lab.com/getcontent.php?id=963. VL-ID: 963. Common Vulnerability Scoring System: 4.1. Introduction:...
Vatican Cross Site Scripting
vaticanstate.va XSS Vulnerability, webcam page. Site: http://www.vaticanstate.va/IT/Monumenti/webcam/index?cam=webcam3 Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==) Follow me: http://www.linkedin.com/in/andreamenin...
AVAST Internet Security Suite - Persistent Vulnerabilities
Document Title: AVAST Internet Security Suite - Persistent Vulnerabilities. References (Source): http://www.vulnerability-lab.com/getcontent.php?id=969. Release Date: 2013-06-26. Vulnerability Laboratory ID (VL-ID):...
IBM SPSS Data Collection CVE-2013-0464 Cross-Site Scripting Vulnerability
Bugtraq ID: 60246. CVE ID: CVE-2013-0464. IBM SPSS Data Collection is an industry-leading professional solution for survey research, market research and customer behaviour analysis. IBM SPSS Data Collection has an input validation vulnerability that allows a remote attacker to inject malicious script or HTML code; when the malicious data is viewed by a user, sensitive information may be obtained or the user's session hijacked. IBM SPSS Data Collection 6.0.1, IBM SPSS Data Collection 6.0, IBM SPSS Data Collection 7.0. Users can obtain the patch from the following vendor security advisory:...