Localize: CSRF in adding phrase.
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering, such as sending a link via email or chat, an attacker may trick the users of a web application into executing actions of the...
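The mechanism described in the snippet above, as an added example that is not part of the original page or of the Localize project: a minimal "add phrase" handler in Python, first with only a session check (the vulnerable pattern, where a form auto-submitted from an attacker's page succeeds because the victim's browser sends the session cookie), then hardened with a per-session anti-CSRF token compared in constant time plus an Origin check. The function names, the session layout and the origin https://localize.example are assumptions for illustration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://localize.example"  # assumed origin of the protected application


def new_session(user):
    """Constructed stand-in for a server-side session: one random CSRF token per session."""
    return {"user": user, "phrases": [], "csrf_token": secrets.token_urlsafe(32)}


def csrf_token_field(session):
    """Value the server embeds as <input type="hidden" name="csrf_token"> in its own form."""
    return session["csrf_token"]


def origin_allowed(headers):
    """Defence in depth: browsers attach Origin to cross-site POSTs, so refuse a mismatch.
    A missing header is tolerated because the token check remains the primary control."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return origin == SITE_ORIGIN


def add_phrase_vulnerable(session, form):
    """The pattern the advisory describes: being logged in is the only check, so a request
    forged from another site adds a phrase on the victim's behalf."""
    session["phrases"].append(form["phrase"])
    return 200


def add_phrase_fixed(session, form, headers):
    """Hardened handler: the POST must carry this session's token and an acceptable Origin."""
    if not origin_allowed(headers):
        return 403
    submitted = form.get("csrf_token", "")
    # The attacker's page cannot read the token (same-origin policy), so a forged request
    # cannot supply it; compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403
    session["phrases"].append(form["phrase"])
    return 200


if __name__ == "__main__":
    victim = new_session("alice")
    forged = {"phrase": "injected by attacker"}          # no csrf_token field
    cross_site = {"Origin": "https://attacker.example"}
    print(add_phrase_vulnerable(victim, forged), victim["phrases"])        # 200, phrase added
    victim = new_session("alice")
    print(add_phrase_fixed(victim, forged, cross_site), victim["phrases"])  # 403, nothing added
    legit = {"phrase": "hello", "csrf_token": csrf_token_field(victim)}
    print(add_phrase_fixed(victim, legit, {"Origin": SITE_ORIGIN}), victim["phrases"])  # 200
```

The token is generated per session rather than per form so that it survives multiple tabs; binding it to the session is what makes a token copied from the attacker's own account useless against the victim.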
WordPress Uploader Plugin Multiple Vulnerabilities
The WordPress plugin ... Greenbone AG vulnerability test (2014, GPL-2.0-only; some text descriptions are excerpted from referenced sources and remain copyright of the respective right holders). CPE = "cpe:/a:wordpress:wordpress"...
The three major dangerous vulnerabilities in web message boards - a vulnerability warning - Black Bar Safety Net
Message boards, as an interactive medium between a web page and its viewers, are popular; almost every site, large or small, has one, so the message board is now a key component of the site and its security cannot be taken lightly. Listed here are the three major ... when building a guestbook...
Joomla! Kunena Component "[map]" BBCode Script Injection Vulnerability
Joomla! is a well-known content management system. Because input passed via the "map" BBCode parameter when creating a message is not properly filtered in bbcode/bbcode.php, an attacker can exploit this to inject and execute arbitrary HTML and script code in a user's browser session in the context of the affected site when the malicious data is viewed. Affected: Kunena 3.x component for Joomla!. Joomla! Kunena 3.0.5 fixes this vulnerability; users are advised to download and use it: http://www.kunena.org/blog/135-kunena-3-0-5-released...
ownCloud Multiple Cross Site Scripting Vulnerabilities
ownCloud is an open-source private cloud server. ownCloud has multiple cross-site scripting vulnerabilities that allow a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, the attacker can obtain sensitive information or hijack the user's session. Affected: ownCloud 6.x. ownCloud 6.0.2 fixes these vulnerabilities; users are advised to download the update: http://owncloud.org...
Drupal Nivo Slider Module Cross Site Scripting Vulnerability
Bugtraq ID: 66327. Drupal is an open-source content management platform. The Drupal Nivo Slider module does not properly filter image title data, allowing a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, the attacker can obtain sensitive information or hijack the user's session. Affected: Drupal Nivo Slider Module 7.x. Drupal Nivo Slider Module 7.x-1.11 fixes this vulnerability; users are advised to download the update: http://drupal.org/project/nivoslider...
CMSimple 3.54 Cross Site Scripting
Advisory ID: HTB23205 Product: CMSimple Vendor: Preben Bjorn Biermann Madsen Vulnerable Versions: 3.54 and probably prior Tested Version: 3.54 Advisory Publication: February 26, 2014 without technical details Vendor Notification: February 26, 2014 Vendor Patch: February 26, 2014 Public Disclosure...
Debian: Security Advisory (DSA-2882-1)
The remote host is missing an update for the Debian ... Greenbone AG vulnerability test (2014, GPL-2.0-only; some text descriptions are excerpted from referenced sources and remain copyright of the respective right holders)...
Joomla Multi Calendar 4.0.2 Cross Site Scripting
Hello, multiple cross-site scripting (XSS) vulnerabilities in the Multi calendar 4.0.2 component for Joomla! allow remote attackers to inject arbitrary web script or HTML code via (1) the calid parameter to index.php or (2) the paletteDefault parameter to index.php. File: /tmpl/layouteditevent.php Lines: 1...
Serena Dimensions CM Cross Site Scripting Vulnerability
Bugtraq ID: 65976, CVE ID: CVE-2014-0335. Serena Dimensions CM is a project planning and management tool. Serena Dimensions CM has multiple cross-site scripting vulnerabilities that allow a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, the attacker can obtain sensitive information or hijack the user's session. Affected: Serena Dimensions CM 12.2 Build 7.199.0 web client. No detailed solution is currently available: http://www.serena.com/index.php/en/products/featured-products/dimensions-cm/...
e107 "comment" Script Injection Vulnerability
e107 is a content management system. Because input passed via the "comment" POST parameter to /news.php is not properly filtered before being returned to the user, an attacker can exploit this to inject and execute arbitrary HTML and script code in a user's browser session in the context of the affected site when the malicious data is viewed. Affected: e107 1.0.4. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: http://e107.org/...
storytlr "search" Cross Site Scripting Vulnerability
storytlr is a blogging platform. Because input passed via the "search" parameter to index.php/search/ is not properly filtered in protected/application/public/controllers/SearchController.php before being returned to the user, an attacker can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. Affected: storytlr 1.2. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: http://storytlr.org/...
PyroCMS "email" Cross Site Scripting Vulnerability
PyroCMS is a content management system. Because input passed to the "email" POST parameter of index.php/register is not properly filtered before being returned to the user, an attacker can exploit this to execute arbitrary HTML and script code in a user's browser session in the context of the affected site. Affected: PyroCMS 2.2.3. The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: https://www.pyrocms.com/...
couponPHP CMS 1.0 - Multiple Stored XSS and SQL Injection Vulnerabilities
couponPHP is vulnerable to multiple stored XSS and SQL injection issues. Input passed via the parameters 'iDisplayLength' and 'iDisplayStart' to the 'commentspaginate.php' and 'storespaginate.php' scripts is not properly sanitised before being returned to the user or used in SQL queries. This can be...
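Several of the entries above, the storytlr "search" reflection and the couponPHP pagination parameters among them, describe the same two defects: a request value echoed into HTML without output encoding, and a request value concatenated into a SQL statement. The following Python is an added example, not code from any of the listed projects. It stands up an in-memory SQLite table with constructed rows, shows the concatenated query and the unescaped echo beside their hardened counterparts (strict integer parsing plus bound parameters, and html.escape), and all names other than iDisplayLength and iDisplayStart are assumptions for illustration.

```python
import html
import sqlite3


def setup_db():
    """Constructed sample data standing in for a comments table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO comments (body) VALUES (?)",
                    [(f"comment {i}",) for i in range(1, 6)])
    return con


def build_query_vulnerable(params):
    """The advisory's pattern: request values pasted straight into LIMIT/OFFSET,
    so whatever the client sends becomes part of the SQL text."""
    return ("SELECT body FROM comments LIMIT " + params.get("iDisplayLength", "10")
            + " OFFSET " + params.get("iDisplayStart", "0"))


def parse_page_params(params, max_len=100):
    """Hardened: pagination values must be small non-negative integers and nothing else.
    Raises ValueError for anything that is not a plain base-10 integer in range."""
    try:
        length = int(params.get("iDisplayLength", "10"), 10)
        start = int(params.get("iDisplayStart", "0"), 10)
    except ValueError:
        raise ValueError("pagination parameters must be integers")
    if not 1 <= length <= max_len or start < 0:
        raise ValueError("pagination parameters out of range")
    return length, start


def fetch_page(con, params):
    """Validated integers are bound as parameters; no request text reaches the SQL."""
    length, start = parse_page_params(params)
    rows = con.execute("SELECT body FROM comments LIMIT ? OFFSET ?", (length, start))
    return [r[0] for r in rows]


def echo_param_vulnerable(value):
    """Reflection as in the storytlr entry: the search term goes back into the page as-is."""
    return "<p>Results for: " + value + "</p>"


def echo_param_fixed(value):
    """Encode for the HTML text context; quote=True also covers attribute contexts."""
    return "<p>Results for: " + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    con = setup_db()
    hostile = {"iDisplayLength": "1 OFFSET 0 UNION SELECT password FROM users",
               "iDisplayStart": "0"}
    print(build_query_vulnerable(hostile))        # attacker text is now part of the query
    try:
        fetch_page(con, hostile)
    except ValueError as err:
        print("rejected:", err)
    print(fetch_page(con, {"iDisplayLength": "2", "iDisplayStart": "1"}))
    probe = "<script>alert(1)</script>"
    print(echo_param_vulnerable(probe))
    print(echo_param_fixed(probe))
```

Casting to int is the whole fix for numeric parameters; the range check is there because a huge LIMIT is a cheap denial-of-service even when injection is impossible. For free-text values such as a search term there is no safe cast, so the only correct step is to encode on output for the exact context in which the value is rendered.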
IBM Rational Focal Point Multiple Unspecified Security Vulnerabilities
CVE IDs: CVE-2014-0839, CVE-2014-0840, CVE-2014-0842, CVE-2014-0843, CVE-2014-0853. IBM Rational Focal Point is IBM Rational's web-based product management system; it has built-in customer- and market-facing product management processes and provides workflow automation, information relevance analysis, statistical analysis and prioritization for the product management process. IBM Rational Focal Point has multiple security vulnerabilities: 1. Some user input is not properly filtered, allowing a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, the attacker can obtain sensitive information or hijack the user's session....
FortiOS 5.0.5 Cross Site Scripting
I. VULNERABILITY: Reflected XSS vulnerabilities in FortiOS 5.0.5. II. BACKGROUND: Fortinet's industry-leading Network Security Platforms deliver Next Generation Firewall (NGFW) security with exceptional throughput, ultra low latency, and...
WordPress Seo Link Rotator 'title' Parameter Cross Site Scripting Vulnerability
WordPress Seo Link Rotator Plugin is prone to a cross-site scripting (XSS) vulnerability. Greenbone AG vulnerability test (2014, GPL-2.0-only; some text descriptions are excerpted from referenced sources and remain copyright of the respective right holders). CPE =...
Motorola WiMAX CPEi25890 /cgi-bin/f1_fcgi_cgi.fcgi Device Name Field Cross Site Scripting Vulnerability
Motorola WiMAX CPEi25890 is a WiMAX modem released by Motorola. The Motorola WiMAX CPEi25890 /cgi-bin/f1_fcgi_cgi.fcgi script does not properly filter input to the device name field, allowing a remote attacker to inject malicious script or HTML code; when the malicious data is viewed, the attacker can obtain sensitive information or hijack the user's session. Motorola WiMAX CPEi25890...
Debian Security Advisory DSA 2830-1 (ruby-i18n - cross-site scripting)
Peter McLarnan discovered that the internationalization component of Ruby on Rails does not properly encode parameters in generated HTML code, resulting in a cross-site scripting vulnerability. This update corrects the underlying vulnerability in the i18n gem, as provided by the ruby-i18n package...
Jenkins 1.523 - Persistent HTML Code
Advisory Information Title: Default markup formatter permits offsite-bound forms Date published : 2013-12-16 Date of last update: 2013-12-16 Vendors contacted : Jenkins CI v 1.523 Discovered by: Christian Catalano Severity: Low 02. Vulnerability Information CVE reference: CVE-2013-5573 CVSS v2...