439 matches found
Nord Security: Password Reset Link Leaked In Refer Header In Request To Third Party Sites
The reporter has identified that the web application is leaking the password reset token in the HTTP Referer header. By obtaining a token, a malicious user would be able to reset the password of a particular user. It is worth mentioning that the attack must be highly personalised and requires prior...
Cross site scripting
Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header...
CVE-2013-6880
Open redirect in proxy.php in FlashCanvas before 1.6 allows remote attackers to redirect users to arbitrary web sites and conduct cross-site scripting (XSS) attacks via the HTTP Referer header...
CVE-2018-10727
Reflected Cross-Site Scripting (XSS) vulnerability in the fabrikreferrer hidden field in the Fabrikar Fabrik component through v3.8.1 for Joomla! allows remote attackers to inject arbitrary web script via the HTTP Referer header...
Cross site scripting
Reflected Cross-Site Scripting (XSS) vulnerability in the fabrikreferrer hidden field in the Fabrikar Fabrik component through v3.8.1 for Joomla! allows remote attackers to inject arbitrary web script via the HTTP Referer header...
CVE-2015-9453
The broken-link-manager plugin before 0.6.0 for WordPress has XSS via the HTTP Referer or User-Agent header to a URL that does not exist...
CVE-2015-9453
The CVE concerns the WordPress Broken Link Manager plugin, affected versions before 0.6.0. Root cause: the plugin does not properly validate or sanitize input from the HTTP Referer or User-Agent headers when requests target a non-existent URL, enabling cross-site scripting. Impact: an attacker can inject...
CVE-2016-10988
The leenkme plugin before 2.6.0 for WordPress has stored XSS via facebookmessage, facebooklinkname, facebookcaption, facebookdescription, defaultimage, or wphttpreferer...
CVE-2019-6726
The WP Fastest Cache plugin through 0.8.9.0 for WordPress allows remote attackers to delete arbitrary files because wppostratingsclearfastestcache and rmfolderrecursively in wpFastestCache.php mishandle ../ in an HTTP Referer header...
CVE-2019-12362
EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php...
Cross site scripting
EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/doaction.php...
CVE-2019-12362
CVE-2019-12362 affects EmpireCMS 7.5.0. The vulnerability is an XSS flaw exploitable via the HTTP Referer header to the endpoint e/member/doaction.php, as documented across Red Hat, NVD, CVE lists and CNVD/CVELIST entries. The available sources identify a cross-site scripting risk in EmpireCMS 7....
Cross site scripting
The admin web interface on Technicolor MediaAccess TG789vac v2 HP devices with firmware v16.3.7190-2761005-20161004084353 displays unsanitised user input, which allows an unauthenticated malicious user to embed JavaScript into the Log viewer interface via a crafted HTTP Referer header, aka XSS...
CVE-2018-8827
The admin web interface on Technicolor MediaAccess TG789vac v2 HP devices with firmware v16.3.7190-2761005-20161004084353 displays unsanitised user input, which allows an unauthenticated malicious user to embed JavaScript into the Log viewer interface via a crafted HTTP Referer header, aka XSS...
CVE-2018-18244
Cross-site scripting in syslog.html in VIVOTEK Network Camera Series products with firmware 0x06x to 0x08x allows remote attackers to execute arbitrary JavaScript code via an HTTP Referer Header...