95 matches found
ZZCMS HTTP_REFERER header cross-site scripting vulnerability
ZZCMS is a content management system (CMS) by the ZZCMS team in China. A cross-site scripting vulnerability exists in ZZCMS v2023 and earlier versions, which stems from incorrect HTTP_REFERER header handling, and can be exploited by an attacker to execute malicious scripts via specially crafted URLs...
CVE-2024-43009
A reflected cross-site scripting (XSS) vulnerability exists in user/login.php at line 24 in ZZCMS 2023 and earlier. The application directly inserts the value of the HTTP_REFERER header into the HTML response without proper sanitization. An attacker can exploit this vulnerability by tricking a user...
CVE-2024-43009
CVE-2024-43009 is a reflected XSS in ZZCMS 2023 and earlier, where the HTTP_REFERER header value is inserted directly into the HTML response in user/login.php (line 24). This can allow an attacker to execute arbitrary JavaScript in a victim’s browser, potentially enabling session hijacking or def...
Moodle Improper Input Validation
Unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php. The referrer URL used by MFA required additional sanitizing, rather than being used directly...
CVE-2024-33999 moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php
The referrer URL used by MFA required additional sanitizing, rather than being used directly...
Email Subscription Popup < 1.2.19 - Reflected Cross-Site Scripting
Description: The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2023-6527
The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Cross site scripting
The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Cross-site Scripting (XSS)
Dolibarr is vulnerable to cross-site scripting (XSS). The attack exists because it does not properly HTML-encode $_SERVER["HTTP_REFERER"] arguments to sanitize them, allowing an attacker to inject and execute malicious script...
Preferred Guest 365 site classification navigation system HTTP_REFERER SQL injection vulnerability
No description provided by source...
WordPress Total Security plugin <= 3.4 - Persistent Cross-Site Scripting (XSS) Vulnerability
When the 404 log feature is enabled, the function getRefe doesn't sanitize $_SERVER['HTTP_REFERER']. When the output is shown, the referer is not escaped. Solution: Update the plugin...
Apache Struts 2.3.x Showcase - Remote Code Execution
Apache Struts 2.3.x Showcase - Remote Code Execution !/usr/bin/python -- coding: utf-8 -- Just a demo for CVE-2017-9791 import requests def exploiturl, cmd: print"+ command: %s" % cmd payload = "%" payload += "[email protected]@DEFAULTMEMBERACCESS." payload += "memberAccess?memberAccess=dm:"...
Drupal 8.0.0 Beta 14 Cross Site Scripting Vulnerability
Drupal version 8.0.0 Beta 14 suffers from a cross site scripting vulnerability. Drupal's sad fix was to simply throw an .htaccess file in place to block access to the file. Overview Recently, I was playing around with the Drupal CMS application code. Drupal is an open source CMS application widel...
Coinbase: iframes considered harmful
The Coinbase API offers an iframe payment option. iframes are attractive because they allow Coinbase's customers to give the illusion that the Bitcoin transaction is embedded entirely within the customer's website. But customers can and do refer to that iframe on insecure connections. Hijacking a...
Phorum 3.x login.php HTTP_REFERER XSS
No description provided by source. source: http://www.securityfocus.com/bid/9882/info It has been reported that Phorum is prone to a cross-site scripting vulnerability across multiple modules. The issue presents itself across multiple modules including 'login.php', 'register.php', and...
Nuked-klaN <= 1.7.7 / <= SP4.4 - Multiple Vulnerabilities Exploit
No description provided by source. <?php Name: Nuked-klaN <= 1.7.7 and <= SP4.4 Multiple Vulnerabilities Exploit Credits: Charles FOL charlesfolathotmail.fr URL: http://real.o-n.fr/ Date: 14/10/2008 Special thanks to Louis for remembering me I had to finish it = VULNERABILITY DETAILS...
WordPress Plugin Related Sites 2.1 - Blind SQL Injection Vulnerability
No description provided by source. WordPress Plugin Related Sites 2.1 BlindSQLinj Vuln http://wordpress.org/extend/plugins/related-sites/ /wp-content/plugins/related-sites/BTERWwebajax.php eLwauxc 30.05.2009, uasc.org.ua SQL-Inj 27: $guid = $_POST['guid']; 28: $click = $_POST['click']; 31: $ref =...
Phorum 3.x profile.php target Parameter XSS
No description provided by source. source: http://www.securityfocus.com/bid/9882/info It has been reported that Phorum is prone to a cross-site scripting vulnerability across multiple modules. The issue presents itself across multiple modules including 'login.php', 'register.php', and...
MaxWebPortal 1.3x down.asp HTTP_REFERER XSS
No description provided by source. source: http://www.securityfocus.com/bid/9625/info It has been reported that MaxWebPortal may be prone to multiple vulnerabilities due to insufficient sanitization of user-supplied input. The specific issues include cross-site scripting, HTML injection and SQL...