Apple Safari Flaws Enable One-Click Webcam Access
A security researcher has disclosed vulnerabilities in Apple’s Safari browser that can be used to snoop on iPhones, iPads and Mac computers using their microphones and cameras. To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one maliciou...
CVE-2020-8823
A cross-site scripting (XSS) vulnerability was found in the Node.js library sockjs. An attacker could use this vulnerability to supply a query string with script tags, which could trick a victim into executing specially crafted JavaScript code...
SQL injection
An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary javascript code execution...
CVE-2020-3884
An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary javascript code execution...
CVE-2020-3884
Summary: CVE-2020-3884 is an injection issue in the Mail component of macOS Catalina that allowed a remote attacker to cause arbitrary JavaScript execution. The issue was addressed by improved input validation and is fixed in macOS Catalina 10.15.4. The primary sources describe the vulnerability ...
CVE-2019-10180
A vulnerability was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross-Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...
Cross site scripting
A vulnerability was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize several parameters stored for the tokens, possibly resulting in a Stored Cross-Site Scripting (XSS) vulnerability. An attacker able to modify the parameters of any token could...
F5 Networks BIG-IP : BIG-IP APM Portal Access vulnerability (K73183618)
The version of F5 Networks BIG-IP installed on the remote host is prior to 11.6.5.2 / 12.1.5.2 / 14.1.2.5 / 15.0.1.3 / 15.1.0.2 / 16.0.0. It is, therefore, affected by a vulnerability as referenced in the K73183618 advisory. In BIG-IP APM Portal Access, HTTP pages that are served by back-end serve...
CVE-2020-1771
An attacker is able to craft an article with a link to the customer address book containing malicious JavaScript. When an agent opens the link, the JavaScript code is executed due to the missing parameter encoding. This issue affects: OTRS Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior...
Qulture.Rocks: XSS from arbitrary attachment upload.
Summary: The New Comment feature in the OKRs page allows a user to upload an arbitrary file. I was able to upload an HTML file that contains JavaScript code. The JavaScript code will execute when the victim visits the attachment. Steps To Reproduce: 1. Upload an HTML file that contains javascript...
Cross site scripting
A flaw was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated...
CVE-2020-1696
A flaw was found in all pki-core 10.x.x versions, where the Token Processing Service (TPS) did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated...
Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4717)
Summary: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4717). Vulnerability Details: CVEID: CVE-2019-4717. DESCRIPTION: IBM Jazz for Service Management is vulnerable to cross-site...
CVE-2019-16375
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious...
Design/Logic Flaw
An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.11, and Community Edition 5.0.x through 5.0.37 and 6.0.x through 6.0.22. An attacker who is logged in as an agent or customer user with appropriate permissions can create a carefully crafted string containing malicious...
CVE-2019-10178
It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would...