4739 matches found

seebug.org
added 2014/03/07 12:0 a.m., 17 views

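The ForzeArmate application security bypass arbitrary JavaScript code execution vulnerability

CVE ID: CVE-2014-1885 The ForzeArmate application is an Android-based application. When Adobe PhoneGap 2.9.0 or earlier is used, The ForzeArmate application has a security vulnerability that allows a remote attacker who controls any Google syndication advertising domain to execute arbitrary JavaScript code and access external-storage resources. 0 The ForzeArmate application for Android No detailed solution is currently available:...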

6.4 CVSS, 0.1 AI score, 0.00703 EPSS
Exploits 1
NVD
added 2014/03/03 4:50 a.m., 21 views

CVE-2014-1885

The ForzeArmate application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain write access to external-storage resources, by leveraging control over any Google syndication advertising domain...

6.4 CVSS, 7.4 AI score, 0.00703 EPSS
Exploits 1, References 3
NVD
added 2014/03/03 4:50 a.m., 18 views

CVE-2014-1887

The DrinkedIn BarFinder application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain sensitive fine-geolocation information, by leveraging control over one of a number of adult sites, as demonstrated b...

4.3 CVSS, 7.2 AI score, 0.00455 EPSS
Exploits 2, References 3
UbuntuCve
added 2014/03/03 4:50 a.m., 21 views

CVE-2014-1887

The DrinkedIn BarFinder application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain sensitive fine-geolocation information, by leveraging control over one of a number of adult sites, as demonstrated b...

4.3 CVSS, 6.1 AI score, 0.00455 EPSS
Exploits 2, References 2
Prion
added 2014/03/03 4:50 a.m., 18 views

Design/Logic Flaw

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application...

6.8 CVSS, 7.6 AI score, 0.76381 EPSS
Exploits 12, References 8, Affected Software 1
CVE
added 2014/03/03 2:0 a.m., 38 views

CVE-2014-1887

The CVE concerns the DrinkedIn BarFinder Android app when used with Adobe PhoneGap 2.9.0 or earlier. The underlying issue allows a remote attacker to execute arbitrary JavaScript by exploiting control over certain adult sites (e.g., freelifetimecheating.com and www.babesroulette.com), which in tu...

4.3 CVSS, 7.5 AI score, 0.00455 EPSS
Exploits 2, References 3, Affected Software 1
Cvelist
added 2014/03/03 2:0 a.m., 33 views

CVE-2012-6636

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application...

8.8 AI score, 0.76338 EPSS
Exploits 8, References 8
CVE
added 2014/03/03 2:0 a.m., 110 views

CVE-2012-6636

CVE-2012-6636 corresponds to an Android WebView issue where WebView.addJavascriptInterface is not properly restricted, allowing crafted JavaScript to invoke Java object methods via Reflection and potentially achieve remote code execution on apps targeting API level 16 or earlier. Connected docs s...

6.8 CVSS, 7.5 AI score, 0.76338 EPSS
Exploits 8, References 8, Affected Software 1
Cvelist
added 2014/03/03 2:0 a.m., 28 views

CVE-2014-1887

The DrinkedIn BarFinder application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain sensitive fine-geolocation information, by leveraging control over one of a number of adult sites, as demonstrated b...

7.2 AI score, 0.00455 EPSS
Exploits 2, References 3
Cvelist
added 2014/03/03 2:0 a.m., 27 views

CVE-2014-1886

The Edinburgh by Bus application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently access external-storage resources, by leveraging control over one of a number of "obscure Eastern European dating sites."...

7.3 AI score, 0.00669 EPSS
Exploits 2, References 3
FreeBSD
added 2014/02/25 12:0 a.m., 28 views

otrs -- XSS Issue

The OTRS Project reports: An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed...

4.3 CVSS, 8.5 AI score, 0.03629 EPSS
Exploits 5, References 1
UbuntuCve
added 2014/02/24 4:48 a.m., 25 views

CVE-2013-6658

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the...

7.5 CVSS, 7.5 AI score, 0.01485 EPSS
Exploits 1, References 4
Packet Storm
added 2014/02/14 12:0 a.m., 29 views

WordPress Buddypress 1.9.1 Cross Site Scripting

Vulnerability: Wordpress plugin Buddypress = 1.9.1 stored xss Date: 13/02/2014 Author: Pietro Oliva Vendor Homepage: http://buddypress.org Software Link: http://downloads.wordpress.org/plugin/buddypress.1.9.1.zip Version: 1.9.1 CVE : CVE-2014-1888 Responsibly disclosed and patched in version 1.9....

4.3 CVSS, 6.5 AI score, 0.00369 EPSS
Exploits 3
ATTACKERKB
added 2014/02/14 12:0 a.m., 35 views

Microsoft Internet Explorer Use-After-Free Vulnerability

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014. Recent...

9.3 CVSS, 0.6 AI score, 0.92968 EPSS
Exploits 35, References 12
ATTACKERKB
added 2014/02/14 12:0 a.m., 105 views

CVE-2014-0322

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014. Recent...

9.3 CVSS, 8.3 AI score, 0.92968 EPSS
In wild, Exploits 35, References 13
exploitpack
added 2014/02/07 12:0 a.m., 36 views

CTERA 3.2.29.0 / 3.2.42.0 - Persistent Cross-Site Scripting

CTERA 3.2.29.0 / 3.2.42.0 - Persistent Cross-Site Scripting Exploit Title: CTERA Project Folders - Stored XSS Date: 11-Mar-2013 Exploit Author: Luigi Vezzoso Vendor Homepage: http://www.ctera.com Version: 3.2.29.0 and 3.2.42.0 Tested on: ctera os CVE : CVE-2013-2639 OVERVIEW Standard Ctera User...

4.3 CVSS, 6.2 AI score, 0.00757 EPSS
Exploits 5
Packet Storm
added 2014/02/07 12:0 a.m., 22 views

Android Browser / WebView addJavascriptInterface Code Execution

This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 "Android", :arch = ARCHARMLE, :javascript = true, :rank = ExcellentRanking, :vulntest = %Q| for i in top try...

1 AI score
Exploits 0
Packet Storm
added 2014/02/05 12:0 a.m., 52 views

i-doit Pro 1.2.4 Cross Site Scripting

COMPASS SECURITY ADVISORY http://www.csnc.ch/ CVE ID : CVE-2014-1237 CSNC ID: CSNC-2014-002 Product: i-doit Vendor: synetics Gesellschaft für Systemintegration mbH Subject: Cross-site Scripting - XSS Risk: High Effect: Remotely exploitable Author: Stephan Rickauer [email protected] Date:...

4.3 CVSS, 6.8 AI score, 0.00698 EPSS
Exploits 1
Packet Storm
added 2014/01/07 12:0 a.m., 29 views

GetSimple CMS 3.1.2 / 3.2.3 Cross Site Scripting

Author Information Author : Ahmed Elhady Mohamed Website : http://1nfosec4all.blogspot.com/ twitter : @kingasmk facebook :https://www.facebook.com/groups/ITsec4all/ Software Information Affected Software : GetSimple CMS 3.2.3, 3.1.2 Software website : http://get-simple.info/ CVE Reference :...

4.3 CVSS, 0.2 AI score, 0.00254 EPSS
Exploits 2
seebug.org
added 2014/01/05 12:0 a.m., 128 views

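YXcmsApp: XSS at a certain location leads to getshell

Brief description: XSS into the admin backend leading to getshell, a one-stop service, though of somewhat limited use. Details: YXCMS is an enterprise-oriented content management system that uses three-level caching and an MVC architecture and is open-sourced under the BSD license. After registering a user, I went to the user management page and clicked Information Publishing - Add Consultation, and found a rich text editor, kindeditor. Whatever the editor is, once a user is given this much privilege, XSS easily appears in this situation. Enter anything, capture the request, modify the content field, and write your XSS code; anything will do. Done. The administrator can see the article I submitted in the backend: Then editing it triggers the XSS:...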

7.2 AI score
Exploits 0