Drupal Autocomplete Deluxe Module Cross-Site Scripting Vulnerability
Drupal is a free, open source content management system written in PHP and maintained by the Drupal community. Autocomplete Deluxe is a module that provides a new widget for classification (taxonomy) fields based on the jQuery UI autocomplete. A cross-site scripting vulnerability...
CVE-2016-7967
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled...
Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)
HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...
CVE-2016-5740
An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. Th...
CVE-2016-9901
HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...
UBUNTU-CVE-2016-9901
HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...
WordPress: XSS via unicode characters in upload filename
WordPress has a vulnerability that could lead to JavaScript execution and thus privilege escalation via an admin visiting the wrong page via specially crafted JavaScript. Unicode characters are escaped by JavaScript but they are not escaped server-side. I've checked the latest version 4.6.1 at th...
Yandex Browser for desktop Yandex Browser Translator Cross-Site Scripting Vulnerability
Yandex Browser for desktop is a desktop browser from the Russian company Yandex. Yandex Browser Translator is one of its translation applications. A cross-site scripting vulnerability exists in Yandex Browser Translator in Yandex Browser for desktop versions 15.12 through 16.2. A remote attacker c...
CVE-2016-7968
KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed...
IBM Financial Transaction Manager for ACH Cross-Site Scripting Vulnerability
IBM Financial Transaction Manager (FTM) for ACH Services is a Financial Transaction Manager product from IBM USA, which is used to monitor, track and report on financial payments and transactions. A cross-site scripting vulnerability exists in Financial Transaction Manager (FTM) for ACH Services...
New Relic: XSS in a newrelic.com site
Hello, I found an XSS vulnerability that could be used by an attacker to execute JavaScript in the client; for example, an attacker could steal the cookie of the user, or an attacker could redirect the client to an attacker site and try to exploit vulnerabilities against the browser. Here you can...
CVE-2016-4215
Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors...
Design Vulnerability in YoMail Email Client of Shanghai Wulong Information Technology Co.
YoMail is a lightweight email client. A design vulnerability exists in the YoMail email client of Shanghai Wuji Information Technology Co. Ltd, which allows an attacker to execute JavaScript code, among other things, by sending a payload...
Slack: Open Redirect on slack.com
Hi, my report has two interesting parts here. First ====== In this report 104087 the attacker uploads an SVG file to execute JavaScript and redirect to any domain. I have found a new way to execute full HTML files on the victim machine instead of downloading them by adding a bunch of binary chars before...
Adobe Acrobat Reader DC Restriction Bypass Vulnerability (CNVD-2016-03132)
Adobe Acrobat Reader DC is a set of tools from the US company Adobe for viewing, printing and annotating PDF files. A security vulnerability exists in Adobe Acrobat Reader DC that allows an attacker to bypass restrictions on executing the JavaScript API...
Google Chrome Javascript Execution Vulnerability
Google Chrome is a popular web browser. A JavaScript execution vulnerability exists in Google Chrome's default search engine handling. An attacker is able to manipulate the masterpreferences file on the victim's machine...
Snapchat: XSS found on Snapchat website
Hi Snapchat Team, I've found a reflected XSS vulnerability on this page: https://www.snapchat.com/add/snapchat Example: https://www.snapchat.com/add/%22%3E%3Ch1%3EXSS%3C%2Fh1%3E Note: you should visit the page with a mobile user-agent since the server displays different information based on the...
Anti-Malware Security & Brute-Force Firewall <= 4.15.42 - XSS & CSRF
The Anti-Malware Security and Brute-Force Firewall WordPress plugin was affected by an XSS & CSRF security vulnerability. PoC: an XSS vulnerability in https://wordpress.org/plugins/gotmls/ has been identified. While I scanned a site with that plugin, I had a file named '".png and it was skipped, but result...