102 matches found

Veracode
added 2020/02/10 5:33 a.m. | 28 views

Arbitrary Code Execution

htmlunit is vulnerable to arbitrary code execution. The application does not prevent Rhino's access to Java resources such as Java methods. This allows an attacker to execute arbitrary Java code on the system using malicious JavaScript code...

CVSS 8.1 | AI score 3.3 | EPSS 0.0164
Exploits 0 | References 7 | Affected Software 1

NVD
added 2019/08/30 9:15 a.m. | 10 views

CVE-2018-18370

The ASG/ProxySG FTP proxy WebFTP mode allows intercepting FTP connections where a user accesses an FTP server via a ftp:// URL in a web browser. A stored cross-site scripting (XSS) vulnerability in the WebFTP mode allows a remote attacker to inject malicious JavaScript code in ASG/ProxySG's web...

CVSS 6.1 | AI score 6 | EPSS 0.0025
Exploits 0 | References 1

Symantec
added 2019/08/27 8:00 a.m. | 32 views

XSS and Information Disclosure Vulnerabilities in ASG and ProxySG

SUMMARY The Symantec ASG and ProxySG FTP proxy WebFTP mode is susceptible to XSS and information disclosure vulnerabilities. A remote attacker can inject malicious JavaScript code in the web listing of a remote FTP server and obtain authentication credentials for a remote FTP server. AFFECTED...

CVSS 4.3 | AI score 1.7 | EPSS 0.0025
Exploits 0 | Affected Software 2

CNVD
added 2019/08/01 12:00 a.m. | 2 views

Stored Cross-Site Scripting Vulnerability in Morphology Digital Lab Teaching Platform Frontend

Morphology digital experimental teaching platform is a virtual reality system with the core of computer virtual reality and digital simulation technology, supported by biosimulation engine, processing factor database, virtual environment interface and other technologies. Morphology digital...

AI score 6.4
Exploits 0

Veracode
added 2019/05/02 4:41 a.m. | 29 views

Arbitrary Code Execution

firefox/thunderbird is vulnerable to arbitrary code execution. A remote attacker is able to execute arbitrary code via malicious JavaScript code due to improper processing of data types in jsinfer.cpp...

CVSS 9.3 | AI score 9.6 | EPSS 0.03612
Exploits 0 | References 11 | Affected Software 3

Packet Storm
added 2019/01/07 12:00 a.m. | 44 views

Base Soundtouch 18.1.4 Cross Site Scripting

CWE-80 XSS Bose Soundtouch App Internal reference: - Vulnerability type: Cross-Site Scripting CWE-80 Vulnerable version: 18.1.4 and maybe older versions, too not tested Vulnerable component: IOS Frontend of the application Report confidence: Unconfirmed Solution status: Could be fixed by vendor?...

AI score 6.4 | EPSS 0.00234
Exploits 2

Prion
added 2018/10/22 7:29 p.m. | 16 views

Cross site scripting

Symantec Web Isolation (WI) 1.11 prior to 1.11.21 is susceptible to a reflected cross-site scripting (XSS) vulnerability. A remote attacker can target end users protected by WI with social engineering attacks using crafted URLs for legitimate web sites. A successful attack allows injecting malicious...

CVSS 4.3 | AI score 5.9 | EPSS 0.00367
Exploits 0 | References 2 | Affected Software 1

The Hacker News
added 2018/06/14 3:10 p.m. | 401 views

Chinese Hackers Carried Out Country-Level Watering Hole Attack

Cybersecurity researchers have uncovered an espionage campaign that has targeted a national data center of an unnamed central Asian country in order to conduct watering hole attacks. The campaign is believed to be active covertly since fall 2017 but was spotted in March by security researchers fr...

CVSS 9.3 | AI score 0.6 | EPSS 0.94354
Exploits 33

Prion
added 2018/06/01 3:29 p.m. | 11 views

Cross site scripting

An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CS...

CVSS 4.3 | AI score 5.9 | EPSS 0.00327
Exploits 1 | References 1 | Affected Software 1

Hacker One
added 2018/03/27 1:52 p.m. | 20 views

Node.js third-party modules: [html-pages] Stored XSS in the filename when directories listing

I would like to report a Stored XSS vulnerability in html-pages. It allows executing malicious JavaScript code in the user's browser. Module: module name: html-pages, version: 2.1.1, npm page: https://www.npmjs.com/package/html-pages. Module Description: Simple development http server for file serving a...

CVSS 4.3 | AI score 5.9 | EPSS 0.0015
Exploits 1

CNVD
added 2018/03/07 12:00 a.m. | 2 views

Magento cross-site scripting vulnerability (CNVD-2018-04517)

Magento is an open source PHP e-commerce system from Magento, which provides permission management, search engine and payment gateway. Magento has a cross-site scripting vulnerability that can be exploited by attackers to inject malicious JavaScript script code...

AI score 6.3
Exploits 0 | References 1

Prion
added 2018/02/21 1:29 a.m. | 11 views

Cross site scripting

An issue was discovered on RLE Wi-MGR/FDS-Wi 6.2 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP...

CVSS 4.3 | AI score 6.2 | EPSS 0.00223
Exploits 1 | References 1 | Affected Software 2

Cvelist
added 2018/02/21 1:00 a.m. | 13 views

CVE-2018-7278

An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP 2.1 devices. Persistent XSS exists in the web server. Remote attackers can inject malicious JavaScript code using the device's BACnet implementation. This is similar to a Cross Protocol Injection with SNMP...

AI score 6.3 | EPSS 0.00223
Exploits 1 | References 1

NVD
added 2018/01/08 3:29 a.m. | 8 views

CVE-2018-5071

Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shell built-in commands, as demonstrated by the "set ship name" command. This is similar to a Cross...

CVSS 5.4 | AI score 5.6 | EPSS 0.0015
Exploits 1 | References 1

Prion
added 2018/01/08 3:29 a.m. | 14 views

Cross site scripting

Persistent XSS exists in the web server on Cobham Sea Tel 116 build 222429 satellite communication system devices: remote attackers can inject malicious JavaScript code using the device's TELNET shell built-in commands, as demonstrated by the "set ship name" command. This is similar to a Cross...

CVSS 3.5 | AI score 5.6 | EPSS 0.0015
Exploits 1 | References 1 | Affected Software 1

CNVD
added 2016/10/19 12:00 a.m. | 2 views

XSS Vulnerability in NetEase Email Master Client PC Version

NetEase Mail Master client is a universal email client launched by NetEase 163. An XSS vulnerability exists in the PC version Ver2.4.1.8 of the NetEase Mail Master client. It allows attackers to insert malicious js code into the page to obtain user cookies and other information, leading to user...

AI score 6.5
Exploits 0 | References 1

Check Point Advisories
added 2015/10/13 12:00 a.m. | 3 views

Microsoft Edge XSS Filter Bypass (MS15-107: CVE-2015-6058)

An XSS filter bypass vulnerability exists in Microsoft Edge. A remote attacker could exploit this issue by convincing target users to view a web page containing malicious JavaScript code with an affected version of Microsoft Edge. Successful exploitation could allow an attacker to take any action...

CVSS 4.3 | AI score 5.8 | EPSS 0.14673
Exploits 0

0day.today
added 2010/08/11 12:00 a.m. | 21 views

KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability

Exploit for php platform in category web applications. KnowledgeTree 3.5.2 Community Edition Permanent XSS Vulnerability. Exploit Title: KnowledgeTree 3.5.2 Community...

AI score 7.1
Exploits 0

Mozilla
added 2009/10/27 12:00 a.m. | 26 views

Chrome privilege escalation in XPCVariant::VariantDataToJS() — Mozilla

Mozilla security researcher mozbugra4 reported that the XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web...

CVSS 7.5 | AI score 4.2 | EPSS 0.00887
Exploits 0 | References 2 | Affected Software 1

ThreatPost
added 2009/06/04 1:47 p.m. | 9 views

Stolen FTP credentials likely in massive web attacks

From SearchSecurity Rob Westervelt Stolen FTP credentials are suspected as the root cause of a massive attack compromising over 40,000 web sites. Attackers have targeted legitimate websites in the latest wave, and so far researchers at security vendor Websense Inc. say it isn’t likely that SQL...

AI score 2.8
Exploits 0 | References 3