
120 matches found

Akamai Blog
added 2018/06/27 12:1 p.m., 18 views

What You Need To Know - Summer 2018 State of the Internet / Security: Web Attack Report

It's that time of year - the Summer 2018 State of the Internet / Security: Web Attack report is now live. This new naming schema is just one of the many changes you'll notice if you're a returning reader of quarterly report, and there are more changes coming as we work to bring you insights and...

7.2 AI score
Exploits: 0

Openbugbounty
added 2018/03/30 11:9 p.m., 9 views

coinpage.com XSS vulnerability

Open Bug Bounty ID: OBB-594256 Description| Value ---|--- Affected Website:| coinpage.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1...

Exploits: 0

Prion
added 2018/03/01 11:29 p.m., 24 views

Cross site scripting

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...

4.3 CVSS, 6 AI score, 0.01267 EPSS
Exploits: 0, References: 3, Affected Software: 2

Prion
added 2018/03/01 11:29 p.m., 16 views

Heap overflow

In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. Th...

4 CVSS, 6.6 AI score, 0.0109 EPSS
Exploits: 0, References: 1, Affected Software: 1

Openbugbounty
added 2017/10/15 6:24 p.m., 9 views

lcl-discuss.media.mit.edu XSS vulnerability

Vulnerable URL: http://lcl-discuss.media.mit.edu/email/[email protected]%27%22%3E%3Csvg/onload=alert/openbugbounty/%3E Details: Description| Value ---|--- Patched:| Yes, at Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| Unknown / Not...

6.3 AI score
Exploits: 0

Cvelist
added 2017/09/17 9:0 p.m., 15 views

CVE-2017-14510

An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2.2, and 7.9.x before 7.9.2.0 and Sugar Community Edition 6.5.26. The WebToLeadCapture functionality is found vulnerable to unauthenticated cross-site scripting XSS attacks. This attack vector is mitigated by proper validating t...

6.9 AI score, 0.01421 EPSS
Exploits: 1, References: 3

Drupal
added 2017/08/30 12:0 a.m., 13 views

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal. The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripti...

5.6 AI score
Exploits: 0, References: 13

Drupal
added 2017/08/09 12:0 a.m., 16 views

Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066

This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom css rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...

7 AI score
Exploits: 0, References: 13

Drupal
added 2016/08/10 12:0 a.m., 12 views

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...

7 AI score
Exploits: 0, References: 13

Mozilla
added 2016/08/02 12:0 a.m., 36 views

Use-after-free when using alt key and toplevel menus — Mozilla

Security researcher Abhishek Arya Inferno of the Google Chrome Security Team reported a use-after-free vulnerability when the alt key is used in conjunction with toplevel menu items in Firefox. This results in a potentially exploitable crash when triggered. This vulnerability is mitigated by not...

9.8 CVSS, 1.7 AI score, 0.02977 EPSS
Exploits: 0, References: 2, Affected Software: 2

Hacker One
added 2016/07/22 9:3 p.m., 23 views

Nextcloud: [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter

@ahsantahir reported a low severity content spoofing vulnerability in an administrative component. We've mitigated the issue as a hardening in our upcoming Nextcloud 11 release and would like to thank @ahsantahir for reporting this issue to us. On request of the reporter this issue is only...

0.9 AI score
Exploits: 0

ICS
added 2016/06/21 12:0 a.m., 52 views

Advantech WebAccess ActiveX Vulnerabilities (Update A)

OVERVIEW This updated advisory is a follow-up to the original advisory titled ICSA-16-173-01 Advantech WebAccess ActiveX Vulnerabilities that was published June 21, 2016, on the NCCIC/ICS-CERT web site. --------- Begin Update A Part 1 of 2 -------- Zhou Yu of Acorn Network Security and ZDI Zero...

6.6 CVSS, 0.9 AI score, 0.15356 EPSS
Exploits: 2, References: 20

Mozilla
added 2015/09/22 12:0 a.m., 32 views

URL spoofing in reader mode — Mozilla

Security researcher Juho Nurminen reported a mechanism to spoof the URL displayed in the addressbar in reader mode by manipulating the loaded URL. This flaw allows for the URL displayed to be different than that the web content rendered. This allows for potential spoofing but the effects are...

2.6 CVSS, 6.1 AI score, 0.02246 EPSS
Exploits: 0, References: 2, Affected Software: 2

securityvulns
added 2015/06/14 12:0 a.m., 251 views

[KIS-2015-01] Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability

Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability. Software Link: https://www.concrete5.org/; Affected Versions: Version 5.7.3.1 and probably...

0.2 AI score
Exploits: 0

Packet Storm
added 2014/11/12 12:0 a.m., 42 views

F5 BIG-IP 10.1.0 Directory Traversal

F5 BIG-IP 10.1.0 - Directory Traversal Vulnerability. Affected Product: F5 BIG-IP; Vendor Homepage: http://www.f5.com/; Version: 10.1.0; Vulnerability Category: Local vulnerabilit...

6.2 CVSS, 0.1 AI score, 0.01009 EPSS
Exploits: 7

ICS
added 2014/08/07 6:0 a.m., 89 views

ABB RobotStudio and Test Signal Viewer DLL Hijack Vulnerability

OVERVIEW Ivan Sanchez of WiseSecurity Team has identified a dll hijack vulnerability in the ABB RobotStudio and Test Signal Viewer applications. ABB has produced new versions that mitigate this vulnerability. Mr. Sanchez has tested the new version to validate that it resolves the vulnerability...

6.9 CVSS, 6.7 AI score, 0.00372 EPSS
Exploits: 0, References: 10

0day.today
added 2014/05/09 12:0 a.m., 63 views

OrbiTeam BSCW 5.0.7 Metadata Information Disclosure Vulnerability

RedTeam Pentesting discovered an information disclosure vulnerability in OrbiTeam's BSCW collaboration software. An unauthenticated attacker can disclose metadata about internal objects which are stored in BSCW. Versions 5.0.7 and below are affected. RedTeam Pentesting discovered an information...

5 CVSS, 6 AI score, 0.01489 EPSS
Exploits: 3

0day.today
added 2014/04/30 12:0 a.m., 37 views

Lavarel-Security XSS Filter Bypass Vulnerability

Lavarel-Security cross site scripting filter suffers from a bypass vulnerability. Product: Lavarel-Security XSS Filter Bypass Vulnerability: Mutation Based XSS Bypass Impact: Medium/High Authors: Rafay Baloch Company: RHAinfoSEC Website: http://rhainfosec.com Status: Fixed ========= Description...

6.8 AI score
Exploits: 0

seebug.org
added 2013/10/09 12:0 a.m., 21 views

Drupal Quick Tabs 6.x / 7.x Access Bypass

No description provided by source. Drupal Quick Tabs third party module versions 6.x and 7.x suffer from an access bypass vulnerability. View online: https://drupal.org/node/2103187 Advisory ID: DRUPAL-SA-CONTRIB-2013-078 Project: Quick Tabs 1 third-party module Version: 6.x, 7.x Date:...

7.1 AI score
Exploits: 0

UbuntuCve
added 2009/10/06 8:30 p.m., 31 views

CVE-2009-3569

Stack-based buffer overflow in OpenOffice.org OOo allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.8, aka "Client-side stack overflow exploit." NOTE: as of 20091005, this disclosure has no actionable...

9.3 CVSS, 6.3 AI score, 0.0976 EPSS
Exploits: 0, References: 1