GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting

Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE Exploit Author: Bobby Cooke boku Date: 22/04/2021 Vendor Homepage: http://get-simple.info & Software Link: http://get-simple.info/download/ Version: Exploit = v1.1.1 | Stored XSS = v1.1.2 Tested against Server...

GHSA-5C66-V29H-XJH8 XSS Cross Site Scripting

Impact It is possible to persistently inject scripts in XWiki. For unregistred users: - By filling simple text fields For registered users: - By filling their personal information - if they have edit rights By filling the values of static lists using App Within Minutes That can lead to user's...

CISA Incident Response to SUPERNOVA Malware

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident...

WordPress GiveWP plugin <= 2.10.1 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability

Authenticated Persistent Cross-Site Scripting XSS vulnerability discovered by m0ze Patchstack Red Team in WordPress GiveWP plugin versions = 2.10.1. Solution Update the WordPress GiveWP plugin to the latest available version at least 2.10.2...

CVE-2021-29459

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information...

CVE-2021-29459

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information...

Design/Logic Flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information...

Xwiki Platform 跨站脚本漏洞

Xwiki Platform is a wiki platform for creating web collaboration applications from the French company Xwiki. XWiki Platform has a cross-site scripting vulnerability that can be exploited by attackers to persistently inject scripts...

Tibco Software TIBCO Administrator and Tibco Software TIBCO Runtime Agent 跨站脚本漏洞

Tibco Software TIBCO Administrator and Tibco Software TIBCO Runtime Agent are both products of Tibco Software, Inc.Tibco Software TIBCO Administrator is an application. Tibco Software TIBCO Administrator is an application used to manage users, monitor computers, and deploy applications that use...

SUSE: Security Advisory (SUSE-SU-2020:1842-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Bad Bot Report 2021: The Pandemic of the Internet

The 8th Annual Bad Bot Report is now available from Imperva. Created using data from Imperva’s Threat Research Lab, it provides a comprehensive look at the bad bot landscape and the impact that this malicious traffic has across multiple industries. Bad bot traffic amounted to 25.6 percent of all...

Detecting the "Next" SolarWinds-Style Cyber Attack

The SolarWinds attack, which succeeded by utilizing the sunburst malware, shocked the cyber-security industry. This attack achieved persistence and was able to evade internal systems long enough to gain access to the source code of the victim. Because of the far-reaching SolarWinds deployments, t...

Content Copy Protection & Prevent Image Save <= 1.3 - CSRF to Stored Cross-Site Scripting (XSS)

The plugin does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. -- PoC 1 | Authenticated Persistent XSS & XFS | Image saving disabled message text: ! POST...

WP Super Cache < 1.7.3 - Authenticated Stored Cross-Site Scripting (XSS)

The plugin did not properly sanitise its wpcachelocation parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. -- Payloads: $ ";' onmouseover=alertdocument.cookie; style=position:fixed;width:100%;height:100%;margin:0;padding:0;left:0;top:0; $ ";'...

WordPress Content Copy Protection & Prevent Image Save plugin <= 1.3 - Authenticated Persistent XSS & XFS vulnerabilities

Authenticated Persistent XSS & XFS vulnerabilities discovered by m0ze in WordPress Content Copy Protection & Prevent Image Save plugin versions = 1.3. Solution This plugin has been closed as of April 5, 2021 and is not available for download. This closure is temporary, pending a full review...

WordPress WP Login Security and History plugin <= 1.0 - Authenticated Persistent XSS & XFS vulnerabilities

Authenticated Persistent XSS & XFS vulnerabilities discovered by m0ze in WordPress WP Login Security and History plugin versions = 1.0. Solution This plugin has been closed as of April 5, 2021 and is not available for download. This closure is temporary, pending a full review...

CVE-2021-20080

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting XSS attacks by uploading a crafted XML asset file...

Cross site scripting

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting XSS attacks by uploading a crafted XML asset file...

CVE-2021-20080

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting XSS attacks by uploading a crafted XML asset file...

Design/Logic Flaw

The fix for XSA-365 includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in...