Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read...
CVE-2016-3734
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read...
Shopify: Stored passive XSS at scheduled posts (kitcrm.com)
Hello! There is improper filtering of the website link field of a scheduled post. An attacker can intercept the scheduled post creation/modification request and change its content in the following way: http POST /pages/175422/manualposts/31163 HTTP/1.1 Host: kitcrm.com...
WordPress 4.7 / 4.7.1 REST API Content Injection Exploit
Usage Info: msf > use auxiliary/scanner/http/wordpress_content_injection; msf auxiliary(wordpress_content_injection) > show actions ...actions... msf auxiliary(wordpress_content_injection) > set ACTION; msf auxiliary(wordpress_content_injection) > show options ...show and set options... msf...
WordPress 'class-wp-rest-posts-controller.php' elevation of privilege vulnerability
WordPress is a blogging platform developed using the PHP language by the WordPress Software Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An elevation of privilege vulnerability exists in WordPress 'class-wp-rest-posts-controller.php'. An attacker...
WordPress class-wp-posts-list-table.php cross-site scripting vulnerability
WordPress is a blogging platform developed using the PHP language that allows users to set up their own websites on servers that support PHP and MySQL databases. A cross-site scripting vulnerability exists in WordPress wp-admin/includes/class-wp-posts-list-table.php, which allows remote attackers...
CVE-2017-5612
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt...
UBUNTU-CVE-2017-5612
Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt...
WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
...
GeniXCMS Posts.class.php Page id Parameter SQL Injection Vulnerability
MetalGenix GeniXCMS is a PHP-based content management system and framework (CMSF) from MetalGenix Indonesia, which provides modules for user management, content management and menu management. An SQL injection vulnerability exists in the id parameter of the GeniXCMS Posts.class.php page. A remote...
uninitialized random
libcurl's new internal function that returns a good 32-bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary...
cURL -- uninitialized random vulnerability
Project curl Security Advisory: libcurl's new internal function that returns a good 32-bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to. This random value is used to generate nonces for Digest and NTLM...
TLS nonce-nse
Starting a series of blog posts on TLS 1.3, I published my notes on the landscape of cipher nonces in TLS across versions, to help me clean up the implementation. Comes with hand-drawn diagrams! TLS nonce-nse | CloudFlare Blog archive...
miniblog Cross-Site Request Forgery Vulnerability
miniblog is a lightweight blog and news system for websites written in PHP and MySQL. A cross-site request forgery vulnerability exists in the admin.php page of miniblog version 1.0.1, which can be exploited by attackers to add, delete, and edit posts...
Shopify: Deleted Post and Administrative Function Access in eCommerce Forum
Hi, I initially queried the following report as a comment in 165048, in which @juanbroullon confirmed the issue appeared valid and requested I open a new Shopify report. A selection of privileged information is provided upon appending /edit to a user profile URL on the eCommerce forum as an...
SecNews: Querying private posts and changing post meta
Summary: An unauthenticated user can run arbitrary post queries and insert arbitrary numeric post meta via the vulnerable /wp-content/themes/SecNews-NewCustom/functions/ajax.php file. I'm including two exploits in one report because the fix for both is the same, i.e. delete ajax.php. Run arbitrary po...
[SECURITY] Fedora 23 Update: drupal7-views-3.14-1.fc23
You need Views if: You like the default front page view, but you find you want to sort it differently. You like the default taxonomy/term view, but you find you want to sort it differently; for example, alphabetically. You use /tracker, but you want to restrict it to posts of a certain type. You...