774 matches found
CVE-2018-5977
SQL Injection exists in Affiligator Affiliate Webshop Management System 2.1.0 via a search/?q=&pricetype=range&price= request...
UBUNTU-CVE-2017-7559
In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that als...
undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...
undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the...
Reflected cross-site scripting vulnerability in FineCMS Security.php file
FineCMS is an efficient and simple small and medium-sized content management system based on PHP+MySql+CI framework. A reflective cross-site scripting vulnerability exists in the FineCMS Security.php file. The vulnerability is due to insufficient checking and filtering of user-submitted request...
CVE-2017-8044
In Pivotal Single Sign-On for PCF 1.3.x versions prior to 1.3.4 and 1.4.x versions prior to 1.4.3, certain pages allow code to be injected into the DOM environment through query parameters, leading to XSS attacks...
activerecord vulnerable to SQL Injection
The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...
GHSA-FH39-V733-MXFR Active Record vulnerable to SQL Injection via nested query parameters
The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...
activerecord vulnerable to SQL Injection
The Active Record component in Ruby on Rails efore 2.3.15, 3.0.x before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via...
SQL Injection Vulnerability in Ruby on Rails
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query...
Apache Hadoop Cross-Site Scripting Vulnerability
Apache Hadoop is a software framework that supports data-intensive distributed applications and is released under the Apache 2.0 license. A cross-site scripting vulnerability exists in Apache Hadoop versions prior to 2.7.0. A remote attacker can exploit this vulnerability to perform cross-site...
Sensitive Data in URL GET Query Parameters
PMASA-2016-14 Announcement-ID: PMASA-2016-14 Date: 2016-05-25 Updated: 2016-05-30 Summary Sensitive Data in URL GET Query Parameters Description Because user SQL queries are part of the URL, sensitive information made as part of a user query can be exposed by clicking on external links to attacke...
search.ub.ua XSS vulnerability
Vulnerable URL: http://search.ub.ua/ru/?terms=1=ru=4=31536000='"...
CVE-2014-1869
Multiple cross-site scripting XSS vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters aka loaderInfo.parameters...
Cross site scripting
Multiple cross-site scripting XSS vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters aka loaderInfo.parameters...
CVE-2014-1869
Multiple cross-site scripting XSS vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters aka loaderInfo.parameters...
CVE-2014-1869
Multiple cross-site scripting XSS vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF query parameters aka loaderInfo.parameters...
Double free
queryparams.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service infinite recursion and crash via an HTTP query that contains %% double percent characters...
CVE-2013-2138
The 1 uploadify and 2 flowplayer SWF files in Gallery 3 before 3.0.8 do not properly remove query parameters and fragments, which allows remote attackers to have an unspecified impact via a replay attack...
CVE-2013-2138
The 1 uploadify and 2 flowplayer SWF files in Gallery 3 before 3.0.8 do not properly remove query parameters and fragments, which allows remote attackers to have an unspecified impact via a replay attack...