1115 matches found

RedHat Linux
added 2017/09/07 2:30 p.m., 3 views

nodejs-qs: Prototype override protection bypass

It was found that ljharb's qs module for Node.js did not properly parse query strings. An attacker could send a specially crafted query that overwrites the resulting object's prototype properties such as toString or hasOwnProperty, resulting in a denial of service when the overwritten function...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.02395
Exploits: 0 | References: 5

CNVD
added 2017/08/30 12:0 a.m., 2 views

MODX Revolution Cross-Site Scripting Vulnerability

MODX Revolution is a collection of easy-to-use content management systems (CMS) and application frameworks. A cross-site scripting vulnerability exists in login-fsp.html in MODX Revolution, which can be exploited by remote attackers to inject arbitrary web script or HTML via QUERYSTRING...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.01196
Exploits: 2 | References: 1

Cvelist
added 2017/08/29 4:0 p.m., 25 views

CVE-2017-12865

Stack-based buffer overflow in "dnsproxy.c" in connman 1.34 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted response query string passed to the "name" variable...

AI score: 9.6 | EPSS: 0.05519
Exploits: 0 | References: 7

Tenable Nessus
added 2017/08/04 12:0 a.m., 94 views

IBM WebSphere Application Server 7.0 < 7.0.0.45 / 8.0 < 8.0.0.14 / 8.5 < 8.5.5.13 / 9.0 < 9.0.0.5 Information Disclosure (PI82630)

The version of IBM WebSphere Application Server running on the remote host is 7.0 prior to 7.0.0.45, 8.0 prior to 8.0.0.14, 8.5 prior to 8.5.5.13, or 9.0 prior to 9.0.0.5. It is, therefore, affected by an unspecified information disclosure flaw due to sensitive information being cached insecurely...

CVSS: 3.3 | AI score: 5.6 | EPSS: 0.00377
Exploits: 0 | References: 2

Veracode
added 2017/07/30 5:37 a.m., 20 views

Cross-site Scripting (XSS)

Magmi is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary web script through the profile parameter of web/magmi.php or through the query string to web/magmiimportrun.php...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.1404
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2017/07/27 6:29 a.m., 2 views

CVE-2017-11677

Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remote attackers to inject arbitrary web script or HTML via the query string to admin.php...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00943
Exploits: 1 | References: 2

CNVD
added 2017/07/19 12:0 a.m., 4 views

REDCap Cross-Site Scripting Vulnerability

REDCap is a free, secure, web-based application. It is designed to support data mining research. A cross-site scripting vulnerability exists in versions of REDCap prior to 7.5.1. A remote attacker can exploit this vulnerability to inject arbitrary Web script or HTML with the help of a query strin...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00639
Exploits: 0 | References: 1

OSV
added 2017/07/18 2:29 p.m., 2 views

CVE-2017-10962

REDCap before 7.5.1 has XSS via the query string...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00639
Exploits: 0 | References: 2

Prion
added 2017/07/18 2:29 p.m., 18 views

Spoofing

REDCap before 7.5.1 has XSS via the query string...

CVSS: 4.3 | AI score: 6 | EPSS: 0.00639
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2017/07/18 2:0 p.m., 51 views

CVE-2017-10962

REDCap before 7.5.1 is affected by a Cross-Site Scripting (XSS) vulnerability via the query string. The issue affects REDCap versions prior to 7.5.1; exploitation details are not expanded beyond the XSS via query parameters. Remediation guidance within the connected documents points to upgrading ...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00639
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2017/07/18 2:0 p.m., 19 views

CVE-2017-10962

REDCap before 7.5.1 has XSS via the query string...

AI score: 6.1 | EPSS: 0.00639
Exploits: 0 | References: 2

CNVD
added 2017/06/08 12:0 a.m., 2 views

Samsung SM-N9005 and SM-G920F Samsung kernel for Android secfilter input validation vulnerability

Samsung kernel for Android on SM-N9005 Note 3 and SM-G920F Galaxy S6 are kernels for Android running in the SM-N9005 Note 3 and SM-G920F Galaxy S6 smartphones from Samsung, South Korea. secfilter is one of the URL resolution filtering plugins. secfilter is a URL parsing and filtering plug-in for...

CVSS: 9.6 | AI score: 6.8 | EPSS: 0.39413
Exploits: 1 | References: 1

Packet Storm
added 2017/05/20 12:0 a.m., 48 views

CaseAware Cross Site Scripting

Exploit Title: CaseAware Cross Site Scripting Vulnerability Date: 20th May 2017 Exploit Author: justpentest Vendor Homepage: https://caseaware.com/ Version: All the versions Contact: [email protected] CVE : 2017-5631 Source:...

CVSS: 4.3 | EPSS: 0.04487
Exploits: 5

Prion
added 2017/05/01 2:59 p.m., 16 views

Cross site scripting

An issue was discovered in KMCIS CaseAware. Reflected cross site scripting is present in the user parameter i.e., "usr" that is transmitted in the login.php query string...

CVSS: 4.3 | AI score: 6 | EPSS: 0.04487
Exploits: 5 | References: 2

NVD
added 2017/04/13 4:59 p.m., 15 views

CVE-2016-2567

secfilter in the Samsung kernel for Android on SM-N9005 build N9005XXUGBOB6 (Note 3) and SM-G920F build G920FXXU2COH2 (Galaxy S6) devices allows attackers to bypass URL filtering by inserting an "exceptional URL" in the query string, as demonstrated by the...

CVSS: 3.3 | AI score: 4 | EPSS: 0.00397
Exploits: 1 | References: 1

RedHat Linux
added 2017/04/03 9:2 p.m., 1 views

swagger-ui: cross-site scripting in key names

It was found that swagger-ui contains a cross-site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.04036
Exploits: 0 | References: 5

UbuntuCve
added 2017/03/27 5:59 p.m., 28 views

CVE-2015-8010

Cross-site scripting (XSS) vulnerability in the Classic-UI with the CSV export link and pagination feature in Icinga before 1.14 allows remote attackers to inject arbitrary web script or HTML via the query string to cgi-bin/status.cgi...

CVSS: 6.1 | AI score: 6.7 | EPSS: 0.01486
Exploits: 0 | References: 3

Debian CVE
added 2017/03/27 5:0 p.m., 28 views

CVE-2015-8010

Removed by vendor...

CVSS: 6.1 | AI score: 6.6 | EPSS: 0.01486
Exploits: 0

Saint
added 2017/02/16 12:0 a.m., 56 views

HP Smart Storage Administrator command injection

Added: 02/16/2017; CVE: CVE-2016-8523; BID: 95868. Background: HP Smart Storage Administrator (HP SSA) is a web-based application that helps an administrator configure, manage, diagnose, and monitor HP ProLiant Smart Array Controllers and other storage devices such as host bus adapters (HBAs) and HP...

CVSS: 9 | AI score: 9.1 | EPSS: 0.17372
Exploits: 8

Hacker One
added 2016/12/09 1:44 p.m., 15 views

Informatica: [kb.informatica.com] DOM based XSS in the bindBreadCrumb function

The bindBreadCrumb function, which is called after the document is loaded: javascript $document.readyfunction bindBreadCrumb; ; has the following insecure link assignments, that use non-encoded URL values: javascript strChild = "Search Results"; strChild = "Search Results"; strChild = "Search...

Exploits: 0