
6717 matches found

OSV
added 2019/04/02 6:29 p.m. | 2 views

CVE-2018-19275

The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system...

CVSS 9.8 | AI score 6
Exploits: 0 | References: 2

OpenVAS
added 2019/03/26 12:0 a.m. | 55 views

Apple iTunes Security Updates (HT209604)

Apple iTunes is prone to multiple vulnerabilities.

CVSS 9.6 | AI score 8 | EPSS 0.18172
Exploits: 3 | References: 3

ATTACKERKB
added 2019/03/25 12:0 a.m. | 35 views

LibreOffice Macro Code Execution

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script i...

CVSS 9.8 | AI score 1.6 | EPSS 0.67547
Exploits: 10 | References: 9

CNVD
added 2019/03/20 12:0 a.m. | 3 views

Columbia Weather Systems Weather MicroServer Cross-Site Scripting Vulnerability

Columbia Weather Systems Weather MicroServer is a weather monitoring device from Columbia Weather Systems, USA. A cross-site scripting vulnerability exists in Columbia Weather Systems Weather MicroServer MS2.6.9900 and prior versions, which arises from the program failing to properly validate...

CVSS 5.4 | AI score 6.5 | EPSS 0.00926
Exploits: 0 | References: 1

Github Security Blog
added 2019/03/14 3:40 p.m. | 37 views

Exposure of Sensitive Information to an Unauthorized Actor in Apache Spark via crafted URL

In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tricked into accessing the URL, can be used to cause script to execute and expose information from the...

CVSS 5.4 | AI score 2 | EPSS 0.05545
Exploits: 0 | References: 4 | Affected Software: 2

Hacker One
added 2019/03/09 1:0 p.m. | 18 views

Automattic: DOM based XSS in the WooCommerce plugin

I have found a stored DOM based XSS in the order page at WooCommerce 3.5.6. The Data input from HTML element name shippingstate and billingstate in order page outputs data without escaping. When the victim reads the page containing the payload, it executes the script. Steps to reproduce 1. From a...

AI score 0.2
Exploits: 0

OSV
added 2019/03/07 6:29 p.m. | 2 views

CVE-2019-3776

Pivotal Operations Manager, 2.1.x versions prior to 2.1.20, 2.2.x versions prior to 2.2.16, 2.3.x versions prior to 2.3.10, 2.4.x versions prior to 2.4.3, contains a reflected cross site scripting vulnerability. A remote user that is able to convince an Operations Manager user to interact with...

CVSS 5.4 | AI score 5.6 | EPSS 0.00862
Exploits: 0 | References: 2

CNVD
added 2019/03/06 12:0 a.m. | 2 views

Dradis Cross-Site Scripting Vulnerability

Dradis is a suite of reporting and collaboration tools for information security teams. A cross-site scripting vulnerability exists in Dradis Community Edition version 3.11 and earlier. A remote attacker can exploit this vulnerability to execute arbitrary script in a user's browser...

CVSS 5.4 | AI score 6.5 | EPSS 0.00835
Exploits: 0 | References: 1

Japan Vulnerability Notes
added 2019/03/05 5:18 a.m. | 2 views

Dradis Community Edition and Dradis Professional Edition vulnerable to cross-site scripting

Overview: Dradis Community Edition and Dradis Professional Edition provided by Security Roots Ltd contain a cross-site scripting vulnerability (CWE-79). Ohji Kashiwazaki of Ierae Security, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security...

CVSS 5.4 | AI score 6 | EPSS 0.00835
Exploits: 0 | References: 5

Kitploit
added 2019/02/27 8:50 p.m. | 1267 views

HT-WPS Breaker - High Touch WPS Breaker

High Touch WPS Breaker (HT-WB) is a small tool written in bash that can help you extract the WPS PIN of many vulnerable routers and get the password. Note that HT-WPS Breaker uses these tools in its process: "Piexiewps" "Reaver" "Bully" "Aircrack...

AI score 7.4
Exploits: 0 | References: 1

OSV
added 2019/02/22 1:8 a.m. | 9 views

MGASA-2019-0102 Updated libreoffice packages fix security vulnerability

Alex Infuehr discovered a directory traversal vulnerability which could result in the execution of Python script code when opening a malformed document (CVE-2018-16858). The libreoffice package has been updated to version 6.1.5.2, fixing this issue, and including several other bug fixes and...

CVSS 9.8 | AI score 9.1 | EPSS 0.67547
Exploits: 10 | References: 4

CNVD
added 2019/02/22 12:0 a.m. | 3 views

CloudBees Jenkins Script Security Plugin Sandbox Bypass Vulnerability

CloudBees Jenkins (Hudson Labs) is a set of Java-based continuous integration tools from CloudBees, USA. The product is mainly used to monitor continuous software release/testing projects and the execution of some scheduled tasks. A sandbox bypass vulnerabilit...

CVSS 8.8 | AI score 7.9 | EPSS 0.02965
Exploits: 0 | References: 1

CNVD
added 2019/02/22 12:0 a.m. | 3 views

Multiple Cross-Site Scripting Vulnerabilities in Ericsson Active Library Explorer

Ericsson Active Library Explorer is server-based software that allows users to browse Ericsson document libraries and documents using a standard Web browser. Ericsson Active Library Explorer has multiple cross-site scripting vulnerabilities. Due to the program failing to adequately filter...

CVSS 6.1 | AI score 7 | EPSS 0.01503
Exploits: 2 | References: 1

CNVD
added 2019/02/21 12:0 a.m. | 2 views

Cisco HyperFlex Cross-Site Scripting Vulnerability

Cisco HyperFlex Software is a scalable distributed file system from Cisco, USA. The system provides unified computing, storage and networking through cloud management, and provides enterprise-class data management and optimization services. A cross-site scripting...

CVSS 6.1 | AI score 6.6 | EPSS 0.01094
Exploits: 0 | References: 1

RedHat Linux
added 2019/02/20 2:11 p.m. | 3 views

prometheus: Stored DOM cross-site scripting (XSS) attack via crafted URL

A stored, DOM based, cross-site scripting (XSS) flaw was found in Prometheus. An attacker could exploit this by convincing an authenticated user to visit a crafted URL on a Prometheus server, allowing for the execution and persistent storage of arbitrary scripts...

CVSS 6.1 | AI score 6.7 | EPSS 0.02736
Exploits: 0 | References: 4

CNVD
added 2019/02/15 12:0 a.m. | 3 views

Microsoft Team Foundation Server Cross-Site Scripting Vulnerability (CNVD-2019-24386)

Microsoft Team Foundation Server is a source code management, project management, and team collaboration platform within an application lifecycle management (ALM) tool suite. A cross-site scripting vulnerability in Microsoft Team Foundation Server 2018 Update version 3.2, which stems from the progr...

CVSS 5.4 | AI score 6.5 | EPSS 0.01773
Exploits: 0 | References: 1

CNVD
added 2019/02/15 12:0 a.m. | 3 views

SAP Web Intelligence BI LaunchPad Cross-Site Scripting Vulnerability

SAP Web Intelligence BI LaunchPad is a Java- or HTML-based user interface for use in BusinessObjects tools from SAP, Germany. The product is mainly used to perform analytical reporting and data analysis. A cross-site scripting vulnerability in SAP Web Intelligence BI LaunchPad versions 4.10 and...

CVSS 5.4 | AI score 6.8 | EPSS 0.00886
Exploits: 0 | References: 1

OSV
added 2019/02/12 4:29 a.m. | 2 views

CVE-2019-3923

Nessus versions 8.2.1 and earlier were found to contain a stored XSS vulnerability due to improper validation of user-supplied input. An authenticated, remote attacker could potentially exploit this vulnerability via a specially crafted request to execute arbitrary script code in a user's browser...

CVSS 5.4 | AI score 6.3 | EPSS 0.00879
Exploits: 0 | References: 1

CNVD
added 2019/02/12 12:0 a.m. | 5 views

Cisco Firepower Management Center Cross-Site Scripting Vulnerability (CNVD-2019-04919)

Cisco Firepower Management Center is a Cisco device management application. A cross-site scripting vulnerability exists in the web-based management interface in Cisco FMC, which arises from a program that fails to adequately validate user-submitted input, and can be exploited by a remote attacker...

CVSS 6.1 | AI score 6.5 | EPSS 0.01211
Exploits: 0 | References: 1

CNVD
added 2019/02/12 12:0 a.m. | 2 views

Cisco Identity Services Engine Cross-Site Scripting Vulnerability (CNVD-2019-16512)

Cisco Identity Services Engine (ISE) is an identity-based environment awareness platform from Cisco. The platform collects real-time information from the network, users and devices, and develops and enforces policies to regulate the network. A cross-site scripting...

CVSS 5.4 | AI score 6.5 | EPSS 0.00827
Exploits: 0 | References: 1