
Github Security Blog
added 2024/05/20 5:07 p.m. (13 views)

Passbolt API Stored XSS on first/last name during setup

Description An administrator can craft a user with a malicious first name and last name, using a payload such as '; ? The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS. Impact of issue An administrator could us...

AI score: 6.9
Exploits: 0, References: 5, Affected Software: 1

Hacker One
added 2017/04/26 9:57 a.m. (24 views)

Weblate: HttpOnly Flag not set

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this application then the cookie will be accessible and can be transmitted to another site. HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Apr 2017 08:27:17...

AI score: 0.4
Exploits: 0

Tenable Nessus
added 2017/03/31 12:00 a.m. (7 views)

Backup Directory

A common practice when administering web applications is to create a copy/backup of a particular directory prior to making any modification. Another common practice is to add an extension or change the name of the original directory to signify that it is a backup; examples include .bak, .orig,...

AI score: 7.2
Exploits: 0, References: 2

CNVD
added 2016/09/13 12:00 a.m. (2 views)

Red Hat JBoss Enterprise Application Platform HTTP Header Injection Vulnerability

Red Hat JBoss Enterprise Application Platform (EAP) is a set of open-source, J2EE-based middleware from the US company Red Hat. The platform is mainly used to build, deploy and host Java applications and services. An HTTP header injection vulnerability exists in Red Hat JBoss...

CVSS: 6.1, AI score: 7.4, EPSS: 0.01476
Exploits: 0, References: 1