5327 matches found
CVE-2018-5681
PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages Edit page" screen...
CVE-2018-5681
PrestaShop 1.7.2.4 is affected by a cross-site scripting (XSS) vulnerability that can be triggered via the Source Code editing option on the Pages > Edit page screen. The issue is documented in CVE-2018-5681 with notes that the vulnerability exists in the 1.7.2.4 release and is disclosed by mu...
DedeCMS V5.7 SP2 Has Arbitrary File Read Vulnerability
DedeCMS ("Weaving Dream" content management system) is an open-source PHP website management system. In DedeCMS V5.7 SP2, the filemanageview.php file has an arbitrary file read vulnerability; attackers can use it to obtain the site's source code...
WordPress ACF Frontend Display File Upload
File upload vulnerability in the WordPress ACF Frontend Display plugin. Vulnerability Type: File Upload. For the exploit source code contact the DSquare Security sales team...
WordPress Service Finder Booking File Disclosure
File disclosure vulnerability in the Service Finder Booking plugin. Vulnerability Type: File Disclosure. For the exploit source code contact the DSquare Security sales team...
Cloudflare: // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier
The following is valid JavaScript: var a = `//`; So is this: var url = `https://hackerone.com`; However, Cloudflare's auto-minifier removes the parts of both lines including and after the //, meaning in production they look like this: var a = ` and var url = `https: This can either straight up break or...
Snapchat: Bitmoji source code is accessible
Hi team, I'm starting my research on Snapchat by scanning all sub-domains on all the domains in scope: snapchat.com, bitmoji.com, etc. Let's look at one of the URLs, https://rendering-service.prod.us-east.bitstrips.com/ When I request GET https://rendering-service.prod.us-east.bitstrips.com/ The...
[SECURITY] Fedora 27 Update: global-6.5.7-4.fc27
GNU GLOBAL is a source code tag system that works the same way across diverse environments. It supports C, C++, Yacc, Java, PHP and assembler source code...
Path traversal
Prior to 10.6.4, Symantec Messaging Gateway may be susceptible to a path traversal attack also known as directory traversal. These types of attacks aim to access files and directories that are stored outside the web root folder. By manipulating variables, it may be possible to access arbitrary...
Uber: Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Summary: Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact: Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
Uber: It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without
Summary: Configuration file and/or source code information leakage without Uber OneLogin SSO authentication. Security Impact: Misconfiguration on the server results in information leakage without authentication. Reproduction Steps...
OWASP ZAP 2.7.0 - Penetration Testing Tool for Testing Web Applications
The OWASP Zed Attack Proxy ZAP is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It...
Node.js third-party modules: [featurebook] Specification Server Directory Traversal via Crafted Browser Request
Hi, a crafted request can be leveraged to traverse the directory structure of a host using the featurebook server package, and request arbitrary files outside of the specified web root. Module specification. Name: featurebook. Version: 0.0.32 (latest release build). Verified conditions. Test server:...
Code injection
Vivo modems allow remote attackers to obtain sensitive information by reading the index.cgi?page=wifi HTML source code, as demonstrated by ssid and pskwepkey fields...
CVE-2017-17463
Vivo modems allow remote attackers to obtain sensitive information by reading the index.cgi?page=wifi HTML source code, as demonstrated by ssid and pskwepkey fields...
CVE-2017-17463
CVE-2017-17463 affects Vivo modems. The vulnerability allows remote attackers to disclose sensitive information by reading the index.cgi?page=wifi HTML source code, with examples including ssid and psk_wepkey fields. Exploitation status, affected models/versions, root cause specifics, and remedia...
Syhunt ScanTools 6.0 - Console Web Vulnerability Scan Tools
Syhunt ScanTools 6.0 adds advanced fingerprinting capabilities, enhanced spidering, injection and code scan capabilities, and a large number of improved checks. Adds the display of Hybrid, Dynamic and Code detailed scan statistics to the command-line tools. New fingerprinting capabilities - Becau...
FreeBSD-SA-17:11.openssl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-17:11.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2017-11-29 Affects: All...
Cohu 3960HD Multiple Vulnerabilities
Cohu 3960HD Series IP cameras are prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...