xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)
It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of...
CVE-2013-7285
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON...
InvoicePlane Arbitrary File Upload Vulnerability
InvoicePlane is an open source financial system. The system has features to manage quotes, invoices and payments. An arbitrary file upload vulnerability exists in InvoicePlane version 1.4.10. An attacker could exploit this vulnerability to upload a malicious file to the web server or possibly...
InvoicePlane Cross-Site Scripting Vulnerability
InvoicePlane is an open source financial system. The system has features to manage quotes, invoices and payments. A cross-site scripting vulnerability exists in InvoicePlane version 1.4.10. A remote attacker could exploit this vulnerability to inject malicious client-side script...
CVE-2017-1000239
InvoicePlane version 1.4.10 is vulnerable to Stored Cross-Site Scripting, which allows an authenticated user to inject malicious client-side script that will be executed in the browser of users if they visit the manipulated site...
WordPress Simple Fields Plugin <= 1.4.10 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Solution: Update the plugin...
gnupg security update
Package : gnupg Version : 1.4.10-4+squeeze5 CVE ID : CVE-2014-4617 Debian Bug : 752497 Jean-Rene Reinhard, Olivier Levillain and Florian Maury reported that GnuPG, the GNU Privacy Guard, did not properly parse certain garbled compressed data packets. A remote attacker could use this flaw to mount...
SquirrelMail vulnerable to cross-site scripting
Overview: SquirrelMail contains a cross-site scripting vulnerability. SquirrelMail from SquirrelMail Project is an open source web-based email (webmail) client. SquirrelMail contains an issue in handling specific character encoding and processing "data:" URLs, which may result in cross-site scripting. Yosuk...
JVN#09157962: SquirrelMail vulnerable to cross-site scripting
SquirrelMail from SquirrelMail Project is an open source web-based email (webmail) client. SquirrelMail contains an issue in handling specific character encoding and processing "data:" URLs, which may result in cross-site scripting. Impact: An arbitrary script may be executed on the user's web browser...
Gentoo Security Advisory GLSA 200903-34 (amarok)
The remote host is missing updates announced in advisory GLSA 200903-34. OpenVAS Vulnerability Test. Description: Auto generated from Gentoo's XML based advisory. Authors: Thomas Reinke. Copyright: Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com. Text descriptions are largely excerpted fr...