58 matches found

Packet Storm
added 2015/04/18 12:0 a.m. | 19 views

Nodes Studio CMS XSS / Path Disclosure / SQL Injection

Hello list! There are SQL Injection, Cross-Site Scripting and Full Path Disclosure vulnerabilities in Nodes Studio CMS. This is Russian commercial CMS, which I found at one site of Russian terrorists and propagandists. ------------------------- Affected vendors: ------------------------- Nodes...

AI score: 0.9
Exploits: 0

securityvulns
added 2014/12/29 12:0 a.m. | 731 views

BF and XSS vulnerabilities in D-Link DCS-2103

Hello 3APA3A! There are Brute Force and Cross-Site Scripting vulnerabilities in D-Link DCS-2103 IP camera. If previous Path Traversal and Full path disclosure vulnerabilities were post-auth, then these BF and XSS vulnerabilities are pre-auth. ------------------------- Affected products:...

AI score: 0.3
Exploits: 0

Packet Storm
added 2013/10/14 12:0 a.m. | 23 views

mp3-player 2.5 Cross Site Scripting / Content Spoofing

Hello list! These are Cross-Site Scripting and Content Spoofing vulnerabilities in mp3-player. ------------------------- Affected products: ------------------------- Vulnerable are mp3-player 2.5 and previous versions. ------------------------- Affected vendors: ------------------------- U-Studio...

AI score: 7.4
Exploits: 0

securityvulns
added 2013/10/13 12:0 a.m. | 49 views

Multiple vulnerabilities in flv-player

Hello 3APA3A! These are Cross-Site Scripting and Content Spoofing vulnerabilities in flv-player. ------------------------- Affected products: ------------------------- Vulnerable are flv-player 3.5 and previous versions. ------------------------- Affected vendors: ------------------------- U-Stud...

AI score: 0.7
Exploits: 0

securityvulns
added 2013/10/13 12:0 a.m. | 43 views

Multiple vulnerabilities in mp3-player

Hello 3APA3A! These are Cross-Site Scripting and Content Spoofing vulnerabilities in mp3-player. ------------------------- Affected products: ------------------------- Vulnerable are mp3-player 2.5 and previous versions. ------------------------- Affected vendors: ------------------------- U-Stud...

AI score: 0.8
Exploits: 0

securityvulns
added 2013/09/09 12:0 a.m. | 34 views

XSS and CS vulnerabilities in aCMS

Hello 3APA3A! After previous Cross-Site Scripting, Content Spoofing, Information Leakage, Insufficient Authorization and Arbitrary File Uploading vulnerabilities in aCMS, here are new ones. These are Cross-Site Scripting and Content Spoofing vulnerabilities in aCMS. This is commercial CMS...

AI score: 0.6
Exploits: 0

securityvulns
added 2013/09/09 12:0 a.m. | 47 views

Vulnerabilities in multiple web applications with GDD FLVPlayer

Hello 3APA3A! These are Content Spoofing and Cross-Site Scripting vulnerabilities in multiple web applications with GDD FLVPlayer. Earlier I've wrote about vulnerabilities in GDD FLVPlayer http://seclists.org/fulldisclosure/2013/Aug/247. This is video and audio player, which is used at thousands...

AI score: 1.4
Exploits: 0

securityvulns
added 2013/09/09 12:0 a.m. | 44 views

CS, XSS and FPD vulnerabilities in MCImageManager for TinyMCE

Hello 3APA3A! I want to warn you about vulnerabilities in Moxiecode Image Manager MCImageManager. This is commercial plugin for TinyMCE. It concerns as MCImageManager, as all web applications which have MCImageManager in their bundle. These are Content Spoofing, Cross-Site Scripting and Full Path...

AI score: 0.1
Exploits: 0

Packet Storm
added 2013/08/23 12:0 a.m. | 31 views

GDD FLVPlayer 3.635 Cross Site Scripting / Content Spoofing

Hello list! These are Content Spoofing and Cross-Site Scripting vulnerabilities in GDD FLVPlayer. ------------------------- Affected products: ------------------------- Vulnerable are GDD FLVPlayer v3.635 and previous versions. ------------------------- Affected vendors: -------------------------...

AI score: 0.1
Exploits: 0

Packet Storm
added 2013/07/26 12:0 a.m. | 25 views

Joomla Googlemaps 3.2 Cross Site Scripting / Denial Of Service

Hello list! Earlier I wrote about multiple vulnerabilities in Googlemaps plugin for Joomla http://securityvulns.ru/docs29645.html. After my informing, the developer fixed these vulnerabilities in versions 2.19 and 3.1 of the plugin - by removing proxy functionality. And in version 3.2 of the plug...

AI score: 0.3
Exploits: 0

Packet Storm
added 2013/07/19 12:0 a.m. | 30 views

TinyMCE Image Manager 1.1 XSS / File Upload

Hello list! These are Arbitrary File Uploading and Cross-Site Scripting vulnerabilities in TinyMCE Image Manager plugin for TinyMCE. ------------------------- Affected products: ------------------------- Vulnerable are TinyMCE Image Manager 1.1 and previous versions. -------------------------...

AI score: 7.4
Exploits: 0

Packet Storm
added 2013/07/17 12:0 a.m. | 35 views

Joomla Googlemaps XSS / XML Injection / Path Disclosure / DoS

Hello list! These are Denial of Service, XML Injection, Cross-Site Scripting and Full path disclosure vulnerabilities in Googlemaps plugin for Joomla. ------------------------- Affected products: ------------------------- Vulnerable are Googlemaps plugin for Joomla versions 2.x and 3.x and...

AI score: 7.4
Exploits: 0

securityvulns
added 2013/07/15 12:0 a.m. | 73 views

CS, XSS and FPD vulnerabilities in WordPress

Hello 3APA3A! These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress. At WordPress 3.5.2 release the same at 3.5.1 release, WP developers mentioned about multiple fixed holes, but not about all - to make it looks like there were less fixed holes. So...

AI score: 0.2
Exploits: 0

securityvulns
added 2013/05/06 12:0 a.m. | 89 views

XSS and FPD vulnerabilities in ZeroClipboard in multiple themes for WordPress

Hello 3APA3A! These are Cross-Site Scripting and Full path disclosure vulnerabilities in multiple themes for WordPress with ZeroClipboard.swf. Earlier I've wrote about Cross-Site Scripting vulnerabilities in ZeroClipboard http://seclists.org/fulldisclosure/2013/Feb/103. I wrote that this is very...

CVSS: 4.3 | AI score: 5.6 | EPSS: 0.01856
Exploits: 4

securityvulns
added 2013/05/06 12:0 a.m. | 59 views

XSS and CS vulnerabilities in Dotclear

Hello 3APA3A! These are Cross-Site Scripting and Content Spoofing vulnerabilities in Dotclear. CMS Dotclear has three vulnerable flash-files: swfupload.swf, playerflv.swf and playermp3.swf. File swfupload.swf it's Swfupload. I've wrote about vulnerabilities in Swfupload in November 2012...

CVSS: 4.3 | AI score: 5.4 | EPSS: 0.06259
Exploits: 10

securityvulns
added 2013/02/24 12:0 a.m. | 3914 views

XSS vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS

Hello 3APA3A! After my previous list of vulnerable software with ZeroClipboard.swf, here is a list of software with ZeroClipboard10.swf. These are Cross-Site Scripting vulnerabilities in em-shorty, RepRapCalculator, Fulcrum, Django and aCMS. Earlier I've wrote about Cross-Site Scripting...

AI score: 5.7
Exploits: 0

securityvulns
added 2013/01/14 12:0 a.m. | 47 views

Multiple vulnerabilities in TinyBrowser

Hello 3APA3A! I want to warn you about multiple vulnerabilities in TinyBrowser for TinyMCE. These are new vulnerabilities in addition to my 2009 and 2011 advisories about Arbitrary File Upload and Code Execution vulnerabilities in TinyBrowser. It concerns as TinyBrowser, as all web applications...

AI score: 1
Exploits: 0

securityvulns
added 2012/12/11 12:0 a.m. | 47 views

XSS vulnerability in swfupload in ExpressionEngine

Hello 3APA3A! Here is information about Cross-Site Scripting vulnerability in swfupload in ExpressionEngine. After publication of my advisory XSS vulnerability in web applications with swfupload: AionWeb, Magento, Liferay Portal, SurgeMail, symfony http://securityvulns.ru/docs28761.html and after...

AI score: 5.5
Exploits: 0

0day.today
added 2012/12/03 12:0 a.m. | 22 views

Libsyn Cross Site Scripting Vulnerability

Libsync suffers from a cross site scripting vulnerability. As you can see from my publications for last five years, I like holes which are placed at hundreds or millions of web sites. Since my 2008's article XSS vulnerabilities in 215000 flash files...

AI score: 6.7
Exploits: 0

securityvulns
added 2012/11/18 12:0 a.m. | 76 views

XSS vulnerability in web applications with swfupload: Dotclear, XenForo, InstantCMS, AionWeb, Dolphin

Hello 3APA3A! I will draw your attention to XSS vulnerability in other web applications with swfupload. Earlier I've wrote about swfupload in WordPress CVE-2012-3414 and that this hole is available in many web applications. In previous letter I've wrote the information about different versions of...

CVSS: 4.3 | AI score: 0.6 | EPSS: 0.06259
Exploits: 10