129 matches found
CVE-2021-32697
The CVE-2021-32697 issue affects the Neos Form framework (neos/forms) where a crafted GET request with a valid form state can submit a form without triggering validators. The form state is protected by an HMAC that is still verified, so exploitation requires that Form Finishers may run actions ev...
IcedID Circulates Via Web Forms, Google URLs
Website contact forms and Google URLs are being used to spread the IcedID trojan, according to researchers at Microsoft. Attackers are using “contact us” forms on websites to send emails targeting organizations with trumped-up legal threats, researchers said. The messages consistently mention a...
Malicious Package in pensi-scheduler
Version 1.1.3 of pensi-scheduler contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...
The vulnerability of the SiTex development platform’s SiTex-Gosuslu component, which stems from the absence of a CSRF token in web forms, allows actions to be performed on behalf of users, including administrators.
The vulnerability of the SiTex-Service component of the distributed application development platform involves the absence of a CSRF token in web forms. Exploiting this vulnerability allows an attacker to execute cross-site requests on behalf of users, including administrators, through a specially...
Cross site scripting
A number of stored Cross-site Scripting XSS vulnerabilities were identified in NETSAS Enigma NMS 65.0.0 and prior that could allow a threat actor to inject malicious code directly into the application through web application form inputs...
The vulnerability of the platform for automating operations in healthcare institutions of the Russian Federation’s entity Tra: The lack of a CSRF token in web forms allows actions to be performed on behalf of users, including administrators.
The vulnerability of the platform for automating operations in healthcare institutions of the Russian Federation’s Tra: Pharmaceutical Supply relates to the absence of a CSRF token in web forms. Exploiting this vulnerability allows a malicious actor to execute cross-site requests on behalf of...
Malicious Package
radic-util contains malicious code. The code when executed in the browser would get password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl=...
D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting
Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524 Date: April 6, 2019 Exploit Author: Semen Alexandrovich Lyhin https://www.linkedin.com/in/semenlyhin/ Vendor Homepage: https://www.dlink.com Version: D-Link DI-524 - V2.06RU CVE : CVE-2019-11017 To re-create Reflect...
WordPress Ninja Forms 3.3.17 Cross Site Scripting
Exploit Title: Wordpress Plugin Ninja Forms 3.3.17 - Cross-Site Scripting Date: 2018-11-15 Exploit Author: MTK Vendor Homepage: https://ninjaforms.com Softwae Link: https://wordpress.org/plugins/ninja-forms/ Version: Up to V3.3.17 Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox CVE :...
Jobs Factory SQL Injection Vulnerability in Joomla!
Joomla! is the United States Open Source Matters team developed a set of open source content management system CMS. A SQL injection vulnerability exists in the Jobs Factory component of Joomla! The vulnerability is caused by inserting SQL commands into the query string of a web form submission or...
CVE-2016-9483 PHP FormMail Generator generates PHP code for standard web forms, and the code generated is vulnerable to unsafe deserialization of untrusted data
The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmgfilmandownload function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with CVE-2016-9484 to perform local file inclusion attacks and obta...
Security Bulletin: Cross Site Scripting vulnerability in responsive coach view of IBM Business Process Manager (CVE-2016-9731)
Summary One of the responsive coach views that can be used by customers to build responsive web forms that interact with business processes is vulnerable to cross site scripting. Vulnerability Details CVEID: CVE-2016-9731 DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site...
Dumpzilla - Extract All Forensic Interesting Information Of Firefox, Iceweasel And Seamonkey Browsers
Dumpzilla official site : www.dumpzilla.org http://www.dumpzilla.org "Mozilla browser forensic tool" Manual : Español http://dumpzilla.org/Manualdumpzillaes.txt "Manual en español de dumpzilla" / English http://dumpzilla.org/Manualdumpzillaen.txt "Dumpzilla english Manual" SO : Unix / Win...
Schneider Electric PLCs Cross Site Request Forgery
Exploit Title: Schneider Electric PLCs - Cross-Site Request Forgery Date: 2018-05-12 Exploit Author: t4rkd3vilz Vendor Homepage: http://www.schneider-electric.com/ Tested on: Windows CVE: CVE-2013-0663 Version: Schneider Electric Quantum PLC: 140NOE77111, 140NOE77101, 140NWM10000 Modicon M340 PLC...
CVE-2017-14092
The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 12.0 web interface forms could allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain...
CVE-2017-9810
There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 version 8.0.4.312. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain...
Reflected Cross-Site Scripting Vulnerability in 'keyword' Parameter of Qibo B2B Commerce System
Qibo B2B business system is an open source content management system . Qibo B2B Commerce System 'keyword' parameter reflects cross-site scripting vulnerability. Allows attackers to insert XSS execution code into web forms, there are phishing attacks, user cookie theft and other security risks...
CVE-2016-8726
An exploitable null pointer dereference vulnerability exists in the Web Application /forms/webrunScript iwfilename functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. An HTTP POST request with a blank line in the header will cause a segmentation fault in the web server...
CVE-2017-6180
Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vulnerability affecting goform/formChnUserPwd and goform/formUserMng and the entire set of other pages...
Sawef - Send Attack Web Forms
SAWEF - Send Attack Web Forms DESCRIPTION The purpose of this tool is to be a Swiss army knife for anyone who works with HTTP, so far it she is basic, bringing only some of the few features that want her to have, but we can already see in this tool: - Email Crawler in sites - Crawler forms on the...