371 matches found
TinyMCE Image Manager 1.1 Cross Site Scripting
Hello list! These are Cross-Site Scripting and Content Spoofing vulnerabilities in TinyMCE Image Manager plugin for TinyMCE. ------------------------- Affected products: ------------------------- Vulnerable are TinyMCE Image Manager 1.1 and previous versions. ------------------------- Affected...
CS, XSS and FPD vulnerabilities in WordPress
Hello 3APA3A! These are Content Spoofing, Cross-Site Scripting and Full path disclosure vulnerabilities in WordPress. At WordPress 3.5.2 release the same at 3.5.1 release, WP developers mentioned about multiple fixed holes, but not about all - to make it looks like there were less fixed holes. So...
WordPress I Love It XSS / Content Spoofing / Path Disclosure
Hello list! These are Cross-Site Scripting, Content Spoofing and Full path disclosure vulnerabilities in I Love It theme for WordPress. This is commercial premium theme. ------------------------- Affected products: ------------------------- All versions of I Love It theme for WordPress. The theme...
XSS and FPD vulnerabilities in Search 'N Save for WordPress
Hello 3APA3A! I want to inform you about vulnerabilities in Search 'N Save plugin for WordPress. These are Cross-Site Scripting and Full path disclosure vulnerabilities. These XSS holes are in ZeroClipboard.swf, which is used in the plugin. In February I wrote about Cross-Site Scripting...
Content Spoofing vulnerabilities in TinyMCE and WordPress
Hello 3APA3A! This are Content Spoofing vulnerabilities in TinyMCE and WordPress. Which I've disclosed on Wednesday. In 2011 I already wrote about Content Spoofing in Moxieplayer, when I wrote concerning multiple vulnerabilities in TinyMCE http://securityvulns.ru/docs27349.html, which is a...
AFU vulnerabilities in MCImageManager for TinyMCE
Hello 3APA3A! I want to warn you about vulnerabilities in Moxiecode Image Manager MCImageManager. This is commercial plugin for TinyMCE. It concerns as MCImageManager, as all web applications which have MCImageManager in their bundle. These are Arbitrary File Uploading vulnerabilities, which lead...
WordPress Search N Save XSS / Path Disclosure
Hello list! I want to inform you about vulnerabilities in Search 'N Save plugin for WordPress. These are Cross-Site Scripting and Full path disclosure vulnerabilities. These XSS holes are in ZeroClipboard.swf, which is used in the plugin. In February I wrote about Cross-Site Scripting...
WordPress 3.5.1 Cross Site Scripting
Hello list! These are Cross-Site Scripting vulnerabilities in WordPress. Which I've disclosed last week. At WordPress 3.5.2 release, WP developers mentioned about three holes as "security hardenings" to decrease their importance and to make it looks like there were less fixed holes. One of these...
WordPress Slash Theme XSS / Spoofing / Disclosure Vulnerabilities
The Slash theme for WordPress suffers from cross site scripting, content spoofing, and path disclosure vulnerabilities. Hello list! I want to warn you about multiple vulnerabilities in Slash WP theme for WordPress. This is commercial theme for WP. These are Full path disclosure, Cross-Site...
aCMS 1.0 Shell Upload / Insufficient Authorization
Hello list! These are Insufficient Authorization and Arbitrary File Uploading vulnerabilities in aCMS. This is commercial CMS. There are multiple vulnerabilities in aCMS and it's the second part of them. ------------------------- Affected products: ------------------------- Vulnerable are aCMS 1....
aCMS 1.0 XSS / Content Spoofing / Information Leak
Hello list! These are Cross-Site Scripting, Content Spoofing and Information Leakage vulnerabilities in aCMS. This is commercial CMS. There are multiple vulnerabilities in aCMS and it's the first part of them. ------------------------- Affected products: ------------------------- Vulnerable are...
Moxiecode File Manager 3.1.5 Shell Upload
Hello list! I want to warn you about vulnerabilities in Moxiecode File Manager MCFileManager. This is commercial plugin for TinyMCE. It concerns as MCFileManager, as all web applications which have MCFileManager in their bundle. These are Arbitrary File Uploading vulnerabilities, which lead to Co...
VideoJS Cross Site Scripting
Hello list! I want to inform you about vulnerabilities in VideoJS. This is popular video and audio player, which is used at hundreds thousands of web sites and in multiple web applications. This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS hole related to this player, which...
Multiple vulnerabilities in Colormix theme for WordPress
Hello 3APA3A! Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes but it was questionable how they fixed holes related to JW Player. In December I'...
XSS vulnerability in JW Player and JW Player Pro
Hello 3APA3A! I want to warn you about new XSS vulnerability in JW Player and JW Player Pro. Last year I've written about multiple Content Spoofing and Cross-Site Scripting vulnerabilities in JW Player and JW Player Pro, and this is new Cross-Site Scripting vulnerability about which I've not wrot...
WordPress Colormix theme XSS / Full path disclosure Vulnerability
Exploit for php platform in category web applications Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes but it was questionable how they fixed...
WordPress Colormix XSS / Content Spoofing / Path Disclosure
Hello list! Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes but it was questionable how they fixed holes related to JW Player. In December I've...
DoS vulnerability in Internet Explorer (access violation)
Hello 3APA3A! I want to warn you about Denial of Service vulnerabilities in Internet Explorer. This is access violation. I've made the exploit and tested this vulnerability at 13.02.2013. This exploit is based on video by TheSecuritylab for IE7. As I've tested, it also works in IE6 and IE8...
Multiple XSS vulnerabilities in IBM Lotus Domino
Hello 3APA3A! I want to warn you about multiple Cross-Site Scripting vulnerabilities in IBM Lotus Domino. Last year I've announced multiple vulnerabilities in IBM software and after IBM fixed many of them, I've disclosed them. These are new vulnerabilities in Domino, which I've found at 03.05.201...
D-Link DAP 1150 Cross Site Request Forgery
Hello! Here is exploit for D-Link DAP 1150. About vulnerabilities in it, which were used in this exploit, I've wrote in 2011. I've presented this exploit in my article "CSRF Attacks on Network Devices" in the magazine PenTest Extra 02/2012 http://pentestmag.com/pentestextra022012/, released in...