Lucene search

202 matches found

securityvulns
added 2013/05/06 12:0 a.m., 50 views

XSS vulnerability in JW Player and JW Player Pro

Hello 3APA3A! I want to warn you about new XSS vulnerability in JW Player and JW Player Pro. Last year I've written about multiple Content Spoofing and Cross-Site Scripting vulnerabilities in JW Player and JW Player Pro, and this is new Cross-Site Scripting vulnerability about which I've not wrot...

0.8 AI score
Exploits: 0

Packet Storm
added 2013/05/06 12:0 a.m., 16 views

VideoJS Cross Site Scripting

Hello list! I want to inform you about vulnerabilities in VideoJS. This is popular video and audio player, which is used at hundreds thousands of web sites and in multiple web applications. This is Cross-Site Scripting vulnerability in VideoJS. There is also DoS hole related to this player, which...

0.1 AI score
Exploits: 0

0day.today
added 2013/04/21 12:0 a.m., 24 views

WordPress Colormix theme XSS / Full path disclosure Vulnerability

Exploit for php platform in category web applications Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes but it was questionable how they fixed...

7.1 AI score
Exploits: 0

Packet Storm
added 2013/04/21 12:0 a.m., 28 views

WordPress Colormix XSS / Content Spoofing / Path Disclosure

Hello list! Last year I've disclosed vulnerabilities in JW Player and in RokBox. Which were fixed by the developers - JW Player developers fixed one hole and promised to fix others later and RokBox fixed all holes but it was questionable how they fixed holes related to JW Player. In December I've...

7 AI score
Exploits: 0

Packet Storm
added 2013/02/20 12:0 a.m., 50 views

Various Applications Include ZeroClipboard XSS

Hello list! These are Cross-Site Scripting vulnerabilities in YAML, MultiProject extension for Trac, UserCollections extension for Piwigo, TAO and TableTools plugin for DataTables plugin for jQuery with ZeroClipboard.swf. Earlier I've written about Cross-Site Scripting vulnerabilities in...

0.3 AI score
Exploits: 0

Packet Storm
added 2013/01/14 12:0 a.m., 20 views

WordPress Daily Edition Mouss XSS / Disclosure / Shell Upload

Hello list! I want to warn you about multiple vulnerabilities in Daily Edition Mouss theme for WordPress. In 2011 when I wrote about Cross-Site Scripting WASC-08, Full path disclosure WASC-13, Abuse of Functionality WASC-42 and Denial of Service WASC-10 vulnerabilities in TimThumb and multiple...

7.4 AI score
Exploits: 0

securityvulns
added 2013/01/02 12:0 a.m., 71 views

BF, CSRF, AoF and IAA vulnerabilities in MODx Revolution

Hello 3APA3A! I want to warn you about multiple vulnerabilities in MODx Revolution. These are Brute Force, Cross-Site Request Forgery, Abuse of Functionality and Insufficient Anti-automation vulnerabilities in MODx. It's about 2.x Revolution versions of MODx. In 0.x and 1.x Evolution versions of...

0.5 AI score
Exploits: 0

securityvulns
added 2013/01/02 12:0 a.m., 40 views

XSS and CS vulnerabilities in BuddyPress for WordPress

Hello 3APA3A! I want to warn you about multiple security vulnerabilities in plugin BuddyPress for WordPress. I've disclosed vulnerabilities in JW Player in June and August including in commercial version JW Player Pro and disclosed vulnerabilities in Rokbox in December. And BuddyPress uses this...

Exploits: 0

securityvulns
added 2013/01/02 12:0 a.m., 34 views

Persistent XSS vulnerability in WP-UserOnline

Hello 3APA3A! In 2010 I've disclosed multiple vulnerabilities Cross-Site Scripting and Full path disclosure in WordPress plugin WP-UserOnline http://securityvulns.ru/Ydocument162.html, http://seclists.org/fulldisclosure/2010/Jul/8. And recently I've disclosed the exploit for persistent XSS...

6 AI score
Exploits: 0

Packet Storm
added 2012/12/21 12:0 a.m., 28 views

WordPress BuddyPress Cross Site Scripting / Content Spoofing

Hello list! I want to warn you about multiple security vulnerabilities in plugin BuddyPress for WordPress. I've disclosed vulnerabilities in JW Player in June and August including in commercial version JW Player Pro and disclosed vulnerabilities in Rokbox in December. And BuddyPress uses this...

Exploits: 0

securityvulns
added 2012/12/18 12:0 a.m., 72 views

TinyBrowser Upload Shell Vulnerability

Hello guys! I'll draw your attention to one exploit at 1337day.com and other their domains: http://1337day.com/exploit/19732. I've written to 1337day.com about it already at 19.11.2012. So it should concern every list, which posted that exploit from 1337day.com. This is AFU vulnerability in...

0.5 AI score
Exploits: 0

securityvulns
added 2012/12/10 12:0 a.m., 34 views

Microsoft Internet Explorer 7

Hello 3APA3A! I want to warn you about Denial of Service vulnerabilities in Internet Explorer. I've found these DoS holes in IE7 already in August 2010. ------------------------- Affected products: ------------------------- Vulnerable are Internet Explorer 7 7.00.5730.13 and other versions of IE7...

7 AI score
Exploits: 0

Packet Storm
added 2012/12/02 12:0 a.m., 27 views

Libsyn Cross Site Scripting

Hello list! As you can see from my publications for last five years, I like holes which are placed at hundreds or millions of web sites. Since my 2008's article XSS vulnerabilities in 215000 flash files http://lists.webappsec.org/pipermail/websecuritylists.webappsec.org/2008-November/004655.html...

7.4 AI score
Exploits: 0

securityvulns
added 2012/05/01 12:0 a.m., 42 views

DoS vulnerabilities in Firefox, Internet Explorer and Opera

Hello 3APA3A! I want to warn you about Denial of Service vulnerability in Mozilla Firefox, Internet Explorer and Opera. Earlier there was published DoS vulnerability in browser Opera 10.10 found by Inj3ct0r http://securityvulns.com/news/Opera/1002.html. And some time ago I've checked this exploit...

1.2 AI score
Exploits: 0

Packet Storm
added 2012/04/23 12:0 a.m., 22 views

WordPress Organizer 1.2.1 Cross Site Scripting / Path Disclosure

Hello list! I want to warn you about multiple security vulnerabilities in plugin Organizer for WordPress. This is the first in series of advisories concerning vulnerabilities in this plugin. These are Cross-Site Scripting reflected and persistent and Full path disclosure vulnerabilities...

Exploits: 0

securityvulns
added 2012/03/19 12:0 a.m., 35 views

Multiple vulnerabilities in EJBCA

Hello 3APA3A! I am informing you about multiple vulnerabilities in Enterprise Java Beans Certificate Authority EJBCA, which I found on 17.01.2012. These are Cross-Site Scripting, Brute Force and Abuse of Functionality vulnerabilities. EJBCA is a PKI server. According to information from the official website: A Certification...

6.2 AI score
Exploits: 0

securityvulns
added 2011/12/26 12:0 a.m., 69 views

CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router

Hello 3APA3A! I want to warn you about new security vulnerabilities in D-Link DSL-500T ADSL Router. Which I've found and disclosed last week. These are Cross-Site Request Forgery, Directory Traversal and Authentication Bypass vulnerabilities. This is my fifth advisory 3 and 4 were announced and...

7.5 CVSS, 0.7 AI score, 0.00345 EPSS
Exploits: 1

securityvulns
added 2011/12/11 12:0 a.m., 59 views

Vulnerabilities in D-Link DSL-500T ADSL Router

Hello 3APA3A! I want to warn you about security vulnerabilities in D-Link DSL-500T ADSL Router. These are Predictable Resource Location, Brute Force and Cross-Site Request Forgery vulnerabilities. This is my first advisory from series of advisories about vulnerabilities in D-Link products...

1.5 AI score
Exploits: 0

securityvulns
added 2011/11/11 12:0 a.m., 33 views

New vulnerabilities in poMMo

Hello 3APA3A! I am informing you about the Information Leakage, Insufficient Anti-automation and Abuse of Functionality vulnerabilities that I found in poMMo. Information Leakage WASC-13: After an e-mail address is entered at subscribe.php, the page http://site/pommo/user/process.php outputs the pendingcode as...

7.1 AI score
Exploits: 0

securityvulns
added 2011/11/06 12:0 a.m., 43 views

Strictly social XSS vulnerability in WordPress

Hello 3APA3A! I am informing you about a Cross-Site Scripting vulnerability that I found in WordPress. I found it back on 15.10.2008, and all versions of WordPress are vulnerable to it. WordPress has a Cross-Site Scripting vulnerability, in this case Strictly social XSS http://websecurity.com.ua/5469/, on...

Exploits: 0