Packet Storm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
Omeka version 2.2 suffers from cross site request forgery and cross site scripting vulnerabilities.
Trixbox suffers from cross site scripting, local file inclusion, SQL injection, and remote code execution vulnerabilities.
OL-Commerce version 2.1.1 suffers from cross site scripting and remote SQL injection vulnerabilities.
Bitdefender GravityZone versions prior to 126.96.36.1992 suffer from local file disclosure, insecure service configuration, and missing authentication vulnerabilities.
e107 version 2.0 alpha2 suffers from a reflective cross site scripting vulnerability.
Citrix NetScaler Application Delivery Controller and Citrix NetScaler Gateway are susceptible to cookie disclosure and reflective cross site scripting vulnerabilities.
Alfresco Community Edition versions 4.2.f and below suffer from multiple server side request forgery vulnerabilities.
Joomla Youtube Gallery component version 4.1.7 suffers from a remote SQL injection vulnerability.
Concrete version 188.8.131.52 suffers from a REFERER header-based cross site scripting vulnerability.
Open Web Analytics version 1.5.7 suffers from cross site scripting and remote file inclusion vulnerabilities.
Proof of concept code to exploit an NTP amplification attack. Written in Python.
Boat Browser versions 8.0 and 8.0.1 suffer from a remote code execution vulnerability.
The WordPress WPTouch plugin contains an authenticated file upload vulnerability. A wp-nonce (CSRF token) is created on the backend index page and the same token is used when handling ajax file uploads through the plugin. By sending the captured nonce with the upload, we can upload arbitrary files to the upload folder. Because the plugin also uses its own file upload mechanism instead of the WordPress API, it is possible to upload any file type. The user provided does not need special rights; users with the "Contributor" role can also be abused.
Browserify versions 4.2.0 and below suffer from a remote command execution vulnerability.
A vulnerability within the VBoxGuest module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Oracle VirtualBox Guest Additions versions 4.3.8 through 4.3.10 are affected.
OctavoCMS suffers from cross site scripting vulnerabilities in its administrative panel functionality.
HP Data Protection Manager version 8.10 suffers from a remote command execution vulnerability.
HTTP requests flooding an Elipse E3 Scada PLC trigger a denial of service condition.
Sqlbuddy versions 1.3.2 and 1.3.3 suffer from a reflective cross site scripting vulnerability.
OpenCart versions 184.108.40.206 and below suffer from a PHP object injection vulnerability.