Monthly Archive: January 2015

Cross-site scripting (XSS) vulnerability in readme.php in the April’s Super Functions Pack plugin before 1.4.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of...

Cross-site request forgery (CSRF) vulnerability in index.php/user_data/insert_user in Savsoft Quiz allows remote attackers to hijack the authentication of administrators for requests that create an administrator account via a crafted request. Date published : 2015-01-13...

Cross-site scripting (XSS) vulnerability in Seo Panel before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2015-01-13 http://blog.seopanel.in/2014/01/seo-panel-3-4-0-released/ http://osvdb.org/102462

Multiple cross-site scripting (XSS) vulnerabilities in question.php in the mTouch Quiz before 3.0.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the quiz parameter to wp-admin/edit.php. Date published :...

SQL injection vulnerability in question.php in the mTouch Quiz before 3.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the quiz parameter to wp-admin/edit.php. Date published : 2015-01-13 https://wordpress.org/plugins/mtouch-quiz/changelog/ https://security.dxw.com/advisories/admin-xss-and-sqli-in-mtouch-quiz-3-0-6/

Cross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter. Date published : 2015-01-13 http://www.securityfocus.com/bid/65904 http://sourceforge.net/projects/orangehrm/files/stable/3.1.2/

SQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685. Date published : 2015-01-13 http://www.securityfocus.com/bid/65089...

Unspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors. Date published : 2015-01-13 http://confluence.jetbrains.com/display/TCD8/What%27s+New+in+TeamCity+8.1 http://secunia.com/advisories/57221

SQL injection vulnerability in the LTree converter in Pomm before 1.1.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Date published : 2015-01-13 http://www.securityfocus.com/bid/65711 http://www.pomm-project.org/news/pomm-1-1-5-is-out.html

Cross-site scripting (XSS) vulnerability in the Unconfirmed plugin before 1.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter in the unconfirmed page to wp-admin/network/users.php. Date published...

Cross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field. Date published : 2015-01-13 http://www.securityfocus.com/bid/69669 http://www.exploit-db.com/exploits/34555

Cross-site scripting (XSS) vulnerability in photocrati-gallery/ecomm-sizes.php in the Photocrati theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the prod_id parameter. Date published : 2015-01-13 http://www.securityfocus.com/bid/65238 http://packetstormsecurity.com/files/124986/WordPress-Photocrati-Cross-Site-Scripting.html

Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload. Date published : 2015-01-13...

Multiple stack-based buffer overflows in pdmwService.exe in SolidWorks Workgroup PDM 2014 SP2 allow remote attackers to execute arbitrary code via a long string in a (1) 2001, (2) 2002, or (3) 2003 opcode to...