Monthly Archive: January 2015

Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login...

SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php. Date published : 2015-01-27 http://www.securityfocus.com/bid/72287 https://github.com/JRogaishio/ferretCMS/issues/63

Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/....

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. Date published : 2015-01-27 https://github.com/chjj/marked/issues/492 https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. Date published : 2015-01-27 https://github.com/sequelize/sequelize/pull/2919 https://nodesecurity.io/advisories/sequelize-sql-injection-order

Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/,...

SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter. Date published : 2015-01-27 http://www.securityfocus.com/archive/1/534490/100/0/threaded http://seclists.org/fulldisclosure/2015/Jan/63

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter. Date published : 2015-01-27 http://www.securityfocus.com/bid/73931...

Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter. Date published :...

SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/. Date published : 2015-01-27 http://www.exploit-db.com/exploits/35857 http://seclists.org/fulldisclosure/2015/Jan/81

Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleFR 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter to search/v/. Date published : 2015-01-27 http://seclists.org/fulldisclosure/2015/Jan/101 http://packetstormsecurity.com/files/130066/articleFR-CMS-3.0.5-Cross-Site-Scripting.html

Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file. Date published...

platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial...

Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text...