dapurappsapp_configcontrollerbackuper.php in Fiyo CMS 2.0.7 allows remote attackers to delete arbitrary files via directory traversal sequences in the file parameter in a type=database request, a different vulnerability than CVE-2017-8853. Date published : 2017-07-26 https://github.com/FiyoCMS/FiyoCMS/issues/6
dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in controllers/api.php via the function parameter in a c=api&m=data2 request. Date published : 2017-07-26 http://lorexxar.cn/2017/07/20/FineCMS%20multi%20vulnerablity%20before%20v5.0.9/#api-php-Reflected-XSS
A sandbox escape in the Lua interface in Wube Factorio before 0.15.31 allows remote game servers or user-assisted attackers to execute arbitrary C code by including and loading a C library. Date published :...
In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The...
In Joomla! before 3.7.4, inadequate filtering of potentially malicious HTML tags leads to XSS vulnerabilities in various components. Date published : 2017-07-26 https://developer.joomla.org/security-centre/701-20170605-core-xss-vulnerability.html http://www.securitytracker.com/id/1039014
s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically...
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use...
aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory. Date published : 2017-07-25 https://bugzilla.redhat.com/show_bug.cgi?id=1280543
hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text tag. Date...
The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation, which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string. Date published : 2017-07-25 http://www.zenphoto.org/news/zenphoto-1.4.9...
Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. Date published...
Candlepin allows remote attackers to obtain sensitive information by obtaining Java exception statements as a result of excessive web traffic. Date published : 2017-07-25 https://bugzilla.redhat.com/show_bug.cgi?id=1252147
The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL. Date published : 2017-07-25 http://forum.efrontlearning.net/viewtopic.php?f=15&t=9841 http://mohankallepalli.blogspot.in/2015/05/eFront-cms-multiple-bugs.html
Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file from url" field in the...