phpSocial (formerly phpDolphin) before 3.0.1 has XSS in the PATH_INFO to the search/tag/ URI. Date published : 2017-07-19 https://phpsocial.com/page/changelog https://www.seekurity.com/blog/advisories/cross-sitescripting-vulnerability-in-phpsocial-aka-phpdolphin-social-network-script/
On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was found in the form2userconfig.cgi username parameter. Date published : 2017-07-19 ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-600M/REVC/DIR-600M_REVC_FIRMWARE_PATCH_NOTES_3.05B01_EN.pdf https://iscouncil.blogspot.com/2017/07/stored-xss-in-d-link-dir-600m-router.html
The Google News and Weather application before 3.3.1 for Android allows remote attackers to read OAuth tokens by sniffing the network and leveraging the lack of SSL. Date published : 2017-07-18 http://www.securityfocus.com/bid/99892 http://seclists.org/fulldisclosure/2017/Jul/36
spice versions though 0.13 are vulnerable to out-of-bounds memory access when processing specially crafted messages from authenticated attacker to the spice server resulting into crash and/or server memory leak. Date published : 2017-07-18 http://www.securityfocus.com/bid/99583...
A remote command injection vulnerability exists in the Barracuda Load Balancer product line (confirmed on v5.4.0.004 (2015-11-26) and v6.0.1.006 (2016-08-19); fixed in 6.1.0.003 (2017-01-17)) in which an authenticated user can execute arbitrary shell commands...
Biscom Secure File Transfer is vulnerable to cross-site scripting in the File Name field. An authenticated user with permissions to upload or send files can populate this field with a filename that contains standard...
Biscom Secure File Transfer is vulnerable to AngularJS expression injection in the Display Name field. An authenticated user can populate this field with a valid AngularJS expression, wrapped in double curly-braces ({{ }}). This...
IBM MQ Appliance 8.0 and 9.0 could allow an authenticated messaging administrator to execute arbitrary commands on the system, caused by command execution. IBM X-Force ID: 125730. Date published : 2017-07-18 http://www.securityfocus.com/bid/99594 http://www.ibm.com/support/docview.wss?uid=swg22003815
The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2 and other products, allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted...
gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. There is a local attack if the victim uses the GNOME Files file manager,...
Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asuswrt-Merlin firmware for ASUS devices and ASUS firmware for ASUS RT-AC5300, RT_AC1900P, RT-AC68U, RT-AC68P, RT-AC88U, RT-AC66U, RT-AC66U_B1, RT-AC58U, RT-AC56U, RT-AC55U, RT-AC52U, RT-AC51U, RT-N18U, RT-N66U, RT-N56U, RT-AC3200,...
Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/editor.php via $_POST[‘id’] and $_POST[‘art_title’]. Date published : 2017-07-18 https://github.com/FiyoCMS/FiyoCMS/issues/5
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_list.php via $_GET[‘cat’], $_GET[‘user’], $_GET[‘level’], and $_GET[‘iSortCol_’.$i]. Date published : 2017-07-18 https://github.com/FiyoCMS/FiyoCMS/issues/5
Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/article_status.php via $_GET[‘id’]. Date published : 2017-07-18 https://github.com/FiyoCMS/FiyoCMS/issues/5