CVE-2018-7303
The Calendar component in Tiki 17.1 allows HTML injection. Date published : 2018-02-21 https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html
Tiki 17.1 allows upload of a .PNG file that actually has SVG content, leading to XSS. Date published : 2018-02-21 https://websecnerd.blogspot.in/2018/01/tiki-wiki-cms-groupware-17.html
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is...
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop). Date published :...
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number...
A NULL pointer access issue was discovered in Asterisk 15.x through 15.2.1. The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result...
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats...
CactusVPN 5.3.6 for macOS contains a root privilege escalation vulnerability through a setuid root binary called runme. The binary takes a single command line argument and passes this argument to a system() call, thus...
The Ninja Forms plugin before 3.2.14 for WordPress has XSS. Date published : 2018-02-21 Ninja Forms – The Contact Form Builder That Grows With You
There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Fields). Date published : 2018-02-21 http://www.securityfocus.com/bid/103080...
Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. Date published : 2018-02-21 http://www.securityfocus.com/bid/103099 https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3
Cross Site Scripting (XSS) exists on the D-Link DIR-600M C1 3.01 via the SSID or the name of a user account. Date published : 2018-02-21 https://www.exploit-db.com/exploits/44219/ https://0day4u.wordpress.com/2018/02/21/d-link-dir-600m-wireless-stored-xss/
An issue was discovered in Reprise License Manager 11.0. This vulnerability is a Path Traversal where the attacker, by changing a field in the Web Request, can have access to files on the File...
This vulnerability allows local attackers to escalate privileges on vulnerable installations of ABB MicroSCADA 9.3 with FP 1-2-3. An attacker must first obtain the ability to execute low-privileged code on the target system in...