An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that can add an admin account via index.php?m=admin&c=access&a=adduserhandle. Date published : 2018-06-01 https://www.exploit-db.com/exploits/44826/ https://github.com/GreenCMS/GreenCMS/issues/109
An issue was discovered in GreenCMS v2.3.0603. There is a CSRF vulnerability that allows attackers to execute arbitrary PHP code via the content parameter to index.php?m=admin&c=media&a=fileconnect. Date published : 2018-06-01 https://www.exploit-db.com/exploits/44825/ https://github.com/GreenCMS/GreenCMS/issues/108
ngiflib.c in MiniUPnP ngiflib 0.4 has an infinite loop in DecodeGifImg and LoadGif. Date published : 2018-06-01 https://github.com/miniupnp/ngiflib/issues/7
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file. Date published...
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file. Date published...
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report. Date...
Graylog before v2.4.4 has an XSS security issue with unescaped text in dashboard names, related to components/dashboard/Dashboard.jsx, components/dashboard/EditDashboardModal.jsx, and pages/ShowDashboardPage.jsx. Date published : 2018-06-01 https://github.com/Graylog2/graylog2-server/pull/4739 https://www.graylog.org/post/announcing-graylog-v2-4-4
Graylog before v2.4.4 has an XSS security issue with unescaped text in notifications, related to toastr and util/UserNotification.js. Date published : 2018-06-01 https://github.com/Graylog2/graylog2-server/pull/4727 Announcing Graylog v2.4.4
Hue 3.12 has XSS via the /pig/save/ name and script parameters. Date published : 2018-06-01 https://github.com/Blck4/HUE-Exploit
webkitFaviconDatabaseSetIconForPageURL and webkitFaviconDatabaseSetIconURLForPageURL in UIProcess/API/glib/WebKitFaviconDatabase.cpp in WebKit, as used in WebKitGTK+ through 2.21.3, mishandle an unset pageURL, leading to an application crash. Date published : 2018-06-01 https://www.exploit-db.com/exploits/44842/ https://www.exploit-db.com/exploits/44876/
psi/zfile.c in Artifex Ghostscript before 9.21rc1 permits the status command even if -dSAFER is used, which might allow remote attackers to determine the existence and size of arbitrary files, a similar issue to CVE-2016-7977....
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for XSS. Date published : 2018-06-01 http://www.securityfocus.com/bid/104428 https://www.exploit-db.com/exploits/44831/
Cross-site scripting (XSS) vulnerability on Brother HL series printers allows remote attackers to inject arbitrary web script or HTML via the url parameter to etc/loginerror.html. Date published : 2018-06-01 https://support.brother.com/g/b/faqend.aspx?c=us_ot&lang=en&prod=group2&ftype3=100033&faqid=faq00100530_000 https://www.exploit-db.com/exploits/44839/
Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an...