The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter. Date published : 2018-09-05...
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate...
An issue was discovered in BTITeam XBTIT. PHP error logs are stored in an open directory (/include/logs) using predictable file names, which can lead to full path disclosure and leakage of sensitive data. Date...
An issue was discovered in BTITeam XBTIT. The "returnto" parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when...
An issue was discovered in BTITeam XBTIT. Due to a lack of cross-site request forgery protection, it is possible to automate the action of sending private messages to users by luring an authenticated user...
An issue was discovered in BTITeam XBTIT 2.5.4. When a user logs in, their password hash is rehashed using a predictable salt and stored in the "pass" cookie, which is not flagged as HTTPOnly....
An issue was discovered in BTITeam XBTIT 2.5.4. The hashed passwords stored in the xbtit_users table are stored as unsalted MD5 hashes, which makes it easier for context-dependent attackers to obtain cleartext values via...
An issue was discovered in BTITeam XBTIT. By using String.replace and eval, it is possible to bypass the includes/crk_protection.php anti-XSS mechanism that looks for a number of dangerous fingerprints. Date published : 2018-09-05 https://rastating.github.io/xbtit-multiple-vulnerabilities/