In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. Date published : 2019-03-17 https://seclists.org/bugtraq/2019/May/76 https://security.netapp.com/advisory/ntap-20190411-0006/
internal/advanced_comment_system/index.php and internal/advanced_comment_system/admin.php in Advanced Comment System, version 1.0, contain a reflected cross-site scripting vulnerability via ACS_path. A remote unauthenticated attacker could potentially exploit this vulnerability to supply malicious HTML or JavaScript code to...
Attendance Monitoring System 1.0 has SQL Injection via the ‘id’ parameter to student/index.php?view=view, event/index.php?view=view, and user/index.php?view=view. Date published : 2019-03-17 https://www.exploit-db.com/exploits/45727/ http://packetstormsecurity.com/files/150010/School-Attendance-Monitoring-System-1.0-SQL-Injection.html
SaltOS 3.1 r8126 contains a database download vulnerability. Date published : 2019-03-17 https://www.exploit-db.com/exploits/45734/ http://packetstormsecurity.com/files/150005/SaltOS-Erp-Crm-3.1-r8126-Database-Download.html
KioWare Server version 4.9.6 and older installs by default to "C:kioware_com" with weak folder permissions granting any user full permission "Everyone: (F)" to the contents of the directory and it’s sub-folders. In addition, the...
LayerBB 1.1.1 allows XSS via the titles of conversations (PMs). Date published : 2019-03-17 https://github.com/AndyRixon/LayerBB/commits/master https://www.exploit-db.com/exploits/46079/
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/. Date published : 2019-03-17 https://www.exploit-db.com/exploits/46379/ http://packetstormsecurity.com/files/151694/LayerBB-1.1.2-Cross-Site-Request-Forgery.html
libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop,...
COYO 9.0.8, 10.0.11 and 12.0.4 has cross-site scripting (XSS) via URLs used by "iFrame" widgets. Date published : 2019-03-17 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-032.txt http://packetstormsecurity.com/files/151467/COYO-9.0.8-10.0.11-12.0.4-Cross-Site-Scripting.html
SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. Date published : 2019-03-17 http://packetstormsecurity.com/files/151473/SolarWinds-Serv-U-FTP-15.1.6-Privilege-Escalation.html http://seclists.org/fulldisclosure/2019/Feb/4
An issue was discovered in Repute ARForms 3.5.1 and prior. An attacker is able to delete any file on the server with web server privileges by sending a malicious request to admin-ajax.php. Date published...
SynTP.sys in Synaptics Touchpad drivers before 2018-06-06 allows local users to obtain sensitive information about freed kernel addresses. Date published : 2019-03-17 https://www.synaptics.com/sites/default/files/touchpad-driver-security-brief-20190124.pdf http://www.securityfocus.com/bid/106799
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. Date published : 2019-03-17 http://packetstormsecurity.com/files/151704/MyBB-Trash-Bin-1.1.3-Cross-Site-Request-Forgery-Cross-Site-Scripting.html https://community.mybb.com/mods.php?action=view&pid=957
DNN (formerly DotNetNuke) 9.1.1 allows cross-site scripting (XSS) via XML. Date published : 2019-03-17 http://packetstormsecurity.com/files/151304/DNN-9.1-XML-Related-Cross-Site-Scripting.html http://www.dnnsoftware.com/community/security/security-center