index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS. Date published : 2020-02-10 http://packetstormsecurity.com/files/156281/Vanilla-Forum-2.6.3-Cross-Site-Scripting.html https://github.com/hacky1997/CVE-2020-8825
participants-database.php in the Participants Database plugin 1.9.5.5 and previous versions for WordPress has a time-based SQL injection vulnerability via the ascdesc, list_filter_count, or sortBy parameters. It is possible to exfiltrate data and potentially execute...
Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to the group_list page. Date published : 2020-02-10 https://github.com/Piwigo/Piwigo/issues/1150 https://piwigo.org/forum/viewforum.php?id=23
An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE wicked 0.6.55 and earlier allows network attackers to cause a denial of service by sending DHCP4 packets with a different client-id. Date published : 2020-02-10 https://bugzilla.suse.com/show_bug.cgi?id=1160906 https://github.com/openSUSE/wicked/releases
When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to...
When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function...
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user...
In LXC 2.0, many template scripts download code over cleartext HTTP, and omit a digital-signature check, before running it to bootstrap containers. Date published : 2020-02-09 https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter. Date published : 2020-02-09 https://github.com/theyiyibest/Reflected-XSS-on-SockJS https://github.com/theyiyibest/Reflected-XSS-on-SockJS/issues/1
Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices allow stored XSS in the web application. Date published : 2020-02-09 https://sku11army.blogspot.com/2020/02/digi-transport-stored-xss-on-wr-family.html
Cross-site scripting (XSS) vulnerability in Flowplayer Flash 3.2.7 through 3.2.16, as used in the News system (news) extension for TYPO3 and Mahara, allows remote attackers to inject arbitrary web script or HTML via the...
The Basic webmail module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with the "access basic_webmail" permission to read arbitrary users’ email addresses. Date published : 2020-02-08 https://www.drupal.org/node/1808852 http://www.openwall.com/lists/oss-security/2012/11/20/4
The CSS parser (khtml/css/cssparser.cpp) in Konqueror in KDE 4.7.3 allows remote attackers to cause a denial of service (crash) and possibly read memory via a crafted font face source, related to "type confusion." Date...
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 saves passwords in the local database, (1) which could make it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack or, (2) when an...