Archive for month: March 2015

SecuritTeam.com: Drupal Services Module 'callback' Parameter Cross Site Scripting Vulnerabilities

Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response.

SecuritTeam.com: IPCop Ipinfo.cgi Cross-Site Scripting Vulnerabilities

Cross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in IPCop (aka IPCop Firewall) before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. NOTE: this can be used to bypass the cross-site request forgery (CSRF) protection mechanism by setting the Referer.

SecuritTeam.com: Django 'django.views.static.serve()' Function Denial Of Service Vulnerabilities

The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.

SecuritTeam.com: Contenido Front_content.php Cross-Site Scripting Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.

SecuritTeam.com: Libxml2 Entity Substitution Denial Of Service Vulnerabilities

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a craf


SecuritTeam.com: Another WordPress Classifieds Plugin For WordPress Cross-Site Scripting Vulnerabilities

Cross-site scripting (XSS) vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI.

SecuritTeam.com: Cart66 Lite WordPress Ecommerce Plugin For WordPress SQL Injection Vulnerabilities

SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php.