A persistent Cross-Site Scripting (XSS) vulnerability has been found in the WordPress NewStatPress plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.
A Cross-Site Request Forgery vulnerability exists in the Popup by Supsystic WordPress plugin. This vulnerability allows attackers to add and modify scripting code that targets authenticated WordPress admins or visitors who see the popup generated by this plugin. Before exploitation of this issue succeeds, and scripting code is therefore injected, a victim WordPress admin must click a specially crafted link or visit a malicious attacker-controlled webpage.
A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress plugin. This issue can be exploited by a user with the Subscriber role (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens or performing arbitrary actions on their behalf. This vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in the method column_default() that is implemented in the file user-login-log.php.
It was discovered that Contact Form Manager does not protect against Cross-Site Request Forgery. This allows an attacker to change arbitrary Contact Form Manager settings. In addition, the plugin also fails to apply proper output encoding, rendering it vulnerable to stored Cross-Site Scripting. The username input field on the XYZ Contact > SMTP Settings page is vulnerable to stored Cross-Site Scripting.
Aruba Airwave before version 8.2.3.1 is vulnerable to reflected cross-site scripting.
The WiPG-1500 device embeds firmware with a manufacturer account that has a hard-coded username and password. Once the device is set to DEBUG mode, an attacker can connect to the device over the telnet protocol and log in with the 'abarco' hard-coded manufacturer account. Neither this account, the DEBUG feature, nor the use of telnetd on port TCP/5885 (when debug mode is ON) is documented.
A vulnerability in Synchronet BBS 3.16c for Windows allows an attacker to cause a denial of service (DoS) condition by sending a specially crafted HTTP request to the vulnerable server. The vulnerability is due to improper handling of certain HTTP requests; successful exploitation results in a DoS condition.
Start this fake FTP server and create an FTP connection in the software. Use the 'Test' button to trigger the vulnerability.
A quite dangerous CSRF was discovered on all DGN2200 firmwares. When chained with either CVE-2017-6077 or CVE-2017-6334, it allows unauthenticated (sic!) RCE after tricking somebody logged in to the router into viewing a website.
A SQL injection vulnerability exists in Joomla! Component OneVote! v1.0, which allows an attacker to execute arbitrary SQL commands via the 'election_id' parameter in the 'results.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request containing malicious SQL statements to the vulnerable application.