
Cross site scripting and information disclosure in gobi/helma

Wednesday, 5 December 2007

Hanno Boeck has discovered an XSS vulnerability in gobi/helma.



F5 FirePass 4100 SSL VPN Cross-Site Scripting Vulnerabilities

Monday, 3 December 2007

Some vulnerabilities have been reported in F5 FirePass 4100 SSL VPN, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL to my.activation.php3 and my.logon.php3 is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in FirePass versions 5.4.1 to 5.5.2 and FirePass versions 6.0 to 6.0.1.



IBM Tivoli Netcool Security Manager Unspecified Cross-Site Scripting

Monday, 3 December 2007

A vulnerability has been reported in IBM Tivoli Netcool Security Manager, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.



Apache HTTP Method Request Entity Too Large Cross-Site Scripting

Monday, 3 December 2007

PR07-37: XSS on Apache HTTP Server 413 error pages via malformed HTTP method

Risk factor: N/A

BID: 26663

The reason why we didn't consider this vulnerability a security risk is because the attacker needs to force the victim's browser to submit a malformed HTTP method. Header injection has been demonstrated to be possible using Flash [1] [2], but might be dependent on vulnerable Flash plugins. A relevant example published in the past is exploiting the Apache 'Expect' XSS [3] (CVE-2006-3918) using Flash [4].



UPDIR.NET "updir.php" Cross-Site Scripting Vulnerability

Friday, 9 November 2007

A vulnerability has been reported in UPDIR.NET, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to certain unspecified parameters in "updir.php" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.



SAXON version 5.4 XSS Attack Vulnerability

Tuesday, 30 October 2007

Description: SAXON is a simple accessible online news publishing system for personal and small corporate site owners. Publish news, using configurable templates, on any .php page on your site. Publish news on a 'per author' basis. Edit and/or delete existing news items. Create multiple RSS news feeds automatically (RSS 0.9, RSS 2.0 and Atom). Post date news items for later public release. Multiple authors allowed. Ability to configure users as Standard or Administrators. Ability to add/delete users (Administrators only). Option to change any user password (Administrators only). Template creation/deletion/amendment interface. Online setup and configuration.


