VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Bug Security Issue

Posted by Jing Wang on Sep 25

*VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day
Bug Security Issue*

Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web
Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2…

Stored XSS in 4images <= v1.7.11

Posted by Manuel Garcia Cardenas on Sep 25

=============================================
MGC ALERT 2015-001
- Original release date: September 08, 2015
- Last revised: September 24, 2015
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Stored XSS in 4images <= v1.7.11

II. BACKGROUND
-------------------------
4images is a powerful web-based image gallery management…

RomPager ShellShock RCE Vulnerability?

Posted by 1n3 on Sep 25

Gr33tz. I’m disclosing details for a potential 0day RCE vulnerability
in a number of common routers which may allow full control of affected
devices. I haven’t found an existing vulnerability for this and this
appears to be a new trend in my ModSecurity logs. Hoping to get some
feedback from the community and see if anyone can confirm…
After researching RomPager, it appears to be the underlying web server
used by a number of common…