Category Archives: Full Disclosure

WordPress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities

Posted by Pietro Oliva on Jan 12

Vulnerability title: WordPress plugin Pods <= 2.4.3 XSS and CSRF vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7956, CVE-2014-7957
Product: pods
Affected version: pods <= 2.4.3
Vulnerabilities fixed in version: 2.5

XSS vulnerability (CVE-2014-7956, authentication is needed):
http://localhost/wp-admin/admin.php?page=pods&action=edit&id=4&quot

Reflecting XSS vulnerability in CMS PHPKit WCMS v. 1.6.6

Posted by Steffen Rösemann on Jan 12

Advisory: Reflecting XSS vulnerability in CMS PHPKit WCMS v. 1.6.6
Advisory ID: SROEADV-2014-07
Author: Steffen Rösemann
Affected Software: CMS PHPKit WCMS v. 1.6.6 [Build: 1660014]
Vendor URL: http://www.phpkit.com/de/
Vendor Status: did not respond to issue
CVE-ID: –

==========================
Vulnerability Description:
==========================

The poll archive in the administrative backend of CMS PHPKit WCMS v. 1.6.6
is prone to…

Reflecting XSS vulnerability in CMS Croogo v.2.2.0

Posted by Steffen Rösemann on Jan 12

Advisory: Reflecting XSS vulnerability in CMS Croogo v.2.2.0
Advisory ID: SROEADV-2015-02
Author: Steffen Rösemann
Affected Software: CMS Croogo v.2.20
Vendor URL: https://croogo.org
Vendor Status: solved
CVE-ID: –

==========================
Vulnerability Description:
==========================

The filemanager functionality in the administrative backend of CMS Croogo
v. 2.2.0 is prone to reflecting XSS attacks.

==================
Technical…

Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & kindlepost.com omnivoracious.com carlustblog.com Open Redirect

Posted by Jing Wang on Jan 12

*Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust
& kindlepost.com omnivoracious.com carlustblog.com Open Redirect*

*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang
Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/

*Domains:*
http://www.amazon.com

All…

Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A New Open Redirect Security Vulnerability

Posted by Jing Wang on Jan 12

*Facebook Old Generated URLs Still Vulnerable to Open Redirect Attacks & A
New Open Redirect Security Vulnerability*

*Domain:*
http://www.facebook.com

*Discover:*
Wang Jing, School of Physical and Mathematical Sciences (SPMS), Nanyang
Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/

*(1) General Vulnerabilities Description:*

*(1.1)* Two Facebook vulnerabilities are introduced in this article.
Facebook has a…

CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerability

Posted by Jing Wang on Jan 10

*CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerability*

Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
SQL Injection
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE…

[Tool] SPARTA 1.0 BETA

Posted by Antonio Quina on Jan 10

SPARTA is a Python GUI application which simplifies network
infrastructure penetration testing by aiding the penetration tester in
the scanning and enumeration phase. It allows the tester to save time by
having point-and-click access to his toolkit and by displaying all tool
output in a convenient way. If little time is spent setting up commands
and tools, more time can be spent focusing on analysing results.

Features:
– Run nmap from SPARTA…

CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security Vulnerability

Posted by Jing Wang on Jan 10

CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security
Vulnerability

Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
XSS
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9561
Credit: Wang Jing [Mathematics, Nanyang Technological…

Reflecting XSS vulnerability in CMS e107 v. 1.0.4

Posted by Steffen Rösemann on Jan 09

Advisory: Reflecting XSS vulnerability in CMS e107 v. 1.0.4
Advisory ID: SROEADV-2014-05
Author: Steffen Rösemann
Affected Software: CMS e107 v. 1.0.4
Vendor URL: http://e107.org
Vendor Status: did not respond to issue
CVE-ID: –

==========================
Vulnerability Description:
==========================

The CMS e107 v. 1.0.4 has a reflecting XSS vulnerability in its
administrative backend which can be exploited by bypassing an XSS filter….

Good for Enterprise Android HTML Injection (CVE-2014-4925)

Posted by Cláudio André on Jan 08

https://labs.integrity.pt/articles/good-for-enterprise-android-html-injection-cve-2014-4925/

1. Vulnerability Properties
Title: HTML Injection in Good for Enterprise Android
CVE ID: CVE-2014-4925
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Vendor: Good Technology (http://www1.good.com/)
Products: Good for Enterprise Android (possibly others)
Advisory Release Date: 8 January 2015
Advisory URL:…