Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a “404 Not Found” response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression.
Monthly Archives: October 2014
CVE-2014-8379
Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules.
CVE-2014-8376
Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the “Administer contexts” Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings.
CVE-2014-8377
Cross-site scripting (XSS) vulnerability in Webasyst Shop-Script 5.2.2.30933 allows remote attackers to inject arbitrary web script or HTML via the phone number field in a new contact to phpecom/index.php/webasyst/contacts/.
CVE-2014-8378
Cross-site scripting (XSS) vulnerability in the TableField module 7.x-2.x before 7.x-2.3 allows remote authenticated users with the “administer content types” or “administer taxonomy” permission to inject arbitrary web script or HTML via vectors related to the field help text in an entity edit form.
Continuous Release (CR) Repository updates are released for CentOS-6.6
We have released the following updates into the 6.5/cr repository: http://lists.centos.org/pipermail/centos-cr-announce/2014-October/thread.html The updates include everything that will be on the 6.6 ISO Sets and also everything to date that will be in 6.6 Updates. We will continue to put updates into 6.5 CR until we actually release CentOS-6.6. For information on the CR repository, see this link: http://wiki.centos.org/AdditionalResources/Repositories/CR Thanks, Johnny Hughes
CVE-2012-5702
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. NOTE: the date parameter vector is already covered by CVE-2008-3886.
CVE-2012-5242
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.
CVE-2013-7406
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2012-5243
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.