Recent Curesec Publications

Wolf CMS v0.8.3.1: XSS
2016 Jan 28

There is a reflected XSS vulnerability in Wolf CMS v0.8.3.1.  

Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation
2016 Jan 28

There is a code execution vulnerability in Wolf CMS v0.8.3.1. A user account with the Editor role is required.   

Xoops 2.5.7.1: XSS
2016 Jan 28

There are multiple XSS vulnerabilities in Xoops 2.5.7.1.  

Xoops 2.5.7.1: Blind SQL Injection
2016 Jan 28

There is a Blind SQL Injection vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue.  

Xoops 2.5.7.1: Code Execution
2016 Jan 28

There is a code execution vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue, but the request is not protected against CSRF, so an attacker without credentials can still trigger it by getting a logged-in administrator to visit a page under the attacker's control.

PhpSocial v2.0.0304: XSS
2015 Dec 21

PhpSocial v2.0.0304 is vulnerable to persistent XSS.  

PhpSocial v2.0.0304: CSRF
2015 Dec 21

PhpSocial v2.0.0304 does not have CSRF protection, allowing an attacker to perform state-changing actions on behalf of a logged-in victim, for example adding a new admin user.

Arastta 1.1.5: XSS
2015 Dec 21

There is a reflected XSS vulnerability in Arastta 1.1.5.  

Arastta 1.1.5: SQL Injection
2015 Dec 21

There are two SQL Injections in Arastta 1.1.5, which both require a user with special privileges to trigger.  

Grawlix 1.0.3: XSS
2015 Dec 21

Grawlix 1.0.3 has multiple reflected XSS vulnerabilities.