Recent Curesec Publications
2016 Sep 15
Oxwall is a social networking software written in PHP. In version 1.8.0, it is vulnerable to multiple XSS attacks and a persistent open redirect.
The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection.
2016 Mar 15
Zenphoto is vulnerable to remote file inclusion. An admin account is required.
2016 Mar 15
PivotX is vulnerable to reflected XSS.
2016 Mar 15
PivotX is vulnerable to directory traversal, allowing authenticated users to read and delete files outside of the PivotX directory.
2016 Mar 15
PivotX is vulnerable to code execution by authenticated users as it does not check the extension of files when renaming them.
2016 Mar 15
BigTree 4.2.8 is vulnerable to object injection. The impact on the CMS itself is rather small, but installed plugins may increase the risk the vulnerability poses.
2016 Feb 01
There are various HTML injection vulnerabilities in opendocman 1.3.4, leading to XSS, phishing, and privilege escalation.
2016 Feb 01
Opendocman 1.3.4 does not have CSRF protection, allowing an attacker to execute actions on behalf of a victim, for example adding a new admin user.
2016 Feb 01
There are various XSS vulnerabilities in Atutor 2.2.
2016 Jan 28
There is an SQL injection in Bigace. A user account with the lowest privilege level is required.