Recent Curesec Publications

Bigace 3.0: Code Execution
2016 Jan 28

Bigace 3.0 allows the upload of media files but does not verify the file type, so editors and administrators can upload PHP files.

DYNPG 4.6: XSS
2016 Jan 28

There are multiple XSS vulnerabilities in DYNPG 4.6.  

DYNPG 4.6: CSRF
2016 Jan 28

DYNPG 4.6 has no CSRF protection, allowing an attacker to perform actions on behalf of a victim, for example adding a new admin user. In this case, this may lead to code execution, since it allows the upload of PHP files.

Wolf CMS v0.8.3.1: XSS
2016 Jan 28

There is a reflected XSS vulnerability in Wolf CMS v0.8.3.1.  

Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation
2016 Jan 28

There is a code execution vulnerability in Wolf CMS v0.8.3.1. A user account with the Editor role is required.   

Xoops 2.5.7.1: XSS
2016 Jan 28

There are multiple XSS vulnerabilities in Xoops 2.5.7.1.  

Xoops 2.5.7.1: Blind SQL Injection
2016 Jan 28

There is a Blind SQL Injection vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue.  

Xoops 2.5.7.1: Code Execution
2016 Jan 28

There is a code execution vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue, but the request is not protected against CSRF.  

PhpSocial v2.0.0304: XSS
2015 Dec 21

PhpSocial v2.0.0304 is vulnerable to persistent XSS.  

PhpSocial v2.0.0304: CSRF
2015 Dec 21

PhpSocial v2.0.0304 has no CSRF protection, allowing an attacker to perform actions on behalf of a victim, for example adding a new admin user.