The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to reflected as well as persistent XSS. A privileged user account is required to exploit the persistent XSS vulnerability but this can be bypassed via CSRF.
The web interface of the VDSL Client Modem ALL-BM100VDSL2 is vulnerable to CSRF. Because of this it is possible to add a new admin user.
The authentication of the web interface of the VDSL Client Modem ALL-BM100VDSL2 relies on local IP addresses and can thus be bypassed by an attacker with access to the local network as long as any user is currently authenticated. Additionally, the system contains an undocumented default user with a hardcoded password who has root access to the device.
pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the setup wizard is vulnerable to code execution. It should be noted that by default, only an administrator can access the setup wizard. By default, administrators have far-reaching permissions via the wizard and via other functionality. There are however some custom configurations where this vulnerability could lead to privilege escalation or undesired code execution.
pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), it is vulnerable to reflected XSS. XSS can lead to disclosure of cookies, session tokens etc.
pfsense is an open source firewall. The web interface is written in PHP. In version 2.3.2-RELEASE (amd64), the actions of creating and deleting firewall rules are vulnerable to CSRF, enabling an Attacker to edit these rules with a little bit of social engineering.
HumHub is a social media platform written in PHP. In version 0.20.1 as well as 1.0.0-beta.3, it is vulnerable to Code Execution as some functionality allows the uploading of PHP files. Successfull exploitation requires specific server settings. A user account is required as well, but registration is open by default.
HumHub is a social media platform written in PHP. In version 1.0.1 and earlier, it is vulnerable to a reflected XSS attack if debugging is enabled, as well as a self-XSS attack. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.
phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to reflected and persitent Cross Site Scripting vulnerabilities. The persistent XSS vulnerability is only exploitable by users with specific privileges and may be used for escalating privileges.
phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to SQL injection. The application contains two SQL injections, one of which is in the administration area and one which requires no credentials. Additionally, at least one query is not properly protected against injections. Furthermore, a query in the administration area discloses some information on the password hashes of users.
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to multiple persistent as well as a reflected XSS issue. To exploit these vulnerabilities a user account is required most of the time but registration is open by default. XSS allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to various low to medium impact issues, namely open redirect, host header injection, and the leakage of password hashes. Open redirect and host header injection can be used for phishing attacks. The leakage of password hashes is restricted to users with an admin account.
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to cross site request forgery. If a victim visits a website that contains specifically crafted code while logged into Elefant, an attacker can for example create a new admin account without the victims knowledge.
Elefant is a content managment system written in PHP. In version 1.3.12-RC, it is vulnerable to code execution because of two different vulnerabilities. It allows the upload of files with dangerous type, as well as PHP code injection. To exploit this a editor or admin account is required.
Plone is an open source CMS written in python. In version 5.0.5, the Zope Management Interface (ZMI) component is vulnerable to reflected XSS as it does not properly encode double quotes.
In this article we are going to have a closer look on a Smart Plug from TP-Link together with its control app. In the process of investigating the product, we reverse engineered the firmware and the app, managed to control the Smart Plug and steal login credentials.
MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to reflected cross site scripting as well as relative path overwrite. XSS can be used to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection, and RPO may lead to CSS injection.
SPIP is a content management system written in PHP. In version 3.1, it is vulnerable to a persistent as well as reflected cross site scripting vulnerability as it allows users to enter URLs containing the JavaScript protocol, which an attacker can exploit to steal cookies, inject JavaScript keylogger, or bypass CSRF protection. Additionally, it contains a Host Header Injection which may lead to the leakage of password reset tokens and thus the compromisation of user accounts. Finally, the application discloses httpOnly cookies, making exploitation of XSS issues slightly easier.
Mezzanine is an open source CMS written in python. In version 4.2.0, it is vulnerable to two persistent XSS attacks, one of which requires extended privileges, the other one does not. These issues allow an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.
MyLittleForum is forum software written in PHP. In version 2.3.6.1, it is vulnerable to cross site request forgery. An attacker could exploit this issue to add new users or change the status of existing users to administrator if a victim visits a website containing a specifically crafted payload while logged into MyLittleForum.
MoinMoin is an open source Wiki application written in python. In version 1.9.8, it is vulnerable to two persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection.
Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to multiple SQL injections. The injections require a user account with elevated privileges.
Lepton is a content management system written in PHP. In version 2.2.2, it contains various low to medium impact issues. The functionality that operates on files and folders is vulnerable to CSRF which may lead to XSS, the logout is vulnerable to Open Redirect, the in-build bruteforce protection can be easily bypassed, and passwords are hashed with md5 and send out via email in plaintext.
Lepton is a content management system written in PHP. In version 2.2.2, it is vulnerable to code execution as it is possible to upload files with dangerous type via the media manager.
Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to code execution as it allows the upload of files with a dangerous type. An account with extended privileges is required.
FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to multiple persistent XSS issues. This allows an attacker to steal cookies, inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum is vulnerable to Login-CSRF.
Jaws is a content management system written in PHP. In version 1.1.1, it is vulnerable to various low to medium impact issues. It contains an Object Injection, which does not seem to be currently exploitable without custom changes made by users; its session cookies are not set to httpOnly, which may make it easier to exploit XSS issues; and it contains an Open Redirect issue.
FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable to local file inclusion. This allows an attacker to read arbitrary files that the webuser has access to. Admin credentials are required.
Peel Shopping is ecommerce software written in PHP. In version 8.0.2, it is vulnerable to Object Injection. Peel Shopping stores a PHP object in a cookie, which is then unserialized when received by the application. An attacker can send arbitrary PHP objects, and has thus a limited influence on the control flow of the application. This can for example lead to DOS attacks by creating an infinite loop.
Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable to multiple XSS attacks and limited directory traveral. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection. The directory travseral issue gives information about which files exist on a system, and thus allows an attacker to gather information about a system.
MyBB 1.8.6 is vulnerable to login CSRF. Additionally, it stores passwords using weak hashing, and sends passwords via email in plaintext.
MyBB is forum software written in PHP. In version 1.8.6, it contains various XSS vulnerabilities, some of which are reflected and some of which are persistent. Some of them depend on custom forum or server settings. These issues may lead to the injection of JavaScript keyloggers, injection of content such as ads, or the bypassing of CSRF protection, which would for example allow the creation of a new admin user.
MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a second order SQL injection by an authenticated admin user, allowing the extraction of data from the database.
MyBB is forum software written in PHP. In version 1.8.6, it improperly validates templates that are passed to eval, allowing for the disclosure of the database password. If the database is writable from remote, it may also lead to code execution. An admin account is required.
Oxwall is a social networking software written in PHP. In version 1.8.0, it is vulnerable to multiple XSS attacks and a persistent open redirect. The XSS vulnerabilities are reflected as well as persistent, and can lead to the stealing of cookies, injection of keyloggers, or the bypassing of CSRF protection.
Zenphoto is vulnerable to remote file inclusion. An admin account is required.
PivotX is vulnerable to reflected XSS.
PivotX is vulnerable to Directory Traversal, allowing authenticated users to read and delete files outside of the PivotX directory.
PivotX is vulnerable to code execution by authenticated users as it does not check the extension of files when renaming them.
BigTree 4.2.8 is vulnerable to object injection. The impact on the CMS itself is rather small, but installed plugins may increase the risk the vulnerability poses.
There are various HTML Injection vulnerabilities in opendocman 1.3.4, leading to XSS, Phishing, and Privilege Escalation.
Opendocman 1.3.4 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user.
There are various XSS vulnerabilities in Atutor 2.2.
There is an SQL injection in Bigace. A user account with the lowest privilege level is required.
Bigace 3.0 allows the uploading of media file, but there is no verification, allowing the upload of PHP files by editors and administrators.
There are multiple XSS vulnerabilities in DYNPG 4.6.
DYNPG 4.6 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user. In this case, this may lead to code execution by allowing the upload of PHP files.
There is a reflected XSS vulnerability in Wolf CMS v0.8.3.1.
There is a code execution vulnerability in Wolf CMS v0.8.3.1. A user account with the Editor role is required.
There are multiple XSS vulnerabilities in Xoops 2.5.7.1.
There is a Blind SQL Injection vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue.
There is a code execution vulnerability in Xoops 2.5.7.1. An admin account is required to exploit this issue, but the request is not protected against CSRF.
PhpSocial v2.0.0304 is vulnerable to persistent XSS.
PhpSocial v2.0.0304 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example adding a new admin user.
There is a reflected XSS vulnerability in Arastta 1.1.5.
There are two SQL Injections in Arastta 1.1.5, which both require a user with special privileges to trigger.
Grawlix 1.0.3 has multiple reflected XSS vulnerabilities.
Grawlix 1.0.3 does not have CSRF protection, allowing an attacker to execute actions for a victim - for example changing the password of an admin user.
Grawlix 1.0.3 does not check the file type or extension when an admin uploads an icon, leading to code execution.
There are two reflected XSS and one open redirect vulnerability in CouchCMS 1.4.5.
The file extension whitelist of CouchCMS 1.4.5 misses pht, which may lead to code execution under certain circumstances.
There is a reflected XSS vulnerability in the search of esoTalk 1.0.0g4.
There are multiple XSS vulnerabilities in 4images 1.7.12.
There is an SQL Injection vulnerability in the admin area of 4images 1.7.11.
There is a Path Traversal vulnerability in the admin area of 4images 1.7.11 which allows the reading of arbitrary files.
There is a code execution vulnerability in the admin area of 4images 1.7.11.
There is an XSS vulnerability in CodoForum 3.4.
There is a CSRF vulnerability in phpwcms 1.7.9.
There are two Code Execution vulnerabilities in phpwcms 1.7.9. A registered user is required to exploit these issues.
There is a reflected XSS vulnerability in the installation script of Geeklog 2.1.0.
There are two code execution vulnerability in the admin area of Geeklog 2.1.0.
There is a persistent XSS vulnerability in redaxscript 2.5.0. It requires the victim to hover over a link to trigger.
There is a Code Execution vulnerability in the admin area of redaxscript 2.5.0.
There are two reflected XSS vulnerabilities in appRain 4.0.3.
There is a Path Traversal vulnerability in appRain 4.0.3.
None of the forms of appRain 4.0.3 have CSRF protection.
There is an SQL Injection vulnerability in the admin area of AlegroCart 1.2.8.
There is an LFI/RFI vulnerability in the admin area of AlegroCart 1.2.8.
There are multiple XSS vulnerabilities in LiteCart 1.3.2.
There are multiple XSS vulnerabilities in ClipperCMS 1.3.0.
There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.
There is a Path Traversal vulnerability in ClipperCMS 1.3.0
ClipperCMS 1.3.0 has as only CSRF protection a referer check, which can be disabled by an admin.
There is a Code Execution vulnerability in ClipperCMS 1.3.0
There is a persistent XSS vulnerability in dotclear 2.8.1.
There is a Code Execution vulnerability in dotclear 2.8.1.
There are two reflected XSS vulnerabilities in Open Source Social Network 3.5.
There is a reflected XSS vulnerability in Sitemagic CMS 4.1.
There is a reflected XSS vulnerability in Thelia 2.2.1.
There are two XSS vulnerabilities in TomatoCart v1.1.8.6.1.
There are two Code Execution vulnerabilities in TomatoCart v1.1.8.6.1.
There is a Code Execution vulnerability in the admin area of XCart 5.2.6.
There is a Path Traversal vulnerability in the admin area of XCart 5.2.6. It makes it possible to list directories and download arbitrary files.
There are multiple XSS vulnerabilities in XCart 5.2.6.
There are multiple XSS vulnerabilities in TheHostingTool 1.2.6.
There are multiple SQL Injection vulnerabilities in the admin area of TheHostingTool 1.2.6.
There is a Code Execution vulnerability in the admin area of TheHostingTool 1.2.6.
There are multiple XSS vulnerabilities in Quick.Cart 6.6.
There are multiple CSRF vulnerabilities in Quick.Cart 6.6.
There are multiple XSS vulnerabilities in the admin area of CubeCart 6.0.7.
There is a Code Execution vulnerability in the admin area of CubeCart 6.0.7.
There is an XSS vulnerability in Supercali Event Calendar 1.0.8. This issue has not been fixed.
There is no CSRF protection in Supercali Event Calendar 1.0.8.
There are multiple XSS vulnerabilities in SQLiteManager 1.2.4. This issue has not been fixed.
OpenCart 2.0.3.1 does not have CSRF protection for customers.
MyWebSQL 3.6 does not have CSRF protection.
There is an XSS vulnerability in MiniBB 3.1.1.
There is an XSS vulnerability in Chyrp CMS 2.5.2. This issue has not been fixed.
There is an XSS vulnerability in SQL Buddy 1.3.3. This issue has not been fixed.
The CSRF protection in SQL Buddy 1.3.3. does not work properly. This issue has not been fixed.
There is a Code Execution vulnerability in the admin area of Pligg CMS 2.0.2. It can be exploited via CSRF. This issue has not been fixed.
There is a Directory Traversal vulnerability in the admin area of Pligg CMS 2.0.2. This issue has not been fixed.
There is a Code Execution vulnerability in the admin area of Pligg CMS 2.0.2. It can be exploited via CSRF. This issue has not been fixed.
ZeusCart 4.0 does not have CSRF protection. Because of this, it is for example possible to add additional admin accounts. This issue has not been fixed.
There is an arbitrary file upload vulnerability in the admin area of ZeusCart 4.0. This issue has not been fixed.
There are multiple SQL Injection vulnerabilities in ZeusCart 4.0. This issue has not been fixed.
There is an XSS vulnerability in ZeusCart 4.0. This issue has not been fixed.
There is an arbitrary file upload vulnerability in the admin area of Zen Cart 1.5.4 as well as an information leak. This issue has only been partially fixed.
There is an XSS vulnerability in Anchor CMS 0.9.2. The issue is not yet fixed.
There is a Blind SQL Injection vulnerability in the admin area of Serendipity 2.0.1.
There is a Persistent XSS vulnerability in Serendipity 2.0.1 when using the default 2k11 theme. It requires a click to trigger.
There is a code execution vulnerability in Serendipity 2.0.1. It requires a registered user to exploit.
There is a Code Execution vulnerability in the admin area of NibbleBlog 4.0.3. The issue is not yet fixed.
There is a CSRF vulnerability in NibbleBlog 4.0.3 which can lead to the creating of new posts and thus XSS. The issue is not yet fixed.
The file editor of the admin area of Bolt 2.2.4 allows for the editing of file extensions, which leads to code execution once an attacker has gained admin credentials.
There is an XSS vulnerability in version 2.3.5 of ModX. As of now, this issue has not been fixed.
