CVE-2018-10296

MiniCMS V1.10 has XSS via the mc-admin/post-edit.php title parameter.

Leave a comment Continue Reading →

CVE-2018-10295

ChemCMS v1.0.6 has CSRF by using public/admin/user/addpost.html to add an administrator account.

Leave a comment Continue Reading →

CVE-2017-17902

SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI.

Leave a comment Continue Reading →

CVE-2017-17889

Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php.

Leave a comment Continue Reading →

CVE-2018-10297

Discuz! DiscuzX through X3.4 has stored XSS via the portal.php?mod=portalcp&ac=article URI, related to mishandling of IMG elements associated with remote images.

Leave a comment Continue Reading →

CVE-2018-10298

Discuz! DiscuzX through X3.4 has reflected XSS via forum.php?mod=post&action=newthread because data/template/1_diy_portal_view.tpl.php does not restrict the content.

Leave a comment Continue Reading →

CVE-2018-10286

The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. In order to be able to see the credentials in cleartext, an attacker needs to be authenticated.

Leave a comment Continue Reading →

CVE-2018-10285

The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.

Leave a comment Continue Reading →

CVE-2018-9245

The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.

Leave a comment Continue Reading →

CVE-2018-10289

In MuPDF 1.13.0, there is an infinite loop in the fz_skip_space function of the pdf/pdf-xref.c file. A remote adversary could leverage this vulnerability to cause a denial of service via a crafted pdf file.

Leave a comment Continue Reading →