4-21 announce the developer of Jforum by e-mail
> 2021-04-22 Jforum fixed the vulnerability, and will include this fix in
> next release
> 2021-09-02 send this mail to bugtraq&fulldisclosure
CVE-2021-40509 has been assigned for this vulnerability.
https://cve.m
On Fri, May 31, 2019 at 10:48:05AM +0200, Daniel Bishtawi wrote:
> Netsparker Advisory Reference: NS-19-004
Please use CVE-2019-12935 for this vulnerability.
- --
Henri Salo
; value="nopriv_frontend_show_map_fmc">nopriv_frontend_show_map_fmc
> show_matrix_fmc
> value="nopriv_frontend_show_matrix_fmc">nopriv_frontend_show_matrix_fmc
> value="frontend_paypal_inf
paypal_info
> checkpaypal
> value="get_frontend_stats">get_frontend_stats
> frontend_show_map
> value="frontend_show_matrix">frontend_show_matrix
> value="frontend_paypal_info">frontend_payp
are Link: https://wordpress.org/plugins/contact-form-builder
> # Version: 1.0.67
> # Tested on: WordPress 5.1.1
MITRE assigned CVE-2019-11557 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:31:24PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-yop-poll-xss/
MITRE assigned CVE-2019-9914 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:30:37PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-wp-livechat-xss/
MITRE assigned CVE-2019-9913 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:29:38PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-wpgooglemaps-xss/
MITRE assigned CVE-2019-9912 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:28:42PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-social-networks-auto-poster-xss/
MITRE assigned CVE-2019-9911 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:27:46PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-kingcomposer-xss/
MITRE assigned CVE-2019-9910 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:26:55PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-give-xss/
MITRE assigned CVE-2019-9909 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:26:09PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-font-organizer-xss/
Please use CVE-2019-9908.
- --
Henri Salo
se of WordPress plugins your solution is not correct. This vulnerability
can be exploited even if the plugin is disabled. The plugin must be deleted in order to
mitigate this.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:25:25PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-contact-form-email-xss-csrf/
MITRE assigned CVE-2019-9646 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:22:05PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-blog2social-xss/
MITRE assigned CVE-2019-9576 for this vulnerability.
- --
Henri Salo
On Tue, Feb 05, 2019 at 04:21:06PM +0100, Tim Coen wrote:
> https://security-consulting.icu/blog/2019/02/wordpress-quiz-and-survey-master-xss/
MITRE assigned CVE-2019-9575 for this vulnerability.
- --
Henri Salo
ion vulnerability.
- --
Henri Salo
On Wed, Jan 30, 2019 at 09:28:15AM +0100, Daniel Bishtawi wrote:
> https://www.netsparker.com/web-applications-advisories/ns-18-052-reflected-cross-site-scripting-in-collabtive/
CVE-2019-8935 has been assigned for this vulnerability.
--
Henri S
ting-in-coppermine/
Fixed in 1.5.48. Vendor advisory:
http://forum.coppermine-gallery.net/index.php/topic,79577.0.html
You might want to repeat your security testing on modified parts of the
application.
--
Henri Salo
On Wed, Jan 09, 2019 at 10:45:51AM +0200, Henri Salo wrote:
> On Mon, Dec 03, 2018 at 03:37:25PM +0100, Daniel Bishtawi wrote:
> > https://www.netsparker.com/web-applications-advisories/ns-18-025-reflected-cross-site-scripting-in-cubecart/
Please use CVE-2018-20703.
--
H
commit/4efac90ed89a5c009108b641e2e95683791a165a
Is this correct?
--
Henri Salo
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
ixed in what version or commit? Did you request a CVE identifier for this
vulnerability?
--
Henri Salo
ct vendor?
--
Henri Salo
anuary 2019 - Advisory Released
How did you contact the vendor? Are you sure that they didn't fix this? Latest
version is 1.1.2 according to https://microweber.com/download. Do you plan to
follow-up on this or is this case closed from your point of view?
--
Henri Salo
n be
found from https://gitlab.com/libtiff/libtiff.
--
Henri Salo
3
> # Link to code diff: https://plugins.trac.wordpress.org/changeset/1173611/
> # Changelog: https://wordpress.org/plugins/wordpress-mobile-pack/changelog/
> # CVE Status: None/Unassigned/Fresh
CVE-2015-9269 has been assigned for this vulnerability.
--
Henri Salo
s
.txt "fix
vulnerability that permits to see server files", which was released 2018-08-04.
Didn't manually verify.
--
Henri Salo
in distros. Did you report this to the
upstream?
--
Henri Salo
ast to version 1.3.3:
This seems to be the same vulnerability as CVE-2014-7183[1] found by
Netsparker[2]. CVE-2014-7183 was fixed in version 1.2 according to the
changelog.
1: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7183
2: https://www.netsparker.com/xss-vulnerabilities-in-li
go, but never received any
response. These issues look similar to CVE-2007-1231. Please see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1231
- --
Henri Salo
On Mon, Jul 20, 2015 at 05:16:00AM +, Shi,Tong wrote:
> http://bugs.cacti.net/view.php?id=2582
> Will a CVE number be assigned for it?
CVE requested already in:
http://www.openwall.com/lists/oss-security/2015/07/18/4
--
Henri Salo
David from litespeedtech.com replied:
"These are two bugs used to be in v1.3.10 and we fixed all of them in 1.3.11
now."
--
Henri Salo
nymore since Hue 3 so indeed we should remove
the part warning about not being run as root
"""
--
Henri Salo
n the latest version,
please update your Mailbird.
Latest version after downloading the application is 2.0.16.0 dated as May 15,
which is still vulnerable to this cross-site scripting vulnerability. Nothing in
changelog about this case.
Mitigation: use different application :)
--
Henri
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2021 says:
"pdf.c in ClamAV 0.97.1 through 0.97.7 allows remote attackers to cause a denial
of service (out-of-bounds-read) via a crafted length value in an encrypted PDF
file."
- ---
Henri Salo
Site http://truecrypt.sourceforge.net/ says "WARNING: Using TrueCrypt is not
secure as it may contain unfixed security issues" does someone have any
information about this?
---
Henri Salo
to list vulnerable systems. I can't for example list all
non-updated WordPress installations with their version numbers even though this
information is available to anyone.
---
Henri Salo