Title: WEMS Enterprise Manager 2.58 (email) Reflected XSS Advisory ID: ZSL-2019-5551 Type: Local/Remote Impact: Cross-Site Scripting Risk: (3/5) Release Date: 29.12.2019SummaryWEMS Enterprise Manager is a centralised management and monitoringsystem for many WEMS equipped

Title: Carlo Gavazzi SmartHouse Webapp 6.5.33 CSRF/XSS Vulnerabilities Advisory ID: ZSL-2019-5543 Type: Local/Remote Impact: Cross-Site Scripting Risk: (3/5) Release Date: 30.11.2019SummaryCarlo Gavazzi is an international company that develops, manufacturesand sells elec

A researcher has earned $5,000 from Google for an interesting cross-site scripting (XSS) vulnerability found in the dynamic email feature added a few months ago to Gmail.The dynamic email feature, also known as Accelerated Mobile Pages (AMP) for email or AMP4Email, enables the use of dynamic HTML content in emails, allowing users to conduct various tasks dir

SEC Consult Vulnerability Lab Security Advisory < 20191014-0 >======================================================================= title: Reflected XSS vulnerability product: OpenProject vulnerable version: <= 9.0.3, <=10.0.1 fixed version: 9.0.4, 10.0.2 CVE number: CVE-2019-17092 impact: medium

Document Title===============Reflected XSS via `Broken Link Checker` v.1.11.8 WordPress plugin.Product Description===============Broken Link Checker will monitor your blog looking for broken links and letyou know if any are found.Homepage: https://managewp.com/WordPress Plugin: https://wordpress.org/plugins/broken-link-checker/PoC===============1) Login to y

お久しぶりです＆あけましておめでとうございます。昨年はブログを書く時間をうまく作ることができず、あまり記事を書けませんでした。今年はできるだけ月に1回程度何か書いていきたいと思っています。今年もよろしくお願いします！さて、ブログを書かなかった間にXSSからSQLインジェクションへ興味が移った、なんてことはありませんでしたので、今日もいつも通り大好きなXSSの話をしたいと思います！最近、正規表現にユーザ入力を使っていることに起因するDOM based XSSに連続して遭遇しました。あまり見慣れていない注意が必要な問題だと思うので、この記事では、見つけたもの2つがどのように生じたか、また、問題を起こさないためにどうすればよいかを紹介します。そのうちの1つはLINEのBug Bounty Programを通じて報告し

Title: V-SOL GPON/EPON OLT Platform v2.03 Reflected XSS Vulnerability Advisory ID: ZSL-2019-5537 Type: Local/Remote Impact: Cross-Site Scripting Risk: (3/5) Release Date: 26.09.2019SummaryGPON is currently the leading FTTH standard in broadband accesstechnology being wide

I noticed DOMPurify would let you use the title tag when injecting a self closing SVG. Normally it blocks title outside of SVG however using the self closing trick you could bypass that restriction. <svg/><title> Injecting the title tag is important because it mutates, as I’ve tweeted about in the past. In order for the mXSS to be effectiv

“Those who rule data will rule the entire world.” - 孫正義TLDR; Crafting Dataset Publishing Language bundles to get stored XSS in the context of www.google.com, and using the DSPL remote sources functionality to access local services (SSRF).The Google Public Data Explorer is a tool to make large datasets easy to explore and visualize. eg., Visualizing Hea

Yes, you heard correct Google Chromium devs announced the news about XSS auditor. The XSS auditor time and again bypassed by the client security researcher to execute the malicious javascript, and this may be the primary reason to be deprecated and removed from the Google Chrome browser. The anti-cross site scripting engine (XSS auditor) is not cove

Product: User Login History Wordpress Plugin - https://wordpress.org/plugins/user-login-history/Vendor: Er Faiyaz AlamTested version: 1.5.2CVE ID: CVE-2017-15867** CVE description **Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via

A security researcher discovered a number of embarrassing vulnerabilities in the popular anonymous feedback app Sarahah. The anonymous feedback app Sarahah makes the headlines once again, according to the according to security researcher Scott Helme, the web-based version of the app is plagued with security flaws. Sarahah mobile app allows users to receive a

=============================================- Release date: October 05th, 2017- Discovered by: Giovanni Cerrato, Giovanni Guido and BackBox team- Severity: Medium============================================= I. VULNERABILITY-------------------------Lansweeper XSS vulnerability. II. INTRODUCTION-------------------------Lansweeper an Asset Management and Netw

Details================Software: Content AuditVersion: 1.9.1Homepage: https://wordpress.org/plugins/content-audit/Advisory report: https://security.dxw.com/advisories/csrf-xss-content-audit/CVE: Awaiting assignmentCVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)Description================CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almo

The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in D-Link DIR 850L routers and invites users to stop using them. The security researcher Pierre Kim has discovered ten critical zero-day vulnerabilities in routers from networking equipment manufacturer D-Link that open owners to cyber attacks. The flawed devices are the