News aggregator

CVE-2017-16008

National Vulnerability Database - Mon, 06/04/2018 - 15:29
i18next is a language translation framework. Because of how the interpolation is implemented, making replacements from the dictionary one at a time, untrusted user input can use the name of one of the dictionary keys to inject script into the browser. This affects i18next <=1.10.2.
Categories: Security News

CVE-2017-16009

National Vulnerability Database - Mon, 06/04/2018 - 15:29
ag-grid is an advanced data grid that is library agnostic. ag-grid is vulnerable to Cross-site Scripting (XSS) via Angular Expressions, if AngularJS is used in combination with ag-grid.
Categories: Security News

CVE-2017-16011

National Vulnerability Database - Mon, 06/04/2018 - 15:29
jQuery is a javascript library for DOM manipulation. jQuery's main method in affected versions (>=1.7.1 <=1.8.3) contains an unreliable way of detecting whether the input to the `jQuery(strInput)` function is intended to be a selector or HTML.
Categories: Security News

CVE-2017-16012

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Jquery is a javascript library for DOM traversal and manipulation, event handling, animation, and Ajax. When text/javascript responses are received from cross-origin ajax requests not containing the option `dataType`, the result is executed in `jQuery.globalEval` potentially allowing an attacker to execute arbitrary code on the origin. This affects Jquery >=1.4.0 <=1.11.3 || >=1.12.4 <=2.2.4.
Categories: Security News

CVE-2017-16013

National Vulnerability Database - Mon, 06/04/2018 - 15:29
hapi is a web and services application framework. When hapi >= 15.0.0 <= 16.1.0 encounters a malformed `accept-encoding` header an uncaught exception is thrown. This may cause hapi to crash or to hang the client connection until the timeout period is reached.
Categories: Security News

CVE-2017-16014

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Http-proxy is a proxying library. Because of the way errors are handled in versions before 0.7.0, an attacker that forces an error can crash the server, causing a denial of service.
Categories: Security News

CVE-2017-16015

National Vulnerability Database - Mon, 06/04/2018 - 15:29
Forms is a library for easily creating HTML forms. Versions before 1.3.0 did not have proper html escaping. This means that if the application did not sanitize html on behalf of forms, use of forms may be vulnerable to cross site scripting
Categories: Security News

CVE-2017-1748

National Vulnerability Database - Mon, 06/04/2018 - 13:29
IBM Connections 5.0, 5.5, and 6.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 135521.
Categories: Security News

CVE-2018-11715

National Vulnerability Database - Mon, 06/04/2018 - 13:29
The Recent Threads plugin before 1.1 for MyBB allows XSS via a thread subject.
Categories: Security News

CVE-2018-1600

National Vulnerability Database - Mon, 06/04/2018 - 13:29
IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors. IBM X-Force ID: 143745.
Categories: Security News

CVE-2016-10676

National Vulnerability Database - Mon, 06/04/2018 - 12:29
rs-brightcove is a wrapper around brightcove's web api rs-brightcove downloads source file resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10677

National Vulnerability Database - Mon, 06/04/2018 - 12:29
google-closure-tools-latest is a Node.js module wrapper for downloading the latest version of the Google Closure tools google-closure-tools-latest downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10678

National Vulnerability Database - Mon, 06/04/2018 - 12:29
serc.js is a Selenium RC process wrapper serc.js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10683

National Vulnerability Database - Mon, 06/04/2018 - 12:29
arcanist downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10684

National Vulnerability Database - Mon, 06/04/2018 - 12:29
healthcenter - IBM Monitoring and Diagnostic Tools health Center agent healthcenter downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10685

National Vulnerability Database - Mon, 06/04/2018 - 12:29
pk-app-wonderbox is an integration with wonderbox pk-app-wonderbox downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10686

National Vulnerability Database - Mon, 06/04/2018 - 12:29
fis-sass-all is another libsass wrapper for node. fis-sass-all downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10687

National Vulnerability Database - Mon, 06/04/2018 - 12:29
windows-selenium-chromedriver is a module that downloads the Selenium Jar file. windows-selenium-chromedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10688

National Vulnerability Database - Mon, 06/04/2018 - 12:29
Haxe 3 : The Cross-Platform Toolkit (a fork from David Mouton's damoebius/haxe-npm) haxe3 downloads resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

CVE-2016-10689

National Vulnerability Database - Mon, 06/04/2018 - 12:29
The windows-iedriver module downloads fixed version of iedriverserver.exe windows-iedriver downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker controlled copy if the attacker is on the network or positioned in between the user and the remote server.
Categories: Security News

Pages