Re: [FD] Ignite Realtime Openfire Version 3.7.1 Reflected Cross Site Scripting (CVE-2018-11688)

2018-06-08 Thread Simon Waters
Thanks Yavuz, this appears to have been addressed in 3.9.2 release of OpenFire in May 2014. I'm unable to reproduce in OpenFire 4.2.3. I would strongly suggest running the latest version of OpenFire (4.2.3 at time of writing) as there were multiple XSS and other security issues (missing CSRF

[FD] Open-Xchange Security Advisory 2018-06-08

2018-06-08 Thread Open-Xchange GmbH
Dear subscribers, we've migrated our public disclosure workflow to full-disclosure and are catching up on publishing recent vulnerabilities through this channel. Feel free to join our bug bounty programs (open-xchange, dovecot, powerdns) at HackerOne. Yours sincerely, Martin Heiland,

[FD] ESPN Reflected XSS

2018-06-08 Thread Ismail Doe
Document Title: === Reflected XSS on ESPN site PoC: === 1) Navigate to the following URL: http://cdn.espn.com/core/standalone/webview?partial=%22%3E%3Cimg%20src%3D1%20onerror%3Dalert(1337)%3E%2F%2F=sc=en=us=ios 2) Note that the form alerts with the payload

[FD] ClassLink browser extension vulnerable to UXSS; ClassLink Agent vulnerable to Remote Code Execution.

2018-06-08 Thread EdTech Secure via Fulldisclosure
The ClassLink OneClick Browser Extension and the ClassLink Agent are vulnerable to Universal XSS and Remote Code Execution. Vendor has released software updates to fix both vulnerabilities on 3 June 2018. === Vendor === ClassLink: https://www.classlink.com === Vulnerability #1: Universal XSS

[FD] DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities

2018-06-08 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities Advisory ID: DC-2018-05-004 Advisory Title: WordPress Contact Form Maker Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software:

[FD] DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities

2018-06-08 Thread Defense Code
DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities Advisory ID: DC-2018-05-001 Advisory Title: WordPress Form Maker Plugin Multiple Vulnerabilities Advisory URL: http://www.defensecode.com/advisories.php Software: WordPress Form Maker

[FD] libfsntfs 20180420 vulns

2018-06-08 Thread 熊文彬
libfsntfs multiple vulnerabilities Author : Webin security lab - dbapp security Ltd === Introduction: = libfsntfs is a library to access the New Technology File System (NTFS). Affected version: = 20180420 Vulnerability Description:

[FD] libpff 20180428 vulnerability

2018-06-08 Thread 熊文彬
libpff vulnerability Author : Webin security lab - dbapp security Ltd === Introduction: = libpff is a library to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. These formats are used by Microsoft Outlook to store email,

[FD] [SRP-2018-01] Reverse engineering tools for ST DVB chipsets (public release)

2018-06-08 Thread Security Explorations
Hello All, We have decided to release to the public domain our SRP-2018-01 security research project related to the security of STMicroelectronics chipsets. The research material (70+ pages long technical paper accompanied by two reverse engineering tools) can be downloaded from the SRP