Exploit the possiblities
Showing 101 - 125 of 638 RSS Feed

JavaScript Files

rexx Recruitment Cross Site Scripting
Posted Mar 27, 2014
Site redteam-pentesting.de

RedTeam Pentesting discovered a cross site scripting vulnerability in rexx Recruitment's user registration page during a penetration test. If attackers can persuade users to click on a prepared link or redirected them to such a link from an attacker-controlled website, they are able to run arbitrary JavaScript code in the context of the rexx Recruitment installation's domain.

tags | exploit, arbitrary, javascript, xss
advisories | CVE-2014-1224
MD5 | 97986366cde5127bc8b94ed55a77a95a
1XTRA Browser 1.0 Remote Code Execution
Posted Mar 18, 2014
Authored by Keith Makan

XTRA Browser suffers from a remote code execution vulnerability stemming from insecure use of the addJavascriptInterface functionality. The vulnerability allows attackers to execute code through targeted browsing attacks to pages hosting malicious JavaScript or by loading up a malicious file into the affected application from the local storage.

tags | advisory, remote, local, javascript, code execution
MD5 | 2906e8ed19c4fdac9dd8b1b4f2ae65c5
Mandriva Linux Security Advisory 2014-054
Posted Mar 13, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-054 - An attacker could send a specially prepared HTML email to OTRS. If he can then trick an agent into following a special link to display this email, JavaScript code would be executed.

tags | advisory, javascript
systems | linux, mandriva
advisories | CVE-2014-1695
MD5 | 883e7585cdbf880fb1bf60b0b1eb6713
Mandriva Linux Security Advisory 2014-057
Posted Mar 13, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-057 - MediaWiki user Michael M reported that the fix for CVE-2013-4568 allowed insertion of escaped CSS values which could pass the CSS validation checks, resulting in XSS. Chris from RationalWiki reported that SVG files could be uploaded that include external stylesheets, which could lead to XSS when an XSL was used to include JavaScript. During internal review, it was discovered that MediaWiki's SVG sanitization could be bypassed when the XML was considered invalid. During internal review, it was discovered that MediaWiki displayed some information about deleted pages in the log API, enhanced RecentChanges, and user watchlists. Netanel Rubin from Check Point discovered a remote code execution vulnerability in MediaWiki's thumbnail generation for DjVu files. Internal review also discovered similar logic in the PdfHandler extension, which could be exploited in a similar way. MediaWiki before 1.22.3 does not block unsafe namespaces, such as a W3C XHTML namespace, in uploaded SVG files. Some client software may use these namespaces in a way that results in XSS. This was fixed by disallowing uploading SVG files using non-whitelisted namespaces. MediaWiki before 1.22.3 performs token comparison that may be vulnerable to timing attacks. This was fixed by making token comparison use constant time. MediaWiki before 1.22.3 could allow an attacker to perform XSS attacks, due to flaw with link handling in api.php. This was fixed such that it won't find links in the middle of api.php links. MediaWiki has been updated to version 1.22.3, which fixes these issues, as well as several others. Also, the mediawiki-ldapauthentication and mediawiki-math extensions have been updated to newer versions that are compatible with MediaWiki 1.22. Additionally, the mediawiki-graphviz extension has been obsoleted, due to the fact that it is unmaintained upstream and is vulnerable to cross-site scripting attacks. Note: if you were using the instances feature in these packages to support multiple wiki instances, this feature has now been removed. You will need to maintain separate wiki instances manually.

tags | advisory, remote, php, javascript, code execution, xss
systems | linux, mandriva
advisories | CVE-2013-6451, CVE-2013-6452, CVE-2013-6453, CVE-2013-6472, CVE-2014-1610, CVE-2014-2242, CVE-2014-2243, CVE-2014-2244
MD5 | 45e737dcfa0c42c94baa431905ea05d2
Firefox Exec Shellcode From Privileged Javascript Shell
Posted Mar 13, 2014
Authored by joev | Site metasploit.com

This Metasploit module allows execution of native payloads from a privileged Firefox Javascript shell. It puts the specified payload into memory, adds the necessary protection flags, and calls it. Useful for upgrading a Firefox javascript shell to a Meterpreter session without touching the disk.

tags | exploit, shell, javascript
MD5 | d41a7beebd334541e6643cd39ede1caf
Open-Xchange 7.4.1 Script Insertion
Posted Feb 11, 2014
Authored by joernchen, Martin Braun

Open-Xchange AppSuite version 7.4.1 fails to properly neutralize javascript inserted at the header of an SVG image file.

tags | advisory, javascript
advisories | CVE-2014-1679
MD5 | bc21012775f1fb67c09ffbca640ce011
Android Browser / WebView addJavascriptInterface Code Execution
Posted Feb 7, 2014
Authored by jduck, joev | Site metasploit.com

This Metasploit module exploits a privilege escalation issue in Android versions prior 4.2's WebView component that arises when untrusted Javascript code is executed by a WebView that has one or more Interfaces added to it. The untrusted Javascript code can call into the Java Reflection APIs exposed by the Interface and execute arbitrary commands. Some distributions of the Android Browser app have an addJavascriptInterface call tacked on, and thus are vulnerable to RCE. The Browser app in the Google APIs 4.1.2 release of Android is known to be vulnerable. A secondary attack vector involves the WebViews embedded inside a large number of Android applications. Ad integrations are perhaps the worst offender here. If you can MITM the WebView's HTTP connection, or if you can get a persistent XSS into the page displayed in the WebView, then you can inject the html/js served by this module and get a shell. Note: Adding a .js to the URL will return plain javascript (no HTML markup).

tags | exploit, web, arbitrary, shell, javascript
MD5 | b1f0b039cf8acfc93ca30fa9147f1966
Vega Web Security Scanner 1.0 Build 108 (Mac 32-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Mac OS X 32-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | unix, apple, osx
MD5 | 437a08bf6f3217cf2db24846ab6c33fe
Vega Web Security Scanner 1.0 Build 108 (Mac 64-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Mac OS X 64-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | unix, apple, osx
MD5 | 549327de9a8629af4fba1c262d90aa79
Vega Web Security Scanner 1.0 Build 108 (Linux 64-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Linux 64-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | linux, unix
MD5 | 1fb18ba012653f484add1b445da8f13d
Vega Web Security Scanner 1.0 Build 108 (Linux 32-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Linux 32-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | linux, unix
MD5 | 7568ef30a44a2328ac254a6e0858cc2b
Vega Web Security Scanner 1.0 Build 108 (Windows 32-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Microsoft Windows 32-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | windows, unix
MD5 | 47f99288eecf8c3ca1c17d28420b37cd
Vega Web Security Scanner 1.0 Build 108 (Windows 64-bit)
Posted Jan 4, 2014
Authored by Subgraph | Site subgraph.com

Vega is a GUI-based, multi-platform, free and open source web security scanner that can be used to find instances of SQL injection, cross-site scripting (XSS), and other vulnerabilities in your web applications. Vega also includes an intercepting proxy for interactive web application debugging that can also do active scanning (NEW in 1.0). Vega attack modules are written in Javascript, users can easily modify them or write their own. Microsoft Windows 64-bit release.

tags | tool, web, scanner, javascript, vulnerability, xss, sql injection
systems | windows, unix
MD5 | 29c0e96a4e1d53903d71afff2c3babc0
Mandriva Linux Security Advisory 2013-290
Posted Dec 19, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-290 - Kevin Israel identified and reported two vectors for injecting Javascript in CSS that bypassed MediaWiki's blacklist. Internal review while debugging a site issue discovered that MediaWiki and the CentralNotice extension were incorrectly setting cache headers when a user was autocreated, causing the user's session cookies to be cached, and returned to other users.

tags | advisory, javascript
systems | linux, mandriva
advisories | CVE-2013-4567, CVE-2013-4568, CVE-2013-4572
MD5 | b148020f2878bd2fcf94ec15125260d7
Mandriva Linux Security Advisory 2013-287-1
Posted Dec 18, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-287 - Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive. Drupal's form API has built-in cross-site request forgery validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances. Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability. A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS. The Overlay module displays administrative pages as a layer over the current page , rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability. The updated packages has been upgraded to the 7.24 version which is unaffected by these security flaws. Additional apache ACL restrictions has been added to fully conform to the SA-CORE-2013-003 advisory.

tags | advisory, javascript, xss, csrf
systems | linux, mandriva
advisories | CVE-2013-0316, CVE-2013-6385, CVE-2013-6386, CVE-2013-6387, CVE-2013-6388, CVE-2013-6389
MD5 | 95c6c9210b39646db094d3cebe807168
Red Hat Security Advisory 2013-1842-01
Posted Dec 17, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1842-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. A denial of service flaw was found in the way Node.js handled pipelined HTTP requests. A remote attacker could use this flaw to send an excessive amount of HTTP requests over a network connection, causing Node.js to use an excessive amount of memory and possibly exit when all available memory is exhausted. Node.js is included in Red Hat Software Collections 1.0 as a Technology Preview.

tags | advisory, remote, web, denial of service, javascript
systems | linux, redhat
advisories | CVE-2013-4450
MD5 | 38e4b813706d3223fe06418bfbec7ea6
LiveZilla 5.1.2.0 Insecure Password Storage
Posted Dec 16, 2013
Authored by Jakub Zoczek

LiveZilla version 5.1.2.0 stores a user's login and password in javascript.

tags | exploit, javascript
advisories | CVE-2013-7033
MD5 | 6790fe1429627fc77da1740e194a77a9
ZoneDirector Cross Site Scripting
Posted Nov 13, 2013
Authored by Ruckus Product Security Team

A persistent cross site scripting weakness has been discovered in the guest pass provisioning web interface of the ZoneDirector controller devices. An attacker with access to an authenticated user session with privileges for guest pass generation may cause certain malicious javascript code to execute in the user's browser with privileges of the user or the admin. ZoneDirector Controllers versions 9.3.x, 9.4.x, 9.5.x, and 9.6.x are affected.

tags | advisory, web, javascript, xss
MD5 | 0bfe45d312ae0aa56f3f9376b3bd7697
Red Hat Security Advisory 2013-1480-01
Posted Oct 30, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1480-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. It was found that the Thunderbird JavaScript engine incorrectly allocated memory for certain functions. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Thunderbird.

tags | advisory, arbitrary, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2013-5590, CVE-2013-5595, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5604
MD5 | c85780837dfcd3b0c46e2a61dc9a0f49
Red Hat Security Advisory 2013-1476-01
Posted Oct 29, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1476-01 - Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to terminate unexpectedly or, potentially, execute arbitrary code with the privileges of the user running Firefox. It was found that the Firefox JavaScript engine incorrectly allocated memory for certain functions. An attacker could combine this flaw with other vulnerabilities to execute arbitrary code with the privileges of the user running Firefox.

tags | advisory, web, arbitrary, javascript, vulnerability
systems | linux, redhat
advisories | CVE-2013-5590, CVE-2013-5595, CVE-2013-5597, CVE-2013-5599, CVE-2013-5600, CVE-2013-5601, CVE-2013-5602, CVE-2013-5604
MD5 | 0670605d5acaaae6a3c2623c7347d636
Nodejs js-yaml load() Code Execution
Posted Sep 25, 2013
Authored by joev | Site metasploit.com

For node.js applications that parse user-supplied YAML input using the load() function from the 'js-yaml' package versions below 2.0.5, specifying a self-executing function allows us to execute arbitrary javascript code. This Metasploit module demonstrates that behavior.

tags | exploit, arbitrary, javascript
advisories | CVE-2013-4660
MD5 | 13ebdbf55dfc348a60df26ecc83b7575
Mental JS Sandbox Bypass
Posted Sep 20, 2013
Authored by Rafay Baloch, Giuseppe Trotta

Mental JS suffers from a sandbox bypass due to the ability to still execute javascript via document.inner.HTML.

tags | exploit, javascript, bypass
MD5 | 9c4162c118fa0355c9c61252196d47be
Red Hat Security Advisory 2013-1269-01
Posted Sep 17, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1269-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. A flaw was found in the way Thunderbird handled certain DOM JavaScript objects. An attacker could use this flaw to make JavaScript client or add-on code make incorrect, security sensitive decisions.

tags | advisory, arbitrary, javascript
systems | linux, redhat
advisories | CVE-2013-1718, CVE-2013-1722, CVE-2013-1725, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737
MD5 | eb678f2e42c293330434bc964f3f1732
Red Hat Security Advisory 2013-1268-01
Posted Sep 17, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1268-01 - Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. A flaw was found in the way Firefox handled certain DOM JavaScript objects. An attacker could use this flaw to make JavaScript client or add-on code make incorrect, security sensitive decisions.

tags | advisory, web, arbitrary, javascript
systems | linux, redhat
advisories | CVE-2013-1718, CVE-2013-1722, CVE-2013-1725, CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736, CVE-2013-1737
MD5 | edf3c236d712998ac9beac8678a79f4a
Moodle 2.3.9 / 2.4.9 Javascript Insertion
Posted Sep 9, 2013
Authored by Ciaran McNally

Moodle versions 2.3.9 and below and 2.4.6 suffer from a javascript insertion vulnerability that allows for the addition of an RSS blog.

tags | exploit, javascript
MD5 | 283f28e20043f8734598d1baeb57972f
Page 5 of 26
Back34567Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close