scr

Geeklog 2.2.1 Cross Site Scripting

Geeklog version 2.2.1 suffers from a cross site scripting vulnerability.





POS PHP 17.5 Cross Site Scripting

POS PHP version 17.5 suffers from a persistent cross site scripting vulnerability.





Easy Transfer 1.7 Cross Site Scripting / Directory Traversal

Easy Transfer version 1.7 for iOS suffers from cross site scripting and directory traversal vulnerabilities.





ChemInv 1 Cross Site Scripting

ChemInv version 1 suffers from a persistent cross site scripting vulnerability.





Online Scheduling System 1.0 Cross Site Scripting

Online Scheduling System version 1.0 suffers from a persistent cross site scripting vulnerability.





PHP-Fusion 9.03.50 Cross Site Scripting

PHP-Fusion version 9.03.50 suffers from a persistent cross site scripting vulnerability.





osTicket 1.14.1 Cross Site Scripting

osTicket version 1.14.1 suffers from a persistent cross site scripting vulnerability.





WordPress WooCommerce Advanced Order Export 3.1.3 Cross Site Scripting

WordPress WooCommerce Advanced Order Export plugin version 3.1.3 suffers from a cross site scripting vulnerability.





Online Clothing Store 1.0 Cross Site Scripting

Online Clothing Store version 1.0 suffers from a persistent cross site scripting vulnerability.





Sentrifugo CMS 3.2 Cross Site Scripting

Sentrifugo CMS version 3.2 suffers from a persistent cross site scripting vulnerability.





iChat 1.6 Cross Site Scripting

iChat version 1.6 suffers from a cross site scripting vulnerability.





OpenZ ERP 3.6.60 Cross Site Scripting

OpenZ ERP version 3.6.60 suffers from a persistent cross site scripting vulnerability.





Draytek VigorAP Cross Site Scripting

Draytek VigorAP suffers from a persistent cross site scripting vulnerability. Multiple different versions are affected.





Tiny MySQL Cross Site Scripting

Tiny MySQL suffers from a cross site scripting vulnerability.





WebTareas 2.0p8 Cross Site Scripting

WebTareas version 2.0p8 suffers from a cross site scripting vulnerability.





WordPress Dosimple Theme 2.0 Cross Site Scripting

WordPress Dosimple theme version 2.0 suffers from a cross site scripting vulnerability.





Phrack - Attacking JavaScript Engines

Phrack: Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622.





Phrack - Viewer Discretion Advised - (De)coding An iOS Kernel Vulnerability

Phrack write-up titled "Viewer Discretion Advised: (De)coding an iOS Kernel Vulnerability".





CHIYU BF430 TCP IP Converter Cross Site Scripting

CHIYU BF430 TCP IP Converter suffers from a persistent cross site scripting vulnerability.





Juniper Secure Access Cross Site Scripting

Juniper Secure Access suffers from a cross site scripting vulnerability. SA Appliances running Juniper IVE OS 6.0 or higher are affected.





Juniper SSL VPN Bypass / Cross Site Scripting

This is a list of older cross site scripting and bypass vulnerabilities associated with older Juniper IVE releases.





Juniper Secure Access Cross Site Scripting

Juniper Secure Access software suffers from a reflective cross site scripting vulnerability.





Juniper JunOS 9.x Cross Site Scripting

Juniper JunOS version 9.x suffers from an HTML injection vulnerability that allows for cross site scripting attacks.





Swift File Transfer Mobile Cross Site Scripting / Information Disclosure

The Swift File Transfer mobile application for iOS, BlackBerry and Android suffers from cross site scripting and information disclosure vulnerabilities.






Chap Cuffed After Treating Commuters To Giant-Screen Smut





NoScript Extension Officially Released For Google Chrome





Create-Project Manager 1.07 Cross Site Scripting / HTML Injection

Create-Project Manager version 1.07 suffers from cross site scripting and HTML injection vulnerabilities.





LANCOM WLAN Controller Cross Site Scripting

LANCOM WLAN Controller suffers from multiple cross site scripting vulnerabilities. Multiple versions and firmware are affected.






Internet Explorer Script Interjection Code Execution

The vulnerability described in this document can be exploited by a malicious Web page to execute arbitrary code with low integrity. Active scripting must be enabled, and the present exploitation techniques require that font downloading be set to "Enable" or "Prompt" and that the "mailto:" protocol be present. (These requirements are satisfied by default on Windows XP, Windows Vista, and Windows 7.) The user is presented with a message box which must be dismissed before code execution can occur.









Solaris 11.4 xscreensaver Privilege Escalation

Solaris version 11.4 xscreensaver local privilege escalation exploit.





Solaris xscreensaver Privilege Escalation

This Metasploit module exploits a vulnerability in xscreensaver versions since 5.06 on unpatched Solaris 11 systems which allows users to gain root privileges. xscreensaver allows users to create a user-owned file at any location on the filesystem using the -log command line argument introduced in version 5.06. This module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable. This module has been tested successfully on xscreensaver version 5.15 on Solaris 11.1 (x86) and xscreensaver version 5.15 on Solaris 11.3 (x86).





Open-Xchange OX App Suite Content Spoofing / Cross Site Scripting

Open-Xchange OX App Suite suffers from content spoofing, cross site scripting, and information disclosure vulnerabilities. Versions affected vary depending on the vulnerability.





PTP-RAT Screen Share Proof Of Concept

PTP-RAT is a proof of concept that allows data theft via screen-share protocols. Each screen flash starts with a header. This contains a magic string, "PTP-RAT-CHUNK" followed by a sequence number. When the receiver is activated, it starts taking screenshots at twice the transmission frequency (the Nyquist rate). When it detects a valid header, it decodes the pixel colour information and waits on the next flash. As soon as a valid header is not detected, it reconstructs all the flashes and saves the result to a file. To transfer a file, you run an instance of the Rat locally on your hacktop, and set that up as a receiver. Another instance is run on the remote server and this acts as a sender. You simply click on send file, and select a file to send. The mouse pointer disappears and the screen begins to flash as the file is transmitted via the pixel colour values. At the end of the transfer, a file-save dialog appears on the receiver, and the file is saved.





Macs Framework 1.14f Cross Site Scripting / SQL Injection

Macs Framework version 1.14f suffers from cross site scripting and remote SQL injection vulnerabilities.





Project Open CMS 5.0.3 Cross Site Scripting / SQL Injection

Project Open CMS version 5.0.3 suffers from cross site scripting and remote SQL injection vulnerabilities.





hits script 1.0 SQL Injection

hits script version 1.0 suffers from a remote SQL injection vulnerability.





Brain Hack Devices Must Be Scrutinized, Say Top Scientists






Teltonika RUT9XX Reflected Cross Site Scripting

Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization.





Sierra Wireless AirLink ES450 ACEManager ping_result.cgi Cross Site Scripting

An exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected JavaScript code execution, resulting in the execution of JavaScript code running on the victim's browser. An attacker can get a victim to click a link, or embedded URL, that redirects to the reflected cross-site scripting vulnerability to trigger this vulnerability.





France ups investment screening

Investors in France will face greater scrutiny under extended legislation.





FDI screening moves to the fore as protectionism takes hold

Authorities in the US, the EU and across the developed world are stepping up efforts to scrutinise foreign investment on the grounds of both national security and tech sovereignty.





Total.js CMS 12 Widget JavaScript Code Injection

This Metasploit module exploits a vulnerability in Total.js CMS. The issue is that a user with admin permission can embed a malicious JavaScript payload in a widget, which is evaluated server side, and gain remote code execution.





4G Networks Vulnerable To DoS Attacks, Subscriber Tracking





Will FDI screening become the new norm?

The trend towards the vetting of foreign investment, especially projects that involve advanced technology and national data or pose potential security threats, is on the rise. David Gabathuler and Matthew T West give a trans-Atlantic perspective.





Asia Report: India's Vastly Oversubscribed Solar Allocations

Last week India finally held its national solar auction, the first in two years, seen as the least risky of several national and state-level solar auctions held over the past few years.





JavaScript Skimmers Found Hidden in 'Favicon' Icons

Malwarebytes Researchers Say Attacks Appear Related to Magecart
Cybercriminals are hiding malicious JavaScript skimmers in the "favicon" icons of several ecommerce websites in an effort to steal payment card data from customers, researchers at Malwarebytes say.