SySS GmbH found out that the request new user and translation functionalities of the web application perfact::mpa are prone to reflected cross-site scripting attacks.
>> ARCHIVE: 2016-03
SySS GmbH found out that unauthorized users are able to download arbitrary files of other users that have been uploaded via the file upload functionality. As the file names of…
The tested web application perfact::mpa offers no protection against cross-site request forgery (CSRF) attacks. This kind of attack forces end users, or rather their web browsers, to perform unwanted actions in…
The SySS GmbH found out that any logged in user is able to download valid VPN configuration files of arbitrary existing remote sessions. All an intruder needs to know is…
The SySS GmbH found out that the web application perfact::mpa accepts user-controlled input via the URL parameter “redir” that can be used to redirect victims to an arbitrary site which…
The SySS GmbH found out that different resources of the web application perfact::mpa can be directly accessed by the correct URL due to improper user authorization checks. That is, unauthorized…
The SySS GmbH found out that different functions of the web application perfact::mpa are prone to persistent cross-site scripting attacks due to insufficient user input validation.
WordPress GravityForms plugin version 1.9.15.11 suffers from a cross-site scripting vulnerability.
Inserting an HTML ‘script’ tag into the URL of a web site protected by Sophos UTM 525 yields an error page which contains the ‘script’ tag unfiltered. Executing malicious JavaScript…
em4 soft suffers from a division by zero attack when handling Crouzet Logic Software Document ‘.pm4’ files, resulting in a denial of service vulnerability and possibly loss of data.