There is a possible reflected Cross-Site Scripting attack. An attacker able to cause a user to follow a specially crafted malicious link may be able to recover session identifiers or exploit browser vulnerabilities. The template parameter is vulnerable to cross-site scripting. Affects MoinMoin 1.9.2 and prior.
The vulnerability exists due to failure in the "/_layouts/help.aspx" script to properly sanitize user-supplied input in "cid0" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
Jetty versions 6.1.16 and below are vulnerables. A Cross-Site scripting vulnerability has been reported in Jetty. This vulnerability can be induced whenever Jetty displays a web directory listing. Client-side script code can be included in the HTTP response by appending it next to directory listing's path, preceded by a ';' character.
A reflected cross-site scripting vulnerability was found in the generic exception handler of Hyperic, located in hq/web/common/GenericError.jsp.
A reflected cross-site scripting vulnerability in eyeOS 2.3 can be exploited to execute arbitrary JavaScript.
A Cross-Site Scripting (XSS) vulnerability in the Forum module in Drupal 6.x (prior to version 6.13) allows remote attackers to inject arbitrary web scripts or HTML by requesting a specially crafted tid. Forum module must be active in the attacked Drupal
The application fails to sanitize the bug_id parameter in several pages such as edit_comment and edit_bug, leading to a cross site scripting vulnerability.
A Reflected Cross Site Scripting vulnerability was found in the atksearch[contractnumber], atksearch_AE_customer[customer] and atksearchmode[contracttype] variables within the 'Organization Contracts' administration page. This is because the application does not properly sanitize the users input. Vulnerable version is = 1.3.4.
This module exploits an authentication vulnerability in Wordpress 2.5. An attacker, able to register a specially crafted username on a Wordpress 2.5 installation, will also be able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. The proper way to exploit this vulnerability is to use a Wordpress account which its username starts with the word "admin", for example "admin99".
A weakness has been reported in WordPress which can be exploited to bypass certain security restrictions. The weakness is due to a bug within the password reset functionality when verifying the secret key. This can be exploited to reset the password of the first user without a key in the database (usually administrator) without providing the correct secret key.