Spring Boot Framework 1.2.7 provides a default error page (also known as "Whitelabel Error Page"), that's prone to Spring Expression Language injection when the type of a parameter expected is not expected to be a string but a string is provided. Applications based on Spring Boot that don't deactivate the feature, or customize it in such a way as to stop the injection, are thus susceptible to execution of some Java statements and, in particular, to OS command injections.



This module checks all the parameters in the given pages and, if at least one parameter is vulnerable to the injection, installs an OS Agent.

This module exploits a SQL Injection vulnerability in Joomla which allows gathering of users and password hashes by parsing SQL output errors

This module exploits a remote code execution vulnerability in Joomla. The session handling code is susceptible to PHP Object Injection attacks due to lack of sanitization in some HTTP headers that are saved to the database session backend.

This update introduces an OS Command Injection Exploit for the "Wordpress Landing Pages" plugin.

Magento eCommerce Web Sites suffers from a Authentication Bypass Vulnerability, a Blind SQL Injection Vulnerability and a Remote File Inclusion Vulnerability.



These 3 vulnerabilities, allows an attacker to gain arbitrary code execution on the affected system.

A cross-site scripting vulnerability exists in the comments rendering in Wordpress 4.1.1 and previous versions. This exploit abuses a persistent cross site scripting vulnerability in Wordpress to install an OS Agent in the server running the Wordpress installation. This update includes a module that posts a comment with the cross site scripting code as a comment in a Wordpress post. The javascript code will attempt to install a Wordpress plugin everytime the post comment is rendered. The plugin will in turn install an OS agent in the server running Wordpress.



This update adds the option to use the module in a verification mode, so a comment can be posted to verify if it would be moderated with the current webapps scenario in use.

This update is to add the exploit in order to attack Drupal core CMS 7.x versions prior to 7.32 using default configuration (CVE-2014-3704).

XAMPP suffers from multiple XSS issues in several scripts that use the 'PHP_SELF' variable. The vulnerabilities can be triggered in the 'xamppsecurity.php', 'cds.php' and 'perlinfo.pl' because there isn't any filtering to the mentioned variable in the affected scripts. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.

The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.

OpenEMR fails to sanitize the pc_category parameter in interface/main/calendar/index.php leading to a Cross-Site Scripting vulnerability.