Advisories
Please read our Vulnerability Disclosure Policy.
Elastic Path - Administrative Session Hijacking through Embedded XSS
Apr 26, 2007
Elastic Path has been identified as vulnerable to an embedded Cross Site Scripting (XSS) attack that could potentially allow remote attackers to hijack a legitimate administrator's session cookie. An attacker could exploit this vulnerability to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.
Cache Sample Page XSS
Apr 04, 2007
The sample Cache Server pages shipped with the Cache database contain a number of Cross Site Scripting (XSS) vulnerabilities. These could enable an attacker to target users of a web application deployed on the same system.
Communigate XSS
Feb 27, 2007
The CommuniGate Pro application provides a web-based interface that allows users to retrieve email using a web browser. However, email content is not sufficiently sanitised, which can result in the execution of arbitrary scripts. On accessing the web interface of the application, the user is assigned a session ID; by sending a specially crafted email, an attacker would be able to trick the user into transmitting their session ID to the attacker.
Cisco IOS Invalid DLSw Handshake Denial of Service
Jan 10, 2007
Data Link Switching is primarily used for transporting SNA communications across an IP network. Support for this protocol is provided by Cisco networking devices as part of IOS although it is not enabled by default. In specific configurations an attacker could use the DLSw service to trigger a reload of the router's configuration resulting in a Denial of Service condition.
Crystal Reports Weak Sessions
Nov 28, 2006
Crystal Reports makes use of a cookie value called WCSID as a session identifier. This session identifier is not sufficiently random, nor does it contain enough entropy. In addition, the session identifier is not tied to a user's IP address. This combination allows an attacker to hijack any currently authenticated user's session from any location.
