Magnolia is an open source headless enterprise CMS, used by leading global brands to power digital experiences. ITAS Team has found several security gaps in Magnolia CMS during security testing for a client. The vulnerabilities include stored cross-site scripting and reflected cross-site scripting. Hackers could take advantage of ...
Blog
ITAS Security Team has found several security gaps in Open EDX. Open EDX is an online education system developed by Harvard and MIT in 2012. It is used by many international organizations, including Microsoft, IBM, Harvard University, Stanford University, and others. During our security testing for clients using the ...
April 18, 2019, admin
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. ...
December 12, 2018, admin
ITAS Team has just found a Cross-Site Scripting vulnerability in Zeuscart CMS. ITAS Team recommends that any individual or company using this CMS take note and fix it as soon as possible.
1. Vulnerability information:
– Vulnerability: Cross-Site Scripting
– Vendor: http://www.zeuscart.com
– Download link: http://zeuscart.com/download/
– Affected version: Zeuscart V4
– CVSS v3.0 ...
December 10, 2018, admin
For the second time in 2 years, the ITAS Security Team has discovered vulnerabilities in the Hakin9 Magazine platform and informed the administrators of the risks. As a token of their appreciation, Hakin9 has awarded the ITAS Team a lifetime subscription to the magazine.
Established in 2005 by Software Media LLC ...
December 10, 2018, admin
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. ...
December 10, 2018, admin
ITAS Team found a SQL Injection vulnerability in ProjectSend r561. The issue is due to the function used to sanitize user-supplied input from the ‘id’ parameter being applied incorrectly. This may allow remote attackers to execute arbitrary SQL commands via that parameter.
Individuals and organizations using this should take note and give the ...
December 10, 2018, admin
ITAS Team found multiple SQL Injection vulnerabilities in Sefrengo CMS v1.6.1. The issues are due to some scripts not properly sanitizing user-supplied input. These SQL injection vulnerabilities allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote ...
December 10, 2018, admin
ITAS Team found a SQL Injection vulnerability in articleFR CMS. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow remote attackers to execute arbitrary SQL commands via the affected parameter…
Individuals and organizations using this CMS should take note and give the solution to ...
December 10, 2018, admin
ITAS Team found an Arbitrary File Upload vulnerability in articleFR CMS. Vulnerabilities related to the upload of unexpected file types are distinctive in that the upload handler should quickly reject a file if it does not have an expected extension. Additionally, this is different from uploading malicious files in that ...
December 10, 2018, admin
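The excerpt above describes the two halves of an upload check: reject on extension first, then treat the content as a separate question. The following is an added example, not articleFR code or anything from the advisory: an upload validator that applies an extension allowlist, rejects double extensions and path components, verifies the content's magic bytes against the declared type, and stores the file under a server-generated name. The allowed types, size limit and sample uploads are assumptions constructed for the example.

```python
"""Added example (not articleFR code): an upload validator that applies the
extension allowlist the excerpt describes, then also checks the file content
and discards the client-supplied name. The allowlist and limits are assumed."""
import os
import re
import secrets

# Extension -> magic bytes a file of that type must start with (assumed set).
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
MAX_SIZE = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, content):
    """Return the server-side filename to store under, or raise UploadRejected.

    Checks, in order: size, path components, a single extension from the
    allowlist, and content that matches the extension's magic bytes.
    """
    if len(content) > MAX_SIZE:
        raise UploadRejected("file too large")
    # Ignore any directory part the client sent ('../../x.png', 'C:\\x.png').
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Exactly one dot: rejects 'shell.php.jpg', '.htaccess' and bare names.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("unacceptable filename")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # Never reuse the client's name: store under a random name with the
    # extension we verified, in a directory the web server does not execute.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_filename, content):
    """Boolean wrapper around validate_upload for quick checks."""
    try:
        validate_upload(client_filename, content)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads (not real files).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),           # accepted
    ("shell.php", b"<?php system($_GET['c']); ?>"),               # bad extension
    ("shell.php.jpg", b"\xff\xd8\xff\xe0"),                       # double extension
    ("pic.jpg", b"<?php system($_GET['c']); ?>"),                 # wrong content
    ("../../../var/www/x.png", b"\x89PNG\r\n\x1a\n" + b"\x00"),   # path stripped
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        verdict = "accepted" if is_accepted(name, body) else "rejected"
        print(f"{name:28s} -> {verdict}")
```

The magic-byte check is a second signal, not a guarantee: a polyglot that starts with a valid JPEG header and carries PHP later still passes it, which is why the random server-side name and a non-executable storage directory matter as much as the extension test.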
ITAS Team found a SQL Injection vulnerability in Redaxscript 2.2.0 CMS. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow remote attackers to execute arbitrary SQL commands via the affected parameter.
Individuals and organizations using this should update to the latest patch, Redaxscript ...
December 10, 2018, admin
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. ...
December 10, 2018, admin
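The three XSS entries above (December 12 and December 10) all open with the same definition: a script injected into a page that the browser trusts. The following is an added example, not code from Magnolia, Zeuscart or any other product on this page, showing the mechanism the definition describes: one untrusted value reflected into HTML in a text context and in an attribute context, each with and without correct escaping, plus a parser-based check that reports whether the rendered markup gained a script element or an event-handler attribute. The payloads and the rendering functions are constructed for the example.

```python
"""Added example (not code from any product on this page): the same untrusted
value reflected into HTML several ways, and a parser-based check that reports
whether the rendered markup gained a script element or an event-handler
attribute, i.e. whether a browser would see injected active content."""
import html
from html.parser import HTMLParser


def render_vulnerable(name):
    # Untrusted input copied straight into element content.
    return f"<p>Hello, {name}</p>"


def render_escaped(name):
    # html.escape() encodes < > & and, with quote=True (the default), ' and ".
    return f"<p>Hello, {html.escape(name)}</p>"


def render_attr_weak(value):
    # Escaping only < > & is not enough inside a quoted attribute: a stray
    # quote closes the attribute and whatever follows becomes new attributes.
    return f"<input value='{html.escape(value, quote=False)}'>"


def render_attr_safe(value):
    # Attribute context: quotes must be encoded too, and the template itself
    # must quote the attribute.
    return f'<input value="{html.escape(value, quote=True)}">'


class ActiveContentFinder(HTMLParser):
    """Records <script> start tags and any on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.hits.append(attr_name)


def injected_active_content(markup):
    """Return the list of script tags / event handlers found in markup.
    Running the markup through an HTML parser approximates what the
    browser's own parser would do with it."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.hits


# Constructed payloads, one per context (not taken from any advisory).
TEXT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = "' onmouseover='alert(1)"

if __name__ == "__main__":
    for label, markup in [
        ("vulnerable text", render_vulnerable(TEXT_PAYLOAD)),
        ("escaped text", render_escaped(TEXT_PAYLOAD)),
        ("weakly escaped attribute", render_attr_weak(ATTR_PAYLOAD)),
        ("safely escaped attribute", render_attr_safe(ATTR_PAYLOAD)),
    ]:
        print(f"{label:26s} {injected_active_content(markup)!r:16s} {markup}")
```

The attribute case is the one that catches people: html.escape with quote=False looks like output encoding, yet the single quote survives and the parser sees a new onmouseover attribute. Escaping has to match the context the value lands in, and a quoted attribute needs quote encoding.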
ITAS Team found a SQL Injection vulnerability in Microweber CMS. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow remote attackers to execute arbitrary SQL commands via the affected parameter…
Individuals and organizations using this CMS should update to the latest patch (version 0.95 ...
December 10, 2018, admin
ITAS Team discovered multiple SQL Injection vulnerabilities in PBBoard CMS. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data…
Individuals and organizations ...
December 10, 2018, admin
SP Client Document Manager plugin (https://wordpress.org/plugins/sp-client-document-manager/) contains some flaws that may allow SQL injection attacks. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation ...
December 10, 2018, admin
ITAS Team discovered a Code Injection vulnerability in CM Download Manager plugin (https://wordpress.org/plugins/cm-download-manager/). This code injection vulnerability has been confirmed by the vendor. A successful attack could allow an anonymous attacker to run OS commands, execute PHP code and gain full control of the application. This vulnerability exists in free ...
December 10, 2018, admin
ITAS Team discovered multiple vulnerabilities in ProjectSend (a self-hosted application), such as Blind SQL injection, Insecure Direct Object Reference, Privilege Escalation, XSS, …
– The application constructs all or part of an SQL command using externally-influenced input from a frontend component, but it does not neutralize or incorrectly neutralizes special elements that ...
December 10, 2018, admin
YourMembers plugin (https://github.com/YourMembers/yourmembers/tree/master/ym_trunk) contains a flaw that may allow a blind SQL injection attack. The issue is due to the ym_trunk/includes/ym-download_functions.include.php script not properly sanitizing user-supplied input to the ‘ym_download_id’ parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing ...
December 10, 2018, admin
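Most of the SQL injection entries above share one shape: a numeric lookup parameter (ProjectSend's ‘id’, YourMembers' ‘ym_download_id’) reaches the query without proper neutralisation, and in the ProjectSend case a sanitising function is applied but is the wrong one for the context. The following is an added example, not code from ProjectSend, YourMembers or any other product on this page: a "download by id" lookup over an in-memory SQLite table, built with a quote-stripping sanitiser that does nothing for a numeric context, the parameterised fix beside it, and a boolean-based blind extraction run through the vulnerable version to show what the ProjectSend and YourMembers excerpts mean by "blind". The table layout, the sanitiser, the payloads and the secret value are all constructed for the example.

```python
"""Added example, not code from ProjectSend, YourMembers or any other product
on this page: a 'download by id' lookup backed by an in-memory SQLite table,
built the vulnerable way and the parameterised way, plus a boolean-based blind
extraction run through the vulnerable version. Table layout, the quote-stripping
'sanitiser' and the secret are all constructed for the example."""
import sqlite3

# Constructed data: two files (one private) and one user with a secret.
SAMPLE_FILES = [(1, "public.pdf", 1), (2, "internal.xlsx", 0)]
SAMPLE_USERS = [(1, "admin", "s3cr3t")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, name TEXT, public INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, file_id):
    """Strips quotes and concatenates: the wrong fix for a numeric parameter,
    because a numeric context needs no quotes to break out of."""
    cleaned = str(file_id).replace("'", "")
    sql = f"SELECT name FROM files WHERE public = 1 AND id = {cleaned}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, file_id):
    """Coerce to int, then bind: the value can never change the query shape."""
    try:
        fid = int(file_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute(
        "SELECT name FROM files WHERE public = 1 AND id = ?", (fid,))
    return [row[0] for row in rows]


def blind_extract(conn, column, table, max_len=16):
    """Recover a value one character at a time, using only whether the
    vulnerable lookup returns a row (boolean-based blind SQL injection).
    UNICODE()/SUBSTR() keep the payload free of quotes, so the quote
    stripping in lookup_vulnerable never triggers."""
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for code in range(32, 127):
            payload = (
                f"1 AND UNICODE(SUBSTR((SELECT {column} FROM {table} LIMIT 1),"
                f" {pos}, 1)) = {code}"
            )
            if lookup_vulnerable(conn, payload):
                hit = chr(code)
                break
        if hit is None:  # SUBSTR past the end yields '' and UNICODE('') is NULL
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal id:       ", lookup_vulnerable(db, "1"))
    print("tautology:       ", lookup_vulnerable(db, "2 OR 1=1"))
    print("safe, tautology: ", lookup_safe(db, "2 OR 1=1"))
    print("blind extract:   ", blind_extract(db, "password", "users"))
```

The tautology call shows the "manipulation or disclosure of arbitrary data" the excerpts mention (the private file appears even though the query filters on public = 1), and blind_extract shows that a page which only answers "found" or "not found" still leaks one character per handful of requests. The fix is the same in every entry on this page: bind the value as a parameter and, for an identifier, coerce it to an integer first.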
Currently, the demand for network security staff is very high, especially in commercial sectors such as banking, insurance, and finance ... Therefore, these companies also ask for administrators who are capable, who have practical work experience, and who can adapt quickly to the constant changes of ...
January 16, 2014, admin