The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.


The BlackBerry World app before on BlackBerry 10 OS 10.2.0, before on BlackBerry 10 OS 10.2.1, and before on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream.


Yourls XSS Stored

Posted by Alvaro Diaz on Oct 25

Hello, I found an XSS stored vulnerability in Yourls 1.7 script (latest

The attacker can steal the admin’s cookies and log in to the admin panel.

Note: Only the admin can see this.

Steps to perform the vulnerability:

1. Create a new URL to shorten –> In the inputs you need to write this
payload –> anything”><img src=x onerror=prompt(1)>*

* Javascript code to inject.

2. Click on the button “Shorten”…


Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.


CVE-2014-3604: Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
