xss


Joomla! is one of the world's most popular content management systems (CMS). It enables users to build Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of July 2017, Joomla! has been downloaded over 82 million times. Over 7,800 free and commercial extensions are available from the official Joomla! Extension Directory, and more are available from other sources. In my last blog, I discovered 2 Cross-Site Scripting (XSS) vulnerabilities...
by Zhouyuan Yang  |  Jul 12, 2017  |  Filed in: Security Research
Joomla! is one of the world's most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of November 2016, Joomla! had been downloaded over 78 million times. Over 7,800 free and commercial extensions are also currently available from the official Joomla! Extension Directory, and more are available from other sources. This year, as a FortiGuard researcher...
by Zhouyuan Yang  |  May 04, 2017  |  Filed in: Security Research
Summary: At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability. In this blog, I want to share the details of this vulnerability. How to Reproduce: To reproduce this vulnerability, you can follow the steps below: Sign into CLM with a user account, such as "chbest2", with the permission "JazzAdmins". Then create a new user...
by Honggang Ren  |  Oct 17, 2016  |  Filed in: Security Research
Fortinet has developed a talented group of security experts and veterans who work together to design, execute, and administer every conceivable type of networking and security infrastructure. These infrastructures serve everything from the largest enterprises, university campuses, and industry conferences to small and mid-sized businesses, inter-connected retail locations, and even storm-battered cargo ships. Designing and building any network infrastructure poses unique challenges and requires extreme diligence in planning, implementation, and administration....
by Aamir Lakhani  |  Oct 03, 2016  |  Filed in: Industry Trends
In case you missed it, Fortinet recently introduced the Fortinet Network Security Academy (FNSA) with the objective of providing individuals with advanced cybersecurity skills in order to address the industry's current skills shortage. To highlight the value of such a program, the team at our French offices regularly collaborates with students who work with us on a range of security projects. The following discovery is the product of one such student collaboration project. Summary: After successfully gaining access to the File System...
by Ruchna Nigam  |  Mar 31, 2016  |  Filed in: Security Research
Overview: WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress. According to WooCommerce, the plugin now powers over 30% of all online stores running WordPress, with over one million downloads. FortiGuard Labs discovered another Cross-Site Scripting (XSS) vulnerability in WooCommerce. FortiGuard disclosed a different XSS vulnerability in WooCommerce earlier this year, leading Fortinet's Chris Dawson to ask if it was time to worry about WordPress. As...
by Peixue Li  |  Nov 17, 2015  |  Filed in: Industry Trends
Overview: Infoblox is a network controller company that provides network automation and domain name system (DNS) security through appliance-based solutions. These products enable and secure dynamic network and data center infrastructures. It offers four product families: core network services, infrastructure security, cloud network automation, and network change and configuration management. Infoblox NetMRI provides automatic network discovery, switch port management, network change automation, and continuous security policy and configuration...
by Aamir Lakhani  |  Nov 12, 2015  |  Filed in: Security Research
Overview: MantisBT is an open source issue tracker with nearly 110,000 downloads so far this year from its SourceForge repository. It is known for its ease of use and rapid collaboration capabilities. Researchers with FortiGuard Labs have discovered a cross-site scripting (XSS) vulnerability in MantisBT caused by incorrect handling of a specially crafted request that contains injected script code. This vulnerability could allow remote attackers to launch an XSS attack. Analysis: The attack target can be a MantisBT administrator....
by Chris Dawson  |  Oct 30, 2015  |  Filed in: Industry Trends
Researchers with FortiGuard Labs recently discovered a persistent cross-site scripting vulnerability in Microsoft SharePoint 2013. SharePoint is a web application platform in the Microsoft Office server suite that combines intranet, extranet, content management, document management, personal cloud, enterprise social networking, enterprise search, business intelligence, workflow management, web content management, and an enterprise application store. It is frequently deployed for internal use in mid-size businesses and large departments...
by Aamir Lakhani  |  Sep 14, 2015  |  Filed in: Industry Trends
Researchers at FortiGuard Labs recently discovered a cross-site scripting vulnerability in Cacti, a powerful web-based tool for collecting and graphing time series data. Cacti is frequently used for monitoring and presenting a variety of metrics in IT, ranging from CPU fan speeds and temperatures to network traffic. It is free and open source and has been widely adopted due to its extensibility and complete set of monitoring and graphing tools. The vulnerability itself resulted from insufficient sanitization of user-supplied data sent to a particular...
by Aamir Lakhani  |  Jun 27, 2015  |  Filed in: Industry Trends