CVE-2015-2807 – Navis DocumentCloud < 0.1.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-2807
Cross-site scripting (XSS) vulnerability in js/window.php in the Navis DocumentCloud plugin before 0.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter. Vulnerabilidad de XSS en js/windows.php en el plugin Navis DocummentCloud en versiones anteriores a 0.1.1 para WordPress, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro wpbase. WordPress Navis DocumentCloud plugin version 0.1 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/133350/WordPress-Navis-DocumentCloud-0.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Aug/78 https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud https://wordpress.org/plugins/navis-documentcloud/changelog https://wpvulndb.com/vulnerabilities/8164 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-1933 – Ruby Gem Karteek Docsplit 0.5.4 Command Injection
https://notcve.org/view.php?id=CVE-2013-1933
The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. La función extract_from_ocr en lib/docsplit/text_extractor.rb en el Karteek Docsplit (karteek-docsplit) v0.5.4 para Ruby permite a atacantes dependientes de contexto para ejecutar comandos arbitrarios vía metacaracteres de shell en un nombre de archivo PDF. Ruby Gem Karteek Docsplit version 0.5.4 fails to sanitize user-supplied input. If a user is tricked into extracting a file with shell characters in the name, code can be executed remotely. • http://osvdb.org/92117 http://vapid.dhs.org/advisories/karteek-docsplit-cmd-inject.html http://www.openwall.com/lists/oss-security/2013/04/08/15 https://exchange.xforce.ibmcloud.com/vulnerabilities/83277 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •