The vulnerability allows attackers to see the friends list of any user on Facebook. The attack is carried out by abusing Facebook's ‘People You May Know’ feature, the mechanism by which Facebook suggests new friends to users.
An Insecure Redirect vulnerability in .NET Forms Authentication (the redirect performed after login) allows an attacker to craft links whose ReturnURL parameter redirects to malicious sites. The exploitation technique bypasses the CrossAppRedirects restriction and succeeds on applications that omit the EnableCrossAppRedirects attribute from web.config (it defaults to false) as well as on applications that explicitly set EnableCrossAppRedirects to false.
By luring an unsuspecting user into submitting a specially crafted form, an attacker causes the victim to send the malicious script to the vulnerable SharePoint 2007 instance. The malicious script is then reflected back to the user and executed in their browser.
An Insecure Redirect vulnerability in the Microsoft SharePoint shared infrastructure allows an attacker to craft links that redirect to malicious sites through the source parameter used throughout the SharePoint portal.
The exploitation technique bypasses the cross-application redirection restriction that normally prevents such redirects from reaching external sites.
A persistent cross-site scripting vulnerability in the SharePoint document handling module allows attackers to gain control over valid user accounts, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
The detailed error page in Oracle E-Business Suite is vulnerable to reflected cross-site scripting. An attacker can send users or administrators a link that triggers an error and carries a malicious script; when they follow the link, the error details page renders the script and it executes in their browser.
Several vulnerabilities in the Oracle eBusiness Suite deployment, when combined, allow an unauthenticated remote user to take over the administrative web user account and gain full control over it.
When a non-existent Struts action URL is requested, the Struts infrastructure generates an error that echoes the path of the requested action. The mechanism generating this error performs neither sufficient input validation nor HTML encoding of the output, exposing the system, in some environments, to a cross-site scripting attack.