
Posts Tagged ‘cert’


VU#657622: Xangati software release contains relative path traversal and command injection vulnerabilities

Original Release date: 14 Apr 2014 | Last revised: 14 Apr 2014

Overview
Xangati’s software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

Description
Xangati’s software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

CWE-23: Relative Path Traversal – CVE-2014-0358
The reporter has provided the following as a proof-of-concept


VU#437385: PaperThin CommonSpot CMS contains multiple vulnerabilities

Original Release date: 14 Apr 2014 | Last revised: 14 Apr 2014

Overview
PaperThin CommonSpot contains multiple vulnerabilities, which may allow an unauthenticated remote attacker to execute arbitrary code on the server.

Description
PaperThin CommonSpot is a content management system (CMS) that is based on Adobe ColdFusion. CommonSpot is composed of over 3000 individual ColdFusion pages (CFM files)


VU#251628: AMTELCO miSecureMessages Server insecurely authenticates clients

Original Release date: 11 Apr 2014 | Last revised: 18 Apr 2014

Overview
AMTELCO miSecureMessages Server Release 6.2 performs weak authentication for access to user messages (CWE-287).


VU#667340: Fortinet FortiADC contains a cross-site scripting vulnerability

Original Release date: 11 Apr 2014 | Last revised: 11 Apr 2014

Overview
Fortinet FortiADC 3.2, and possibly earlier versions, contains a cross-site scripting vulnerability (CWE-79).

Description
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Fortinet FortiADC 3.2, and possibly earlier versions, contains a cross-site scripting vulnerability.


VU#882841: Microsoft Office file format converter memory corruption vulnerability

Original Release date: 10 Apr 2014 | Last revised: 10 Apr 2014

Overview
The Microsoft Office file format converter contains a memory corruption vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user.

Description
Microsoft Office file format converter is a component that converts legacy Microsoft Office documents into newer file formats. Microsoft Office Isolated Conversion Environment (MOICE), which is intended to increase the security of Microsoft Office, uses this capability


VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability

Original Release date: 02 Apr 2014 | Last revised: 02 Apr 2014

Overview
Huawei Echo Life HG8247 optical router contains a stored cross-site scripting (XSS) vulnerability.

Description
It has been reported that Huawei Echo Life HG8247 optical routers running software version V1R006C00S120 or earlier contain a stored cross-site scripting (XSS) vulnerability. An unauthenticated attacker can perform a stored cross-site scripting (XSS) attack against an authenticated user through the web interface by creating a malicious entry in the “failed log-in attempts over telnet” log view. When logging on to the device using telnet, an attacker can inject arbitrary HTML/JavaScript code as a username


UK launches first national CERT



VU#163188: Pearson eSIS Enterprise Student Information System XSS vulnerability

Original Release date: 01 Apr 2014 | Last revised: 01 Apr 2014

Overview
Pearson eSIS Enterprise Student Information System contains an XSS vulnerability.

Description
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Pearson eSIS Enterprise Student Information System contains a reflected cross-site scripting vulnerability in the /aal/loginverification.aspx page. An attacker is able to load arbitrary script in the context of the user’s browser through the data passed to the website.


VU#140886: ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities

Original Release date: 27 Mar 2014 | Last revised: 27 Mar 2014

Overview
ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities.

Description
CWE-472: External Control of Assumed-Immutable Web Parameter
It has been reported that the ‘Properties.do?name=’ module is vulnerable to an ‘unauthorized function call’ caused by the server failing to properly verify the privilege level of the user (i.e. Admin, User, or Guest)


VU#213046: Virtual Access GW6110A router privilege escalation vulnerability

Original Release date: 25 Mar 2014 | Last revised: 25 Mar 2014

Overview
Virtual Access GW6110A routers contain a privilege escalation vulnerability which could allow an authenticated user to escalate their privileges.
