Vulnerability Note VU#693036 Datalex airline booking software allowed authorization bypass for arbitrary users Original Release date: 30 Sep 2015 | Last revised: 30 Sep 2015 Overview Datalex provides a suite of software offerings for the airline industry which supports customizable flight browsing, booking, payment, and analytics.
VU#630872: Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities
Vulnerability Note VU#630872 Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities Original Release date: 03 Sep 2015 | Last revised: 03 Sep 2015 Overview Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N, firmware version 5.07.50 and possibly earlier, uses non-unique default credentials and is vulnerable to universal authentication bypass and cross-site request forgery (CSRF). Description CWE-255 : Credentials Management – CVE-2015-5994 Medialink MWN-WAPR300N by default uses the common admin:admin credentials for the web management interface and uses medialink:password for the wireless network. An attacker within range of a wireless network using default settings can connect and gain privileged access to the web management interface
Vulnerability Note VU#276148 Dedicated Micros DVR products use plaintext protocols and require no password by default Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015 Overview Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password. Description CWE-311 : Missing Encryption of Sensitive Data Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers
Vulnerability Note VU#300820 Cisco Prime Infrastructure contains SUID root binaries Original Release date: 17 Aug 2015 | Last revised: 17 Aug 2015 Overview The Cisco Prime Infrastructure version 2.2 contains two binaries with SUID root world-executable privileges, allowing any local user to execute arbitrary commands as root. Description CWE-276 : Incorrect Default Permissions Two binaries are included in Cisco Prime version 2.2 that run as SUID root with world-executable privileges. The commands are /opt/CSCOlumos/bin/runShellCommand and /opt/CSCOlumos/bin/runShellAsRoot. These commands may be used to run arbitrary commands as root by any local user
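The condition the note describes (setuid, owned by root, executable by everyone) is straightforward to audit for on any host. The following is an added example, not code from CERT/CC or Cisco: it walks a directory tree and reports regular files whose mode has both the setuid bit and the other-execute bit and whose owner matches the requested uid. The `owner_uid` parameter and the `make_sample_tree` helper are assumptions made for this example so the check can be exercised on a scratch tree owned by an unprivileged user; in real use you would run it as root against `/` with the default `owner_uid=0`.

```python
import os
import stat

# Added example (not from the CERT note or Cisco): walk a directory tree and
# report regular files that are setuid, owned by `owner_uid`, and executable by
# everyone, i.e. the combination the note describes for the two Cisco binaries.
# `owner_uid` defaults to 0 (root); it is a parameter only so the check can be
# exercised on a scratch tree owned by an unprivileged user.
def find_suid_world_exec(root, owner_uid=0):
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; skip it
            mode = st.st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and special files are not setuid executables
            if (mode & stat.S_ISUID) and (mode & stat.S_IXOTH) and st.st_uid == owner_uid:
                hits.append((path, oct(stat.S_IMODE(mode))))
    return sorted(hits)


def make_sample_tree(base):
    """Constructed sample tree: one 4755 file (should be flagged), one plain
    0755 file, and one 4750 file (setuid but not world-executable)."""
    bindir = os.path.join(base, "bin")
    os.makedirs(bindir, exist_ok=True)
    samples = {"runShellAsRoot": 0o4755, "helper": 0o755, "groupOnly": 0o4750}
    for name, mode in samples.items():
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        # Real audit: scan the given tree for root-owned setuid, world-exec files.
        target, uid = sys.argv[1], 0
    else:
        # Demo on a constructed tree owned by the current user.
        target, uid = make_sample_tree(tempfile.mkdtemp()), os.getuid()
    for path, mode in find_suid_world_exec(target, uid):
        print(f"{mode} {path}")
```

Running it with no arguments prints only the constructed `runShellAsRoot` entry; the `groupOnly` file is setuid but lacks the other-execute bit, so it is not reported, which is the distinction that made the Cisco binaries reachable by any local user rather than only by a privileged group.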
Vulnerability Note VU#335192 Actiontec GT784WN Wireless N DSL Modem contains multiple vulnerabilities Original Release date: 11 Aug 2015 | Last revised: 11 Aug 2015 Overview Actiontec GT784WN Wireless N DSL Modem, versions NCS01-1.0.12 and earlier, contains multiple vulnerabilities.
Vulnerability Note VU#209512 Mobile Devices C4 OBD2 dongle contains multiple vulnerabilities Original Release date: 11 Aug 2015 | Last revised: 11 Aug 2015 Overview Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities Description The Mobile Devices C4 OBD2 dongle is the base model for several rebranded consumer devices, such as the Metromile pay-by-mile insurance dongle. These devices are plugged into a vehicle’s on-board diagnostics port (OBD-II), usually located under the dashboard near the steering wheel. The device itself contains a GPS receiver, cellular chip, and on-board microprocessors
Vulnerability Note VU#628568 Sierra Wireless GX, ES, and LS gateways running ALEOS contain hard-coded credentials Original Release date: 07 Aug 2015 | Last revised: 10 Aug 2015 Overview Sierra Wireless GX, ES, and LS gateway devices running ALEOS versions 4.4.1 and earlier contain hard-coded credentials. Description CWE-259 : Use of Hard-coded Password – CVE-2015-2897 Sierra Wireless GX, ES, and LS gateways running ALEOS contain multiple hard-coded accounts with root privileges
Vulnerability Note VU#360431 Chiyu Technology fingerprint access control contains multiple vulnerabilities Original Release date: 31 Jul 2015 | Last revised: 31 Jul 2015 Overview Multiple models of Chiyu Technology fingerprint access control devices contain a cross-site scripting (XSS) vulnerability and an authentication bypass vulnerability. Description CWE-80 : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) – CVE-2015-2870 According to the reporter, script tags are not filtered out of a URL passed to the device, allowing an attacker to perform a reflected XSS attack
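CWE-80 is the failure to neutralize markup before reflecting request data into a page. The following is an added example, not the device's firmware or any code from the reporter: a page handler that reflects a `name` query parameter verbatim, placed beside the same handler with HTML escaping applied. The URL, the `name` parameter and the page template are constructed for this illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Added example (not the device's code): two handlers that build a page from a
# "name" query parameter. The first reflects it verbatim, the pattern CWE-80
# describes; the second escapes it before interpolation.
PAGE = "<html><body><h1>Welcome, {name}</h1></body></html>"

# Constructed request: the parameter carries a script tag, URL-encoded.
CONSTRUCTED_URL = (
    "http://192.0.2.10/login?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)


def _name_from_url(url):
    """Decode the query string and return the first 'name' value ('' if absent)."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_vulnerable(url):
    # No neutralization: any tag in the parameter becomes live markup.
    return PAGE.format(name=_name_from_url(url))


def render_hardened(url):
    # html.escape turns < > & " ' into entities, so the browser shows text
    # rather than executing markup. This is the right encoder for element text
    # and quoted attribute values; JavaScript or URL contexts need their own.
    return PAGE.format(name=html.escape(_name_from_url(url), quote=True))


def contains_live_script(page):
    """True if the rendered page still holds an unescaped <script> tag."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONSTRUCTED_URL))
    print("hardened:  ", render_hardened(CONSTRUCTED_URL))
```

Output encoding at the point of interpolation is what fixes the class of bug; filtering a denylist of tag names out of the URL (the control the note says is missing) is weaker, because attackers can vary case, nest tags, or use attribute-based vectors such as event handlers that contain no `script` tag at all.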
Vulnerability Note VU#338736 Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability Original Release date: 11 Jul 2015 | Last revised: 11 Jul 2015 Overview Adobe Flash Player contains a vulnerability in the ActionScript 3 opaqueBackground property, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Adobe Flash Player versions 9.0 through version 18.0.0.204 contain a use-after-free vulnerability in the AS3 opaqueBackground property.