Tagged: cert

VU#315340: EMC Documentum products contain multiple vulnerabilities

Vulnerability Note VU#315340
Original Release date: 15 Dec 2014 | Last revised: 15 Dec 2014

Overview
EMC Documentum products including Content Server, D2, and Web Development Kit (WDK) contain multiple vulnerabilities.

Description
EMC Documentum Content Server, D2, and WDK contain numerous vulnerabilities of varying impact. For details, view our spreadsheet.

VU#685996: GNU wget Arbitrary Filesystem Access through FTP Symlinks

Vulnerability Note VU#685996
Original Release date: 28 Oct 2014 | Last revised: 28 Oct 2014

Overview
GNU wget 1.15 allows arbitrary filesystem access when using symlinks in FTP.

Description
CWE-59: Improper Link Resolution Before File Access (‘Link Following’)
Wget is a common Unix utility to retrieve a remote file. When wget 1.15 is running in recursive mode (the -m or -r switch) with an FTP server as the destination, it is vulnerable to a link following attack

VU#298796: Centreon contains multiple vulnerabilities

Vulnerability Note VU#298796
Original Release date: 17 Oct 2014 | Last revised: 17 Oct 2014

Overview
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 contain multiple vulnerabilities.

Description
CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – CVE-2014-3829
Centreon version 2.5.1 and Centreon Enterprise Server version 2.2 are vulnerable to command injection due to unsafe handling of the session_id and template_id variables in displayServiceStatus.php and insufficient filtering on the command_line variable

VU#280844: Cryoserver Security Appliance vulnerable to privilege escalation

Vulnerability Note VU#280844
Original Release date: 07 Oct 2014 | Last revised: 07 Oct 2014

Overview
Cryoserver Security Appliance 7.3.x is vulnerable to privilege escalation.

Description
CWE-264: Permissions, Privileges, and Access Controls
Cryoserver Security Appliance 7.3.x does not properly assign permissions to the /etc/init.d/cryoserver shell script and allows the default support account to modify it using the /bin/cryo-mgmt script.

Impact
An authenticated attacker may be able to gain root access to the appliance.

Solution
The CERT/CC is currently unaware of a practical solution to this problem.

VU#241508: CacheGuard OS contains a cross-site request forgery vulnerability

Vulnerability Note VU#241508
Original Release date: 10 Sep 2014 | Last revised: 10 Sep 2014

Overview
CacheGuard OS v5.7.7 does not sufficiently verify whether a valid request was intentionally provided by the user, which results in a cross-site request forgery (CSRF) vulnerability.

Description
CWE-352: Cross-Site Request Forgery (CSRF)
CacheGuard OS v5.7.7 does not sufficiently verify whether a valid request was intentionally provided by the user. The cross-site request forgery (CSRF) vulnerability lies in /gui/password-wadmin.apl.

Impact
A remote unauthenticated attacker may be able to trick an authenticated user into clicking a specially crafted link, resulting in settings modification or privilege escalation.