Tagged: cert

VU#630872: Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities 0

VU#630872: Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities

Vulnerability Note VU#630872 Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N contains multiple vulnerabilities Original Release date: 03 Sep 2015 | Last revised: 03 Sep 2015 Overview Mediabridge Medialink Wireless-N Broadband Router MWN-WAPR300N, firmware version 5.07.50 and possibly earlier, uses non-unique default credentials and is vulnerable to universal authentication bypass and cross-site request forgery (CSRF). Description CWE-255 : Credentials Management – CVE-2015-5994 Medialink MWN-WAPR300N by default uses the common admin:admin credentials for the web management interface and uses medialink:password for the wireless network. An attacker within range of a wireless network using default settings can connect and gain privileged access to the web management interface

VU#276148: Dedicated Micros DVR products use plaintext protocols and require no password by default 0

VU#276148: Dedicated Micros DVR products use plaintext protocols and require no password by default

Vulnerability Note VU#276148 Dedicated Micros DVR products use plaintext protocols and require no password by default Original Release date: 20 Aug 2015 | Last revised: 20 Aug 2015 Overview Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password. Description CWE-311 : Missing Encryption of Sensitive Data Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather than secure alternatives, making it the responsibility of the end user to configure a device securely. Sensitive data may be viewed or modified in transit by unauthorized attackers

VU#300820: Cisco Prime Infrastructure contains SUID root binaries 0

VU#300820: Cisco Prime Infrastructure contains SUID root binaries

Vulnerability Note VU#300820 Cisco Prime Infrastructure contains SUID root binaries Original Release date: 17 Aug 2015 | Last revised: 17 Aug 2015 Overview The Cisco Prime Infrastructure version 2.2 contains two binaries with SUID root world-executable privileges, allowing any local user to execute arbitrary commands as root. Description CWE-276 : Incorrect Default Permissions Two binaries are included in Cisco Prime version 2.2 that run as SUID root with world-executable privileges. The commands are /opt/CSCOlumos/bin/runShellCommand /opt/CSCOlumos/bin/runShellAsRoot These commands may be used to run arbitrary commands as root by any local user

VU#209512: Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities 0

VU#209512: Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities

Vulnerability Note VU#209512 Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities Original Release date: 11 Aug 2015 | Last revised: 11 Aug 2015 Overview Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities Description The Mobile Devices C4 OBD2 dongle is the base model for several rebranded consumer devices, such as the Metromile pay-by-mile insurance dongle. These devices are plugged into a vehicle’s on-board diagnostics port (OBD-II), usually located under the wheel. The device itself contains a GPS receiver, cellular chip, and on board microprocessors

VU#628568: Sierra Wireless GX, ES, and LS gateways running ALEOS contain hard-coded credentials 0

VU#628568: Sierra Wireless GX, ES, and LS gateways running ALEOS contain hard-coded credentials

Vulnerability Note VU#628568 Sierra Wireless GX, ES, and LS gateways running ALEOS contain hard-coded credentials Original Release date: 07 Aug 2015 | Last revised: 10 Aug 2015 Overview Sierra Wireless GX, ES, and LS gateway devices running ALEOS versions 4.4.1 and earlier contain hard-coded credentials. Description CWE-259 : Use of Hard-coded Password – CVE-2015-2897 Sierra Wireless GX, ES, and LS gateways running ALEOS contain multiple hard-coded accounts with root privileges

VU#360431: Chiyu Technology fingerprint access control contains multiple vulnerabilities 0

VU#360431: Chiyu Technology fingerprint access control contains multiple vulnerabilities

Vulnerability Note VU#360431 Chiyu Technology fingerprint access control contains multiple vulnerabilities Original Release date: 31 Jul 2015 | Last revised: 31 Jul 2015 Overview Multiple models of Chiyu Technology fingerprint access control devices contain a cross-site scripting (XSS) vulnerability and an authentication bypass vulnerability. Description CWE-80 : Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) – CVE-2015-2870 According to the reporter, tags are not filtered out of a URL passed to the device, allowing an attacker to perform a reflected XSS attack

VU#338736: Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability 0

VU#338736: Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability

Vulnerability Note VU#338736 Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability Original Release date: 11 Jul 2015 | Last revised: 11 Jul 2015 Overview Adobe Flash Player contains a vulnerability in the ActionScript 3 opaqueBackground property, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Adobe Flash Player versions 9.0 through version 18.0.0.203 contain a use-after-free vulnerability in the AS3 opaqueBackground class .

VU#103336: Windows Adobe Type Manager privilege escalation vulnerability 0

VU#103336: Windows Adobe Type Manager privilege escalation vulnerability

Vulnerability Note VU#103336 Windows Adobe Type Manager privilege escalation vulnerability Original Release date: 08 Jul 2015 | Last revised: 08 Jul 2015 Overview The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain SYSTEM privileges on an affected Windows system. Description Adobe Type Manager, which is provided by atmfd.dll, is a Windows kernel module that provides support for OpenType fonts in Windows. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts