Mail Thread Index

• Date Index

• CA20160627-01: Security Notice for Release Automation, Kotas, Kevin J
• [CVE-2016-5728] Double-Fetch Vulnerability in Linux-4.5/drivers/misc/mic/host/mic_virtio.c, wpengfeinudt
• [CVE-2016-6130] Double-Fetch Vulnerability in Linux-4.5/drivers/s390/char/sclp_ctl.c, wpengfeinudt
• Logic security flaw in TP-LINK - tplinklogin.net, Info
• Executable installers are vulnerable^WEVIL (case 34): Microsoft's vs-community-*.exe susceptible to DLL hijacking, Stefan Kanthak
• KL-001-2016-003 : SQLite Tempdir Selection Vulnerability, KoreLogic Disclosures
• [security bulletin] HPSBGN03626 rev.1 - HPE Service Manager using OpenSSL, Remote Disclosure of Information Logjam, security-alert
• [SECURITY] [DSA 3612-1] gimp security update, Salvatore Bonaccorso
• [security bulletin] HPSBGN03627 rev.1 - HPE Service Manager using OpenSSL, Remote Disclosure of Information, security-alert
• [SECURITY] CVE-2016-4974: Apache Qpid: deserialization of untrusted input while using JMS ObjectMessage, Robbie Gemmell
• [SECURITY] [DSA 3613-1] libvirt security update, Salvatore Bonaccorso
• [SECURITY] [DSA 3615-1] wireshark security update, Moritz Muehlenhoff
• [SECURITY] [DSA 3614-1] tomcat7 security update, Salvatore Bonaccorso
• [FD]CVE ID request : SQL injection in 24Online Client, rahullraz
• WebCalendar v1.2.7 PHP Code Injection, hyp3rlinx
• HTTP session poisoning in EMC Documentum WDK-based applications causes arbitrary code execution and privilege elevation, Andrey B. Panfilov
• WebCalendar v1.2.7 CSRF Protection Bypass, hyp3rlinx
  • <Possible follow-ups>
  • WebCalendar v1.2.7 CSRF Protection Bypass, hyp3rlinx
  • WebCalendar v1.2.7 CSRF Protection Bypass, hyp3rlinx
• [SECURITY] [DSA 3616-1] linux security update, Salvatore Bonaccorso
• [CVE-2016-6156] Double-Fetch Vulnerability in Linux-4.6/drivers/platform/chrome/cros_ec_dev.c, wpengfeinudt
• KWSPHP CMS v1.6.995 - Persistent Cross Site Scripting Web Vulnerability, Vulnerability Lab
• OpenDocMan v1.3.5 - Full Path Disclosure Vulnerability, Vulnerability Lab
• [CVE-2016-6136] Double-Fetch Vulnerability in Linux-4.6/kernel/auditsc.c, wpengfeinudt
• Syslog Server "npriority" field remote Denial of Service vulnerability, chaoyi . huang
• Apple Safari for Mac OS X SVG local XXE, Filippo Cavallarin
• Putty (beta 0.67) DLL Hijacking Vulnerability, wsachin092
  • <Possible follow-ups>
  • Re: Putty (beta 0.67) DLL Hijacking Vulnerability, wsachin092
• [slackware-security] mozilla-thunderbird (SSA:2016-187-01), Slackware Security Team
• [security bulletin] HPSBHF03613 rev.1 - HPE Network Products including iMC, VCX, and Comware using OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, security-alert
• IBM BlueMix Cloud - (API) Persistent Web Vulnerability, Vulnerability Lab
• Teampass 2.1.26 - Authenticated File Upload Vulnerability, Vulnerability Lab
• Micron CMS v5.3 - (cat_id) SQL Injection Vulnerability, Vulnerability Lab
• ESA-2016-054: EMC Avamar Data Store and Avamar Virtual Edition Unauthorized Data Access Vulnerability, Security Alert
• [SECURITY] [DSA 3617-1] horizon security update, Moritz Muehlenhoff
• Acer Portal Android Application - MITM SSL Certificate Vulnerability (CVE-2016-5648), David Coomber
• [KIS-2016-11] IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability, Egidio Romano
• [security bulletin] HPSBGN03628 rev.1 - HPE IceWall Federation Agent using libXML2 library, Remote Denial of Service (DoS), Unauthorized Modification, Unauthorized Disclosure of Information, security-alert
• [slackware-security] samba (SSA:2016-189-01), Slackware Security Team
• Microsoft WinDbg logviewer.exe Buffer Overflow DOS, hyp3rlinx
• Microsoft Process Kill Utility "kill.exe" Buffer Overflow, hyp3rlinx
• BMW ConnectedDrive - (Update) VIN Session Vulnerability, Vulnerability Lab
• BMW - (Token) Client Side Cross Site Scripting Vulnerability, Vulnerability Lab
• Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin, Summer of Pwnage
• Persistent Cross-Site Scripting in WP Live Chat Support plugin, Summer of Pwnage
• [RCESEC-2016-003][CVE-2016-4469] Apache Archiva 1.3.9 Multiple Cross-Site Request Forgeries, Julien Ahrens
• [RCESEC-2016-004][CVE-2016-5005] Apache Archiva 1.3.9 admin/addProxyConnector_commit.action connector.sourceRepoId Persistent Cross-Site Scripting, Julien Ahrens
• Persistent Cross-Site Scripting in WordPress Activity Log plugin, Summer of Pwnage
• [security bulletin] HPSBHF03608 rev.1 - HPE iMC PLAT and other Network Products using Apache Java Commons Collection (ACC), Remote Execution of Arbitrary Code, security-alert
• Cross-Site Scripting vulnerability in Master Slider WordPress Plugin, Summer of Pwnage
• Cross-Site Scripting vulnerability in Email Users WordPress Plugin, Summer of Pwnage
• Cross-Site Scripting vulnerability in Profile Builder WordPress Plugin, Summer of Pwnage
• WP Fastest Cache Member Local File Inclusion vulnerability, Summer of Pwnage
• Easy Forms for MailChimp Local File Inclusion vulnerability, Summer of Pwnage
• [CVE-2016-1014, CVE-2016-4247] Executable installers are vulnerable^WEVIL (case 35): Adobe's Flash Player (un)installers, Stefan Kanthak
• missing input validation in pmount: arbitrary mount as non-root, Imre RAD
• Open-Xchange Security Advisory 2016-07-13, Martin Heiland
• Cisco Security Advisory: Cisco IOS XR for NCS 6000 Packet Timer Leak Denial of Service Vulnerability, Cisco Systems Product Security Incident Response Team
• Cross-Site Scripting vulnerability in Simple Membership WordPress Plugin, Summer of Pwnage
• Cross-Site Scripting vulnerability in Top 10 - Popular posts plugin for WordPress, Summer of Pwnage
• Cross-Site Scripting vulnerability in WP No External Links WordPress Plugin, Summer of Pwnage
• Cross-Site Scripting vulnerability in Google Forms WordPress Plugin, Summer of Pwnage
• [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability, ERPScan inc
• [ERPSCAN-16-020] SAP NetWeaver AS JAVA UDDI component - XXE vulnerability, ERPScan inc
• [ERPSCAN-16-019] SAP NetWeaver Enqueue Server - DoS vulnerability, ERPScan inc
• [security bulletin] HPSBMU03562 rev.3 - HPE Service Manager using Java Deserialization, Remote Arbitrary Code Execution, security-alert
• [SECURITY] [DSA 3619-1] libgd2 security update, Salvatore Bonaccorso
• [SECURITY] [DSA 3620-1] pidgin security update, Salvatore Bonaccorso
• Multiple vulns in Vodafone EasyBox 804, Tim Schughart
• [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon, bashis
• [SECURITY] [DSA 3621-1] mysql-connector-java security update, Salvatore Bonaccorso
• [CVE-2016-1281] NOT FIXED: VeraCrypt*Setup*.exe still vulnerable to DLL hijacking, Stefan Kanthak
• [SECURITY] [DSA 3622-1] python-django security update, Salvatore Bonaccorso
• APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004, Apple Product Security
• APPLE-SA-2016-07-18-2 iOS 9.3.3, Apple Product Security
• APPLE-SA-2016-07-18-3 watchOS 2.2.2, Apple Product Security
• APPLE-SA-2016-07-18-4 tvOS 9.2.2, Apple Product Security
• APPLE-SA-2016-07-18-5 Safari 9.1.2, Apple Product Security
• APPLE-SA-2016-07-18-6 iTunes 12.4.2, Apple Product Security
• Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability (CVE-2016-6186), Vulnerability Lab
• Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking, Stefan Kanthak
• Multiple Cross-Site Scripting vulnerabilities in Ninja Forms WordPress Plugin, Summer of Pwnage
• Cross-Site Request Forgery in Icegram WordPress Plugin, Summer of Pwnage
• Multiple SQL injection vulnerabilities in WordPress Video Player, Summer of Pwnage
• CVE-2016-5080: Memory corruption in code generated by Objective Systems Inc. ASN1C compiler for C/C++ [STIC-2016-0603], Programa STIC
• [SECURITY] [DSA 3623-1] apache2 security update, Salvatore Bonaccorso
• [SEARCH-LAB advisory] Cisco EPC3925 UPC modem/router default passphrase vulnerabilities, Gergely Eberhardt
• [SEARCH-LAB advisory] Hitron CGNV4 modem/router multiple vulnerabilities, Gergely Eberhardt
• [SEARCH-LAB advisory] Compal CH7465LG-LC modem/router multiple vulnerabilities, Gergely Eberhardt
• [SEARCH-LAB advisory] Technicolor TC7200 modem/router multiple vulnerabilities, Gergely Eberhardt
• [SEARCH-LAB advisory] UPC Hungary network problems, Gergely Eberhardt
• Cisco Security Advisory: Cisco Unified Computing System Performance Manager Input Validation Vulnerability, Cisco Systems Product Security Incident Response Team
• Cross-Site Scripting vulnerability in Paid Memberships Pro WordPress Plugin, Summer of Pwnage
• Persistent Cross-Site Scripting in WooCommerce using image metadata (EXIF), Summer of Pwnage
• CVE-2016-5399: php: out-of-bounds write in bzread(), Hans Jerry Illikainen
• Cisco Security Advisory: Vulnerability in Objective Systems ASN1C Compiler Affecting Cisco Products, Cisco Systems Product Security Incident Response Team
• [SECURITY] [DSA 3624-1] mysql-5.5 security update, Salvatore Bonaccorso
• MySQL zero-day vulnerabilities (July 2016 CPU), lem . nikolas
  • <Possible follow-ups>
  • MySQL zero-day vulnerabilities (July 2016 CPU), lem . nikolas
• [security bulletin] HPSBGN03631 rev.1 - HPE IceWall Identity Manager and HPE IceWall SSO Password Reset Option running Apache Commons FileUpload, Remote Denial of Service (DoS), security-alert
• [slackware-security] php (SSA:2016-203-02), Slackware Security Team
• [slackware-security] gimp (SSA:2016-203-01), Slackware Security Team
• Dreammail 5 mail client XSS Vulnerability, wwiinngd
• [SECURITY] [DSA 3625-1] squid3 security update, Sebastien Delafond
• [CVE-2016-5000] XML External Entity (XXE) Vulnerability in Apache POI's XLSX2CSV Example, Tim Allison
• CA20160721-01: Security Notice for CA eHealth, Kotas, Kevin J
• [slackware-security] bind (SSA:2016-204-01), Slackware Security Team
• Executable installers are vulnerable^WEVIL (case 37): eclipse-inst-win*.exe vulnerable to DLL redirection and manifest hijacking, Stefan Kanthak
• Defense in depth -- the Microsoft way (part 41): vulnerable by (poor implementation of bad) design, Stefan Kanthak
• Autobahn|Python Insecure allowedOrigins validation >= 0.14.1, mgill
• [SECURITY] [DSA 3626-1] openssh security update, Salvatore Bonaccorso
• Neoscreen v4.5 Authentication bypass, alex_haynes
• Neoscreen v4.5 Blind SQL injection, alex_haynes
• Neoscreen v4.5 Cross-site scripting, alex_haynes
• Cross-Site Scripting in Contact Form to Email WordPress Plugin, Summer of Pwnage
• Cross-Site Scripting in Code Snippets WordPress Plugin, Summer of Pwnage
• [SECURITY] [DSA 3627-1] phpmyadmin security update, Thijs Kinkhorst
• SEC Consult SA-20160725-0 :: Multiple vulnerabilities in Micro Focus (Novell) Filr, SEC Consult Vulnerability Lab
• XSS and SQLi in huge IT gallery v1.1.5 for Joomla, Larry W. Cashdollar
• [SECURITY] [DSA 3628-1] perl security update, Salvatore Bonaccorso
• FreeBSD Security Advisory FreeBSD-SA-16:25.bspatch, FreeBSD Security Advisories
• Secunia Research: Reprise License Manager "actserver" Buffer Overflow Vulnerability, Secunia Research
• Secunia Research: Reprise License Manager "akey" Buffer Overflow Vulnerability, Secunia Research
• [security bulletin] HPSBGN03630 rev.1 - HP Operations Manager for Unix, Solaris, and Linux using Apache Commons Collections (ACC), Remote Code Execution, security-alert
• [SECURITY] [DSA 3629-1] ntp security update, Moritz Muehlenhoff
• July 2016 - Bamboo Server - Critical Security Advisory, David Black
• MySQL 0days followup (CVE-2016-3477) CVSS 8.1, lem . nikolas
• Crashing Browsers Remotely via Insecure Search Suggestions, research
• Huawei ISM Professional XSS Vulnerability, ak47464659484
• Dropbox 6.4.14 DLL Hijacking Vulnerability, mehta . himanshu21
• Cross-Site Scripting vulnerability in ColorWay WordPress Theme, Summer of Pwnage
• Silurus Classifieds XSS Vulnerability, ak47464659484
• [security bulletin] HPSBST03603 rev.1 - HPE StoreVirtual Products running LeftHand OS using glibc, Remote Arbitrary Code Execution, Denial of Service (DoS), security-alert
• [SECURITY] [DSA 3630-1] libgd2 security update, Salvatore Bonaccorso
• [SECURITY] [DSA 3631-1] php5 security update, Moritz Muehlenhoff
• Nusiorung CMS 2016 - (Login) Auth Bypass Vulnerability, Vulnerability Lab
• DornCMS v1.4 - (FileManager) Persistent Cross Site Scripting Vulnerability, Vulnerability Lab
• VUPlayer 2.49 - (.pls) Buffer Overflow Vulnerability, Vulnerability Lab
• VUPlayer 2.49 - (.wax) Buffer Overflow Vulnerability, Vulnerability Lab
  • RE: VUPlayer 2.49 - (.wax) Buffer Overflow Vulnerability, Wick, Ryan (US - Chicago)
• [SECURITY] [DSA 3632-1] mariadb-10.0 security update, Salvatore Bonaccorso
• CVE-2016-2783 - Avaya VOSS/VSP Release 4.1.0.0 Vulnerable to SPB Traffic traversal, Grebovich, Dragan (Dragan)
• [SECURITY] [DSA 3633-1] xen security update, Moritz Muehlenhoff
• Zortam Media Studio 20.60 - Buffer Overflow Vulnerability, Vulnerability Lab
• Exponent CMS 2.3.9 - Useraccounts Persistent Vulnerability, Vulnerability Lab
• Zoll Checklist v1.2.2 iOS - Multiple Persistent Vulnerabilities, Vulnerability Lab
• Saveya Bounty #1 - Bypass & Persistent Vulnerability, Vulnerability Lab
• Vicon Network Cameras - Authentication Bypass, reggie . dodd30
• [S21SEC-047] Fotoware Fotoweb 8.0 Cross Site Scripting, S21sec Vulnerability Research
• ZMS v3.2 CMS - Multiple Client Side Cross Site Scripting Web Vulnerabilities, Vulnerability Lab
• [SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks, matthias . deeg
  • <Possible follow-ups>
  • [SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks, matthias . deeg
• [SYSS-2016-046] Perixx PERIDUO-710W - Missing Protection against Replay Attacks, matthias . deeg
• [SYSS-2016-047] Perixx PERIDUO-710W - Keystroke Injection Vulnerability, matthias . deeg
• [SYSS-2016-045] Perixx PERIDUO-710W - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key), matthias . deeg
• [SYSS-2016-059] Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345), matthias . deeg
• [SYSS-2016-031] CHERRY B.UNLIMITED AES - Missing Protection against Replay Attacks, matthias . deeg
  • <Possible follow-ups>
  • [SYSS-2016-031] CHERRY B.UNLIMITED AES - Missing Protection against Replay Attacks, matthias . deeg
• [SYSS-2016-032] CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key), matthias . deeg
  • <Possible follow-ups>
  • [SYSS-2016-032] CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key), matthias . deeg
• [SYSS-2016-038] CHERRY B.UNLIMITED AES - Keystroke Injection Vulnerability, matthias . deeg
  • <Possible follow-ups>
  • [SYSS-2016-038] CHERRY B.UNLIMITED AES - Keystroke Injection Vulnerability, matthias . deeg
• CVE-2016-5672: Intel Crosswalk SSL Prompt Issue, research
• [SECURITY] [DSA 3635-1] libdbd-mysql-perl security update, Salvatore Bonaccorso