Mail Thread Index

• Date Index

• Re: [FD] GoAgent vulnerabilities: CA cert with known private key, TLS MITM, David Fifield
• [FD] Three out of bounds access issues in ImageMagick (CVE-2014-8354, CVE-2014-8355, CVE-2014-8562), Hanno Böck
• [FD] CVE-2014-5387 - Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core, Portcullis Advisories
• [FD] CNIL CookieViz XSS + SQL injection leading to user pwnage, iliketurtles
• [FD] KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read, KoreLogic Disclosures
• [FD] Vulnerabilities in D-Link DAP-1360, MustLive
• [FD] Cisco RV Series multiple vulnerabilities, Securify B.V.
• [FD] SEC Consult SA-20141106-0 :: XXE & XSS & Arbitrary File Write vulnerabilities in Symantec Endpoint Protection, SEC Consult Vulnerability Lab
• [FD] XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities, Larry W. Cashdollar
• [FD] CVE-2014-8557 - JExperts Tecnologia - Channel Software Cross Site Scripting Issues, Luciano Pedreira
• [FD] CVE-2014-8558 - JExperts Tecnologia - Channel Software Escalation Access Issues, Luciano Pedreira
• [FD] DAVOSET v.1.2.2, MustLive
• [FD] [The ManageOwnage Series, part VI]: 0day database info and superuser credential disclosure in EventLog Analyser, Pedro Ribeiro
• [FD] Wordpress bulletproof-security <=.51 multiple vulnerabilities, Pietro Oliva
• [FD] Insecure management of login credentials in PicsArt Photo Studio for Android [STIC-2014-0426], Programa STIC
• [FD] SeasonApps iTransfer 1.1 - Persistent UI Vulnerability, Vulnerability Lab
• [FD] BookFresh - Persistent Clients Invite Vulnerability, Vulnerability Lab
• [FD] PayPal Inc BugBounty #107 MultiOrder Shipping (API) - Persistent History Vulnerability, Vulnerability Lab
• [FD] [The ManageOwnage Series, part VII]: Super admin privesc + password DB dump in Password Manager Pro, Pedro Ribeiro
• [FD] IL and CSRF vulnerabilities in D-Link DAP-1360, MustLive
• [FD] IP.Board <= 3.4.7 SQL Injection, secthrowaway
• [FD] [The ManageOwnage series, part VIII]: Remote code execution and blind SQLi in OpManager, Social IT and IT360, Pedro Ribeiro
• [FD] PayPal Inc Bug Bounty #88 - Filter Bypass & Arbitrary Code Execution Vulnerability, Vulnerability Lab
• [FD] Piwigo <= v2.6.0 - Blind SQL Injection, Manuel Garcia Cardenas
• [FD] Lantronix xPrintServer Code execution and CSRF vulnerability, Jim Bauwens
• [FD] [ESNC-2039348] Multiple Critical Security Vulnerabilities in SAP Governance, Risk and Compliance (SAP GRC), ESNC Security
• [FD] Missing SSL certificate validation in MercadoLibre app for Android [STIC-2014-0211], Programa STIC
• [FD] CFP: AIPR2015 China - Artificial Intelligence and Pattern Recognition, Hazel Ann
• [FD] Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers, Jing Wang
• [FD] Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net, Jing Wang
  • Re: [FD] Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net, Nick Semenkovich
• [FD] CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability, Jing Wang
• [FD] Prey Anti-Theft for Android missing SSL certificate validation [STIC-2014-0731], Programa STIC
• [FD] CVE-2014-8681 Blind SQL Injection in Gogs label search, Timo Schmid
• [FD] CVE-2014-8682 Multiple Unauthenticated SQL Injections in Gogs, Timo Schmid
• [FD] CVE-2014-8683 XSS in Gogs Markdown Renderer, Timo Schmid
• [FD] XSS Reflected in Page visualization agents in Pandora FMS v5.1SP1 - Revisión PC141031 (CVE-2014-8629), William Costa
• [FD] xdg-open RCE, joernchen
  • Re: [FD] xdg-open RCE, Brandon Perry
• [FD] Reflected XSS in Nibbleblog <= v4.0.1, Manuel Garcia Cardenas
• [FD] XOOPS <= 2.5.6 - Blind SQL Injection, Manuel Garcia Cardenas
• [FD] 81% of Tor users can be de-anonymised by analysing router information, research indicates, Ivan .Heca
• [FD] Vulnerabilities in D-Link DCS-2103, MustLive
• [FD] Proticaret E-Commerce Script v3.0 SQL Injection, Onur Alanbel
• [FD] WebsiteBaker <=2.8.3 - Multiple Vulnerabilities, Manuel Garcia Cardenas
• [FD] Zoph <= 0.9.1 - Multiple Vulnerabilities, Manuel Garcia Cardenas
• [FD] CVE-2014-8493 - ZTE ZXHN H108L Authentication Bypass, Project Zero Labs
• [FD] CVE-2014-8767 tcpdump denial of service in verbose mode using malformed OLSR payload, Steffen Bauch
• [FD] CVE-2014-8768 tcpdump denial of service in verbose mode using malformed Geonet payload, Steffen Bauch
• [FD] CVE-2014-8769 tcpdump unreliable output using malformed AOVD payload, Steffen Bauch
• [FD] PHPFox XSS AdminCP, Wesley Henrique
• [FD] CVE-2014-7911: Android <5.0 Privilege Escalation using ObjectInputStream, Jann Horn
• [FD] CVE-2014-2382 - Arbitrary Code Execution In Faronics Deep Freeze Standard and Enterprise, Portcullis Advisories
• [FD] Bootkit via SMS, SCADA StrangeLove
• [FD] CVE-2014-8600 - Insufficient Input Validation By IO Slaves In KDE e.V. KDE, Portcullis Advisories
• [FD] CVE-2014-2630 - SetUID/SetGID Programs Allow Privilege Escalation Via Insecure RPATH in Compaq/Hewlett Packard Glance for Linux, Portcullis Advisories
• [FD] CVE-2014-7137 - Multiple SQL Injections in Dolibarr ERP & CRM, Portcullis Advisories
• [FD] [CORE-2014-0008] - Advantech AdamView Buffer Overflow, CORE Advisories Team
• [FD] [CORE-2014-0009] - Advantech EKI-6340 Command Injection, CORE Advisories Team
• [FD] [CORE-2014-0010] - Advantech WebAccess Stack-based Buffer Overflow, CORE Advisories Team
• [FD] Capstone disassembly engine 3.0 released!, Nguyen Anh Quynh
• [FD] CVE-2014-8349 LIFERAY Portal Stored XSS, Garcia, Ariel (LATCO - Buenos Aires)
• [FD] WordPress 3 persistent script injection, Jouko Pynnonen
• [FD] DAVOSET v.1.2.3, MustLive
• [FD] Beginners error: "Google update" runs rogue programs %USERPROFILE%\Local.exe, %USERPROFILE%\Local Settings\Application.exe, %SystemDrive%\Documents.exe, %SystemDrive%\Program.exe, ..., Stefan Kanthak
• [FD] AST-2014-012: Mixed IP address families in access control lists may permit unwanted traffic., Asterisk Security Team
• [FD] AST-2014-013: PJSIP ACLs are not loaded on startup, Asterisk Security Team
• [FD] AST-2014-014: High call load may result in hung channels in ConfBridge., Asterisk Security Team
• [FD] AST-2014-015: Remote Crash Vulnerability in PJSIP channel driver, Asterisk Security Team
• [FD] AST-2014-016: Remote Crash Vulnerability in PJSIP channel driver, Asterisk Security Team
• [FD] AST-2014-017: <font size="3" style="font-size: 12pt">Permission escalation through ConfBridge actions/dialplan functions</font>, Asterisk Security Team
• [FD] AST-2014-018: AMI permission escalation through DB dialplan function, Asterisk Security Team
• [FD] Supr Shopsystem - Persistent UI Vulnerability, Vulnerability Lab
• [FD] FluxBB <= 1.5.6 SQL Injection, secthrowaway
  • <Possible follow-ups>
  • Re: [FD] FluxBB <= 1.5.6 SQL Injection, secthrowaway
• [FD] on Linux, 'less' can probably get you owned, Michal Zalewski
• [FD] Exploit for stealing backups on WP sites with WP-DB-Backup v2.2.4 plugin, Larry W. Cashdollar
• [FD] DataSoft Nova Anti-reconnaissance System 13.10.0 || Stored XSS, static rez
• [FD] Slider Revolution/Showbiz Pro shell upload exploit, Simo Ben youssef
  • Re: [FD] Slider Revolution/Showbiz Pro shell upload exploit, Ryan Dewhurst
    • Re: [FD] Slider Revolution/Showbiz Pro shell upload exploit, Simo Ben youssef
  • Re: [FD] Slider Revolution/Showbiz Pro shell upload exploit, Lukasz Biegaj
• [FD] Defense in depth -- the Microsoft way (part 21): errors/inconsistencies in Windows registry data may lead to buffer overflows or use of random data, Stefan Kanthak
• [FD] Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates, Stefan Kanthak
  • Re: [FD] Defense in depth -- the Microsoft way (part 20): Microsoft Update may fail to offer current security updates, Susan Bradley
• [FD] MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability, Taoguang Chen
• [FD] phpBB <= 3.1.1 deregister_globals() Function Bypass, Taoguang Chen
• [FD] CVE-2014-8609 Android Settings application privilege leakage vulnerability, Wang,Tao(Scloud)
• [FD] device42 DCIM authenticated remote root via appliance manager, Brandon Perry
• [FD] CVE-2014-8610 Android < 5.0 SMS resend vulnerability, Wang,Tao(Scloud)
• [FD] CVE-2014-8507 Android < 5.0 SQL injection vulnerability in WAPPushManager, Wang,Tao(Scloud)
• [FD] FileVista < v6.0.8.0 Insecure zip file handling, DS MailingList
• [FD] CVE-2014-5439 - Root shell on Sniffit [with exploit], Hector Marco
• [FD] The Weather Channel weather.com Almost All Links Vulnerable to XSS Attacks, Jing Wang
• [FD] CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Vulnerability, Jing Wang
• [FD] CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation, Jing Wang
• [FD] All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (cross site scripting) Attacks, Jing Wang
• [FD] Agafi/ROP v1.0 released !, Nicolas A. Economou
• [FD] XSS (in 20 chars) in Microsoft IIS 7.5 error message, A Z
• [FD] [Tool] Responder v2.1.3, laurent gaffie
• [FD] CSRF and XSS vulnerabilities in D-Link DAP-1360, MustLive
• [FD] [KIS-2014-13] Tuleap <= 7.6-4 (register.php) PHP Object Injection Vulnerability, Egidio Romano
• [FD] Defense in depth -- the Microsoft way (part 22): no DEP in Windows' filesystem (and ASLR barely used), Stefan Kanthak