Mail Thread Index

• Date Index

• [FD] CVE-2017-6189-Amazon Kindle for Windows, Nitesh Shilpkar
• [FD] Advisory X41-2017-001: Multiple Vulnerabilities in X.org, X41 D-Sec GmbH Advisories
• [FD] Multiple persistent Cross-Site Scripting vulnerabilities in osTicket, Securify B.V.
• [FD] Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability, Summer of Pwnage
• [FD] Admin Custom Login WordPress plugin affected by persistent Cross-Site Scripting via Logo URL field, Summer of Pwnage
• [FD] Admin Custom Login WordPress plugin custom login page affected by persistent Cross-Site Scripting, Summer of Pwnage
• [FD] Cross-Site Scripting vulnerability in Trust Form WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Scripting vulnerability in WP-Filebase Download Manager WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Scripting vulnerability in WP-SpamFree Anti-Spam WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Request Forgery in File Manager WordPress plugin, Summer of Pwnage
• [FD] Cross-Site Request Forgery in Global Content Blocks WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Scripting vulnerability in Gwolle Guestbook WordPress Plugin, Summer of Pwnage
• [FD] Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability, Summer of Pwnage
• [FD] Persistent Cross-Site Scripting in the WordPress NewStatPress plugin, Summer of Pwnage
• [FD] Cross-Site Scripting vulnerability in Tribulant Slideshow Galleries WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Request Forgery in WordPress Download Manager Plugin, Summer of Pwnage
• [FD] Gwolle Guestbook mass action vulnerable for Cross-Site Request Forgery, Summer of Pwnage
• [FD] Cross-Site Request Forgery in Atahualpa WordPress Theme, Summer of Pwnage
• [FD] Cross-Site Scripting in Atahualpa WordPress Theme, Summer of Pwnage
• [FD] Cross-Site Scripting in Magic Fields 1 WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Scripting in Google Analytics Dashboard WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Scripting in Alpine PhotoTile for Instagram WordPress Plugin, Summer of Pwnage
• [FD] VaultPress - Remote Code Execution via Man in The Middle attack, Summer of Pwnage
• [FD] WordPress Adminer plugin allows public (local) database login, Summer of Pwnage
• [FD] Popup by Supsystic WordPress plugin vulnerable to Cross-Site Request Forgery, Summer of Pwnage
• [FD] Stored Cross-Site Scripting vulnerability in User Login Log WordPress Plugin, Summer of Pwnage
• [FD] Cross-Site Request Forgery & Cross-Site Scripting in Contact Form Manager WordPress Plugin, Summer of Pwnage
• [FD] Stored Cross-Site Scripting vulnerability in Contact Form WordPress Plugin, Summer of Pwnage
• Re: [FD] Teradici Management Console 2.2.0 - Privilege Escalation, Jack Cha
• [FD] Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution, Karn Ganeshen
• [FD] Veritas NetBackup v6.x, v7.x, v8.0 and NetBackup appliances v2.x, v3.0 - Multiple Critical Vulnerabilities, Sven Blumenstein
• [FD] SEC Consult SA-20170301 :: XXE and XSS vulnerabilities in Aruba AirWave, SEC Consult Vulnerability Lab
• [FD] New BlackArch Linux ISOs (2017.03.01) released!, Black Arch
• [FD] Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0, Larry W. Cashdollar
• [FD] Executable installers are defective^WEVIL (case 1): putty-0.68-installer.exe, Stefan Kanthak
• [FD] Call for Papers for 5th Balkan Computer Congress – BalCCon2k17, Milos Krasojevic
• [FD] CVE-2017-6443: Persistent XSS in EPSON TMNet WebConfig Ver. 1.00, Michael Benich
• [FD] Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13, Kyle Neideck
  • Re: [FD] Remote code execution via CSRF vulnerability in the web UI of Deluge 1.3.13, Thomas Deutschmann
• [FD] 0-Day: Dahua backdoor Generation 2 and 3, bashis
  • Re: [FD] 0-Day: Dahua backdoor Generation 2 and 3, Chris Holland
  • <Possible follow-ups>
  • Re: [FD] 0-Day: Dahua backdoor Generation 2 and 3, bashis
    • Re: [FD] 0-Day: Dahua backdoor Generation 2 and 3, bashis
• [FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe, Stefan Kanthak
  • Re: [FD] Executable installers are defective^WEVIL (case 2): innosetup-5.5.9.exe and innosetup-5.5.9-unicode.exe, fulldisclosure
• [FD] CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility, Aromal Raj
• [FD] OpenElec: Remote Code Execution Vulnerability through Man-In-The-Middle(CVE-2017-6445), Wolfgang
• [FD] CVE-2017-6430: Out-of-Bounds Read (DOS) Vulnerability in Ettercap Etterfilter utility, Aromal Raj
• [FD] Cross-Site Request Forgery in WordPress Press This function allows DoS, Summer of Pwnage
• [FD] WordPress audio playlist functionality is affected by Cross-Site Scripting, Summer of Pwnage
• [FD] [Tool] Docker Scan: Security analysis tools for Docker Images and Docker Registries, cr0hn
• [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities, Securify B.V.
• [FD] SEC Consult SA-20170307-0 :: Unauthenticated OS command injection & arbitrary file upload in Western Digital WD My Cloud, SEC Consult Vulnerability Lab
• [FD] Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability, Securify B.V.
• [FD] Stack-based buffer overflow in Western Digital My Cloud allows for remote code execution, Securify B.V.
• [FD] Bypassing Authentication on iball Baton Routers, Indrajith AN
  • <Possible follow-ups>
  • [FD] Bypassing Authentication on iball Baton Routers, Indrajith AN
• [FD] Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in GoAhead, Pierre Kim
• [FD] SEC Consult SA-20170308-0 :: Multiple vulnerabilities in Navetti PricePoint, SEC Consult Vulnerability Lab
• [FD] SICUNET Physical Access Controller - Multiple Vulnerabilities, Andrew Griffiths
• [FD] FTP Voyager Scheduler v16.2.0 CSRF Remote Command Execution, hyp3rlinx
• [FD] CVE-2017-6466 - Remote Code Execution under SYSTEM via MITM in F-Secure AV, Martin Kolárik
• [FD] Multiple vulnerabilities discovered in dnaLIMS DNA sequencing web-application, Nicholas von Pechmann
• [FD] Hardwear.io Call For Papers 2017 is open!, Yuliya Pliavaka
• [FD] CVE-2017-6550: Kinsey Infor-Lawson - Multiple SQL Injections, Michael Benich
• [FD] DAVOSET v.1.3, MustLive
• [FD] KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery, KoreLogic Disclosures
• [FD] CVE-2017-6805 MobaXterm Personal Edition v9.4 Directory Traversal File Disclosure, hyp3rlinx
• [FD] Aleph Research: Attacking Nexus 9 with Malicious Headphones (CVE-2017-0510), Roee Hay
• [FD] URL spoofing in UC browser., x ksi
• [FD] Microsoft Edge Fetch API allows setting of arbitrary request headers, Securify B.V.
• [FD] SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products, SEC Consult Vulnerability Lab
  • Re: [FD] SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products, Carlos Silva
• [FD] Microsoft Windows "LoadUvsTable()" Buffer Overflow Vulnerability, Hossein Lotfi
• [FD] Windows DVD Maker XML External Entity File Disclosure, hyp3rlinx
• [FD] Axis Camera Multiple Vulnerabilities, David Wearing
• [FD] USB Pratirodh XML External Entity Injection Vulnerability, Sachin Wagh
• [FD] USB Pratirodh Insecure Password Storage Information Disclosure Vulnerability, Sachin Wagh
• [FD] Skype Insecure Library Loading Vulnerability (api-ms-win-core-winrt-string-l1-1-0.dll), Sachin Wagh
• [FD] phplist 3.2.6: SQL Injection, Curesec Research Team (CRT)
• [FD] phplist 3.2.6: XSS, Curesec Research Team (CRT)
• [FD] HumHub 1.0.1: XSS, Curesec Research Team (CRT)
• [FD] HumHub 0.20.1 / 1.0.0-beta.3: Code Execution, Curesec Research Team (CRT)
• [FD] [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting, 陈彦羽
• [FD] TS Session Hijacking / Privilege escalation all windows versions, Alexander Korznikov
  • Re: [FD] TS Session Hijacking / Privilege escalation all windows versions, Kevin Beaumont
• [FD] CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service, hyp3rlinx
• [FD] Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router., Indrajith AN
• [FD] Adium vulnerable to remote code execution via libpurple, erythronium23
• [FD] SEC Consult SA-20170322-0 :: Multiple vulnerabilities in Solare Datensysteme Solar-Log devices, SEC Consult Vulnerability Lab
• [FD] [ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM, ERPScan inc
• [FD] QNAP QTS Domain Privilege Escalation Vulnerability, Pasquale Fiorillo
• [FD] [CVE-2017-6087] EON 5.0 Remote Code Execution, Sydream Labs
• [FD] [CVE-2017-6088] EON 5.0 Multiple SQL Injection, Sydream Labs
• [FD] [CVE-2017-5869] Nuxeo Platform remote code execution, Sydream Labs
• [FD] APPLE-SA-2017-03-22-1 iTunes for Windows 12.6, Apple Product Security
• [FD] APPLE-SA-2017-03-22-2 iTunes for Mac 12.6, Apple Product Security
• [FD] Faraday v2.4: Collaborative Penetration Test and Vulnerability Management Platform, Francisco Amato
• [FD] Defense in depth -- the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier", Stefan Kanthak
• [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups", Stefan Kanthak
• [FD] [CVE-2017-7240] Miele Professional PG 8528 - Web Server Directory Traversal, Jens Regel
• [FD] [FOXMOLE SA 2017-01-25] inoERP - Multiple Issues, FOXMOLE Advisories
• [FD] pfsense 2.3.2: Code Execution, Curesec Research Team (CRT)
• [FD] pfsense 2.3.2: XSS, Curesec Research Team (CRT)
• [FD] pfsense 2.3.2: CSRF, Curesec Research Team (CRT)
• [FD] Vulnerabilities in Transcend Wi-Fi SD Card, MustLive
  • Re: [FD] Vulnerabilities in Transcend Wi-Fi SD Card, Joey Kelly
• [FD] APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS, Apple Product Security
• [FD] CVE-2017-5900, Luke Symons
• [FD] DzSoft PHP Editor v4.2.7 File Enumeration [**UPDATED FIXED TYPO], hyp3rlinx
• [FD] Outlook Remote Crashing Bug, Haifei Li
• [FD] APPLE-SA-2017-03-27-2 Safari 10.1, Apple Product Security
• [FD] APPLE-SA-2017-03-27-4 iOS 10.3, Apple Product Security
• [FD] APPLE-SA-2017-03-27-5 watchOS 3.2, Apple Product Security
• [FD] APPLE-SA-2017-03-27-7 macOS Server 5.3, Apple Product Security
• [FD] APPLE-SA-2017-03-27-3 macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite, Apple Product Security
• Re: [FD] Defense in depth -- the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups", Stefan Kanthak
• [FD] Hidden malicious modules in MS VBA (Visual Basic for Applications), Thegrideon Software
• [FD] APPLE-SA-2017-03-28-1 iCloud for Windows 6.2, Apple Product Security
• [FD] APPLE-SA-2017-03-28-2 Additional information for APPLE-SA-2017-03-22-1 iTunes for Windows 12.6, Apple Product Security
• [FD] Splunk Enterprise Information Theft - CVE-2017-5607, hyp3rlinx
• Re: [FD] Hidden malicious modules in MS VBA (Visual Basic for Applications, Douglas Held