Mail Thread Index

• Date Index

• [FD] SEC Consult SA-20170403-0 :: Misbehavior of PHP fsockopen function, SEC Consult Vulnerability Lab
• [FD] Trend Micro Enterprise Mobile Security Android Application - MITM SSL Certificate Vulnerability (CVE-2016-9319), David Coomber
• [FD] CVE Request -- mapr: information disclosure vulnerability, Mark Felder
• [FD] Cross-site request forgery (CSRF) vulnerability in the D-Link (DIR 615 ) Wireless Router Firmware:20.09, pratik shah
• [FD] APPLE-SA-2017-04-03-1 iOS 10.3.1, Apple Product Security
• [FD] AST-2017-001: Buffer overflow in CDR's set user, Asterisk Security Team
• [FD] Dell OpenManage Server Administrator v8.4: CVE-2016-4004 Addendum, Harrison Neal
• [FD] CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service, Advisories
• [FD] ManageEngine Applications Manager Multiple Vulnerabilities, ljj
• [FD] Inchoo Facebook Connect Extension for Magento Parameter XSS, Patrick Webster via Fulldisclosure
• [FD] Manhattan Software IWMS (Integrated Workplace Management System) XML External Entity (XXE) Injection File Disclosure, Patrick Webster via Fulldisclosure
• [FD] AirWatch Self Service Portal Username Parameter LDAP Injection, Patrick Webster via Fulldisclosure
• [FD] Avaya Radvision SCOPIA Desktop dlg_loginownerid.jsp ownerid SQL Injection, Patrick Webster via Fulldisclosure
• [FD] Lotus Protector for Mail Security remote code execution, Patrick Webster via Fulldisclosure
• [FD] Kaseya VSA 6.5 Parameter Reflected XSS, Enumeration and Bruteforce Weakness, Patrick Webster via Fulldisclosure
• [FD] Computer Associates API Gateway CRLF Response Splitting, Directory Traversal vulnerabilities, Patrick Webster via Fulldisclosure
• [FD] Tweek!DM Document Management Authentication bypass, SQL injection, Patrick Webster via Fulldisclosure
• [FD] SilverStripe CMS - Path Disclosure, Patrick Webster via Fulldisclosure
• [FD] SmartJobBoard - Cross-site scripting, personal information disclosure and PHPMailer package, Patrick Webster via Fulldisclosure
• [FD] AcoraCMS browser redirect and Cross-site scripting vulnerabilities, Patrick Webster via Fulldisclosure
• [FD] Kaseya information disclosure vulnerability, Patrick Webster via Fulldisclosure
• [FD] iPlatinum iOneView Multiple Parameter Reflected XSS, Patrick Webster via Fulldisclosure
• [FD] Moodle URL Manipulation Remote Account Information Disclosure, Patrick Webster via Fulldisclosure
• [FD] DefenseCode ThunderScan SAST Advisory: Apache Tomcat Directory/Path Traversal, DefenseCode
• [FD] Spiceworks 7.5 TFTP Improper Access Control File Overwrite / Upload, hyp3rlinx
• [FD] Apple Music Android Application - MITM SSL Certificate Vulnerability (CVE-2017-2387), David Coomber
• [FD] QNAP QTS multiple RCE vulnerabilities (CVE-2017-6361, CVE-2017-6360, CVE-2017-6359), Harry Sintonen
• [FD] APPLE-SA-2017-04-04-1 Apple Music 2.0 for Android, Apple Product Security
• [FD] CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can (WordPress plugin), dxw Security
• [FD] [DefenseCode WhitePaper]: BroadCom UPnP Format String Preauth Root Exploit Aftermath (Few Years Later), DefenseCode
• [FD] SEC Consult SA-20170407-0 :: Server-Side Request Forgery in MyBB forum, SEC Consult Vulnerability Lab
• [FD] DAVOSET v.1.3.1, MustLive
• [FD] Executable installers are vulnerable^WEVIL (case 49): 1Password-4.6.1.619.exe allows arbitrary code execution, Stefan Kanthak
• [FD] LAquis SCADA Access Control Vulnerability, Karn Ganeshen
• [FD] Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution, Karn Ganeshen
• [FD] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities, Karn Ganeshen
• [FD] Cambium SNMP Security Vulnerabilities, Karn Ganeshen
• [FD] Carlo Gavazzi VMUC-EM - Multiple Vulnerabilities, Karn Ganeshen
• [FD] DragonWave Horizon Hard-coded Credentials Vulnerability (multiple versions), Ian Ling
• [FD] CVE Request:Mutiple CSRF vulnerabilities in e107 CMS 2.1.4, Wester 95
• [FD] CVE Request:Multiple CSRF in WordPress WHIZZ allow attackers to delete any wordpress users and change plugins status, Wester 95
• [FD] CVE Request:CSRF in wordpress copysafe web allows attacker changes plugin settings, Wester 95
• [FD] WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection, Manuel Garcia Cardenas
• [FD] CVE-Request:stored XSS in Serendipity v2.1-rc1 allows attacker steals admin’s cookie and other informations, Wester 95
• [FD] NSE script for exploiting BOF in Microsoft's IIS 6.0 and Windows Server 2003, Rewanth Cool
• [FD] NSE Script for exploiting Directory traversal vulnerability in Wordpress, Rewanth Cool
• [FD] NSE scripts for XSS and session hijacking in AsusWRT, Rewanth Cool
• [FD] NSE Script for CVE 2017-6527, Rewanth Cool
• [FD] Moxa MXview v2.8 Remote Private Key Disclosure, hyp3rlinx
• [FD] CVE-2017-7456 MXview v2.8 Denial Of Service, hyp3rlinx
• [FD] Moxa MX AOPC-Server v1.5 XML External Entity, hyp3rlinx
• [FD] CVE Request:CSRF in Serendipity allows attacker installs any themes, Wester 95
• [FD] CVE Request:XSS Injection in Email MyCode (MyBB <1.8.11), Wester 95
• [FD] CVE Request:Directory Traversal in smilie module(MyBB <1.8.11), Wester 95
• [FD] CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18, Mark Wadham
  • Re: [FD] CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18, Mark Wadham
• [FD] SSD Advisory – Horde Groupware Webmail Multiple Remote Code Execution Vulnerabilities, Maor Shwartz
• [FD] [SYSS-2015-035] Password Safe and Repository Enterprise v7.4.4 - SQL Injection (CWE-89), Matthias Deeg
• [FD] [SYSS-2015-036] Password Safe and Repository Enterprise v7.4.4 - Violation of Secure Design Principles (CWE-657), Matthias Deeg
  • <Possible follow-ups>
  • Re: [FD] [SYSS-2015-036] Password Safe and Repository Enterprise v7.4.4 - Violation of Secure Design Principles (CWE-657), Nick Boyce
• [FD] ChromeOS / ChromeBooks Persist Certain Network Settings in Guest Mode, Nightwatch Cybersecurity Research
• [FD] Multiple local privilege escalation vulnerabilities in Proxifier for Mac, Securify B.V.
• [FD] Microsoft Office OneNote 2007 DLL side loading vulnerability, Securify B.V.
• [FD] c0c0n X August 17-19, 2017 Call for Papers Open, Prajwal Panchmahalkar
• [FD] Proxifier for Mac 2.19 local root privesc, Mark Wadham
• [FD] DefenseCode ThunderScan SAST Advisory: WordPress Tribulant Slideshow Gallery Plugin - Cross-Site Scripting Vulnerabilities, DefenseCode
• [FD] DefenseCode ThunderScan SAST Advisory: 53+ WordPress plugins by BestWebSoft Multiple Cross-Site Scripting (XSS) Vulnerabilities, DefenseCode
• [FD] DefenseCode Security Advisory: Magento 0day Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF), DefenseCode
• [FD] Adobe Creative Cloud Desktop Application <= v4.0.0.185 Privilege Escalation, hyp3rlinx
• [FD] Persistent Cross-Site Scripting in Scriptler Jenkins Plugin, Securify B.V.
• [FD] CVE-2017-0199 PoC, David ROUTIN
• [FD] Mantis Bug Tracker v1.3.0 / 2.3.0 Pre-Auth Remote Password Reset, hyp3rlinx
• [FD] SSD Advisory – Ubuntu LightDM Guest Account Local Privilege Escalation, Maor Shwartz
• [FD] Cross-Site Request Forgery in WordPress Connection Information, Summer of Pwnage
• [FD] Unicorn Emulator v1.0.1 is out!, Nguyen Anh Quynh
• [FD] nt!_SEP_TOKEN_PRIVILEGES – Single Write EoP Protect, Kyriakos Economou
• [FD] [ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft PeopleSoftServiceListeningConnector, ERPScan inc
• [FD] [ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT, ERPScan inc
• [FD] [ERPSCAN-17-022] SSRF in PeopleSoft IMServlet, ERPScan inc
• [FD] SecretServerSecretStealer - An extraction utility for Thycotic Secret Server, Denis Andzakovic
• [FD] Code Injection through DLL Sideloading in 64bit Oracle Java, Florian Bogner
• [FD] CVE-2017-7991-SQL injection-Exponent CMS, 404 Not Found
• [FD] DefenseCode ThunderScan SAST Advisory: WordPress AccessPress Social Icons Plugin Multiple SQL injection Security Vulnerabilities, DefenseCode
• [FD] DefenseCode ThunderScan SAST Advisory: Ultimate Form Builder Cross-Site Scripting (XSS) Vulnerability, DefenseCode
• [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Filippo Cavallarin
  • Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Dawid Golunski
    • Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Filippo Cavallarin
      • Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Dawid Golunski
        • Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Filippo Cavallarin
          • Re: [FD] CVE-2017-7692: Squirrelmail 1.4.22 Remote Code Execution, Dawid Golunski
• [FD] Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges, Securify B.V.
• [FD] Tales of SugarCRM Security Horrors, Egidio Romano
• [FD] KL-001-2017-005 : Solarwinds LEM Privilege Escalation via Controlled Sudo Path, KoreLogic Disclosures
• [FD] KL-001-2017-006 : Solarwinds LEM Privilege Escalation via Sudo Script Abuse, KoreLogic Disclosures
• [FD] KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection, KoreLogic Disclosures
• [FD] KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read, KoreLogic Disclosures
• [FD] KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials, KoreLogic Disclosures
• [FD] CVE-2017-7221. OpenText Documentum Content Server: arbitrary code execution in dm_bp_transition.ebs docbase method, Andrey B. Panfilov
• [FD] OXATIS 'EMail' Cross Site Scripting Vulnerability, HTTPCS
• [FD] Flyspray 'real_name' Cross Site Scripting Vulnerability, HTTPCS
• [FD] Samsung Smart TV Wi-Fi Direct Improper Authentication, Info
• [FD] Dell Customer Connect 1.3.28.0 Privilege Escalation, Kacper Szurek
• [FD] SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities, Maor Shwartz
• [FD] SEC Consult SA-20170425-0 :: Portrait Display SDK Service Privilege Escalation, SEC Consult Vulnerability Lab
• [FD] Security Issues in Alerton Webtalk (Auth Bypass, RCE), David Tomaschik via Fulldisclosure
• [FD] Apple iOS 10.2 & 10.3 - Control Panel Denial of Service Vulnerability, Vulnerability Lab
• [FD] Multiple local privilege escalation vulnerabilities in HideMyAss Pro VPN client v2.x for OS X, Securify B.V.
• [FD] Local privilege escalation vulnerability in HideMyAss Pro VPN client v3.x for macOS, Securify B.V.
• [FD] SyntaxHighlight MediaWiki extension allows injection of arbitrary Pygments options, Securify B.V.
• [FD] CVE-2017-7981: Tuleap Remote OS Command Injection, Ben N
• [FD] PRL and CSRF vulnerabilities in D-Link DAP-1360, MustLive
• [FD] 360 security android app snoops data to China Unicom network via insecure HTTP, seclists