Information Security


Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Updated: May 5, 2014
Published: May 5, 2014
SecurityVulns ID: 13733
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: CACTI : cacti 0.8
 MYBB : Mybb 1.6
 POSTFIXADMIN : postfixadmin 2.3
 EXTPLORER : extplorer 2.1
 OTRS : otrs 3.2
 SYNOLOGY : Synology DSM 4.3
 NAGIOS : Nagios 3.5
 WOLTLAB : Woltlab Burning Board 3.9
 SENDY : Sendy 1.1
 ZEND : php-ZendFramework 1.12
 PHPFOX : PHPFox 3.7
 MEDIAWIKI : MediaWiki 1.22
 CHECKMK : check_mk 1.2
 ICINGA : icinga 1.9
 CACTI : php-font-lib 0.3
 WEBMIN : Webmin 1.590
 SEEDDMS : SeedDMS 4.3
 REXX : rexx Recruitment 7
 INTERWORX : InterWorx Control Panel 5.0
 VTIGER : Vtiger CRM 6.0
 PROCENTIA : IntelliPen 1.1
 PIVOTAL : Spring MVC 4.0
 ESTORE : E-store 2.0
 CLANSPHERE : ClanSphere 2011.4
 WORDPRESS : thecotton Themes 1.14
 PIVOTAL : Grails 2.3
 FITNESSWIKI : Fitnesse Wiki 20131110
 WORDPRESS : Media File Renamer 1.7
 COSMOSHOP : CosmoShop ePRO 10.17
 INTERWORX : InterWorx Web Control Panel 5.0
 PHPMYADMIN : phpMyAdmin 4.1
 TELLIGENT : Telligent Evolution 7.5
 PHPMYBACKUPPRO : phpMyBackupPro 2.4
 OPENWEBANALYTICS : Open Web Analytics 1.5
 WORDPRESS : Buddypress 1.9
 FREEPBX : FreePBX 2.11
 FREEPBX : FreePBX 12.0
CVE: CVE-2014-2685 (The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.)
 CVE-2014-2684 (The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 does not verify that the openid_op_endpoint value identifies the same Identity Provider as the provider used in the association handle, which allows remote attackers to bypass authentication and spoof arbitrary OpenID identities by using a malicious OpenID Provider that generates OpenID tokens with arbitrary identifier and claimed_id values.)
 CVE-2014-2683 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to cause a denial of service (CPU consumption) via (1) recursive or (2) circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-6532.)
 CVE-2014-2682 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0, when PHP-FPM is used, does not properly share the libxml_disable_entity_loader setting between threads, which might allow remote attackers to conduct XML External Entity (XXE) attacks via an XML external entity declaration in conjunction with an entity reference. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.)
 CVE-2014-2681 (Zend Framework 1 (ZF1) before 1.12.4, Zend Framework 2 before 2.1.6 and 2.2.x before 2.2.6, ZendOpenId, ZendRest, ZendService_AudioScrobbler, ZendService_Nirvanix, ZendService_SlideShare, ZendService_Technorati, and ZendService_WindowsAzure before 2.0.2, ZendService_Amazon before 2.0.3, and ZendService_Api before 1.0.0 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack. NOTE: this issue exists because of an incomplete fix for CVE-2012-5657.)
 CVE-2014-2655 (SQL injection vulnerability in the gen_show_status function in functions.inc.php in Postfix Admin (aka postfixadmin) before 2.3.7 allows remote authenticated users to execute arbitrary SQL commands via a new alias.)
 CVE-2014-2570 (Cross-site scripting (XSS) vulnerability in www/make_subset.php in PHP Font Lib before 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the name parameter.)
 CVE-2014-2531 (SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx, (2) SiteWorx, or (3) Resellers interface, as demonstrated by the "or" key in a pgn8state object in an i object in a JSON object.)
 CVE-2014-2332 (Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allows remote authenticated users to delete arbitrary files via a request to an unspecified link, related to "Insecure Direct Object References." NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.)
 CVE-2014-2331 (Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.)
 CVE-2014-2330 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Multisite GUI in Check_MK before 1.2.5i2 allow remote attackers to hijack the authentication of users for requests that (1) upload arbitrary snapshots, (2) delete arbitrary files, or possibly have other unspecified impact via unknown vectors.)
 CVE-2014-2329 (Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allow remote authenticated users to inject arbitrary web script or HTML via the (1) agent string for a check_mk agent, a (2) crafted request to a monitored host, which is not properly handled by the logwatch module, or other unspecified vectors.)
 CVE-2014-2328 (lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.)
 CVE-2014-2327 (Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.)
 CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-2280 (Cross-site scripting (XSS) vulnerability in the search feature in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.)
 CVE-2014-2279 (Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary files via a .. (dot dot) in the logname parameter to out/out.LogManagement.php or (2) remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to op/op.AddFile2.php. NOTE: vector 2 can be leveraged to execute arbitrary code by using CVE-2014-2278.)
 CVE-2014-2278 (Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension specified by the partitionIndex parameter and leveraging vector 2 of CVE-2014-2279 to access it via the directory specified by the fileId parameter.)
 CVE-2014-2244 (Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTML via a crafted string located after http:// in the text parameter to api.php.)
 CVE-2014-2243 (includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain access via a brute-force attack that relies on timing differences in responses to incorrect token guesses.)
 CVE-2014-2242 (includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an SVG upload, as demonstrated by use of a W3C XHTML namespace in conjunction with an IFRAME element.)
 CVE-2014-2043 (SQL injection vulnerability in Resources/System/Templates/Data.aspx in Procentia IntelliPen before 1.1.18.1658 allows remote authenticated users to execute arbitrary SQL commands via the value parameter.)
 CVE-2014-2040 (Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer plugin 1.7.0 for WordPress allow remote authenticated users with permissions to add media or edit media to inject arbitrary web script or HTML via unspecified parameters, as demonstrated by the title of an uploaded file.)
 CVE-2014-2035 (Cross-site scripting (XSS) vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.13 build 574 allows remote attackers to inject arbitrary web script or HTML via the i parameter.)
 CVE-2014-1904 (Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.)
 CVE-2014-1889
 CVE-2014-1888 (Cross-site scripting (XSS) vulnerability in the BuddyPress plugin before 1.9.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the name field to groups/create/step/group-details. NOTE: this can be exploited without authentication by leveraging CVE-2014-1889.)
 CVE-2014-1879 (Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action.)
 CVE-2014-1695 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15, and 3.3.x before 3.3.5 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML email.)
 CVE-2014-1694 (Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm, (3) CustomerTicketProcess.pm, and (4) CustomerTicketZoom.pm in Kernel/Modules/ in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allow remote attackers to hijack the authentication of arbitrary users for requests that (5) create tickets or (6) send follow-ups to existing tickets.)
 CVE-2014-1610 (MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5 and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/media/DjVu.php; (2) the w parameter (aka width field) to thumb.php, which is not properly handled by includes/media/PdfHandler_body.php; and possibly unspecified vectors in (3) includes/media/Bitmap.php and (4) includes/media/ImageHandler.php.)
 CVE-2014-1471 (SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.)
 CVE-2014-1455 (SQL injection vulnerability in the password reset functionality in Pearson eSIS Enterprise Student Information System, possibly 3.3.0.13 and earlier, allows remote attackers to execute arbitrary SQL commands via the new password.)
 CVE-2014-1454
 CVE-2014-1224 (Incomplete blacklist vulnerability in the user registration feature in rexx Recruitment R6.1 and R7 without "fixes from 2014-01-15" allows remote attackers to conduct cross-site scripting (XSS) attacks via the oninput event handler in the fname parameter to the default URI in /reg.)
 CVE-2014-1223 (Cross-site scripting (XSS) vulnerability in controlpanel/loading.aspx in Telligent Evolution before 6.1.19.36103, 7.x before 7.1.12.36162, 7.5.x, and 7.6.x before 7.6.7.36651 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: some of these details are obtained from third party information.)
 CVE-2014-1222 (Directory traversal vulnerability in kcfinder/browse.php in Vtiger CRM before 6.0.0 Security patch 1 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter in a download action.)
 CVE-2014-1216 (FitNesse Wiki 20131110, 20140201, and earlier allows remote attackers to execute arbitrary commands by defining a COMMAND_PATTERN and TEST_RUNNER in the pageContent parameter when editing a page.)
 CVE-2014-1206 (SQL injection vulnerability in the password reset page in Open Web Analytics (OWA) before 1.5.5 allows remote attackers to execute arbitrary SQL commands via the owa_email_address parameter in a base.passwordResetRequest action to index.php.)
 CVE-2014-0097
 CVE-2014-0054 (The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.)
 CVE-2014-0053 (The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this identifier has been SPLIT due to different researchers and different vulnerability types. See CVE-2014-2857 for the META-INF variant and CVE-2014-2858 for the directory traversal.)
 CVE-2013-7196 (static/ajax.php in PHPFox 3.7.3, 3.7.4, and 3.7.5 allows remote authenticated users to bypass intended "Only Me" restrictions and comment on a private publication via a request with a modified val[item_id] parameter for the publication.)
 CVE-2013-7195 (PHPFox 3.7.3 and 3.7.4 allows remote authenticated users to bypass intended "Only Me" restrictions and "like" a publication via a request that specifies the ID for the publication.)
 CVE-2013-7108 (Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.)
 CVE-2013-7106 (Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107.)
 CVE-2013-6472 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted pages via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.)
 CVE-2013-6453 (MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.)
 CVE-2013-6452 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.)
 CVE-2013-6451
 CVE-2013-6429 (The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.)
 CVE-2013-6234
 CVE-2013-6233 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via the Description field in the "Short document metadata.")
 CVE-2013-6232 (Cross-site scripting (XSS) vulnerability in SpagoBI before 4.1 allows remote authenticated users to inject arbitrary web script or HTML via a document note in the execution page.)
 CVE-2013-6231
 CVE-2013-5951 (Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer 2.1.3, when used as a component for Joomla!, allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) application.js.php in scripts/ or (2) admin.php, (3) copy_move.php, (4) functions.php, (5) header.php, or (6) upload.php in include/.)
 CVE-2013-4568 (Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as demonstrated using variations of "expression" containing (1) full width characters or (2) IPA extensions, which are converted and rendered by Internet Explorer.)
 CVE-2013-4152 (The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.)
 CVE-2012-4893 (Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue than CVE-2012-2982.)
 CVE-2012-2983 (file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field.)
 CVE-2012-2982 (file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a | (pipe) character.)
 CVE-2012-2981 (Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter.)
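The two Zend OpenID entries (CVE-2014-2685 and CVE-2014-2684) both come down to a relying party accepting a positive assertion without checking what the signature actually covers and who produced it. The following is an added example, not code from Zend Framework or from this summary, written in Python rather than the PHP of the affected product; the field names are the real OpenID 2.0 ones, the HMAC-SHA256 key-value signing is the one the specification defines, and the association record, MAC key and sample response are constructed for the example. The check for CVE-2014-2685 is that every field the relying party relies on appears in `openid.signed`; the check for CVE-2014-2684 is that `openid.op_endpoint` is the provider the association handle was established with.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields a positive assertion must sign (OpenID 2.0 section 10.1); claimed_id and
# identity must be signed as well whenever they are present.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
FULL_SIGNED = list(REQUIRED_SIGNED) + ["claimed_id", "identity"]


class AssertionRejected(Exception):
    """Any positive assertion the relying party must not accept."""


def kv_form(fields: Dict[str, str], signed: List[str]) -> bytes:
    """Key-Value form (section 4.1.1) of the signed fields, in 'signed' order."""
    lines = []
    for name in signed:
        if name not in fields:
            raise AssertionRejected(f"signed field {name!r} is absent from the response")
        value = fields[name]
        if ":" in name or "\n" in name or "\n" in value:
            raise AssertionRejected("illegal character in key-value form")
        lines.append(f"{name}:{value}\n")
    return "".join(lines).encode("utf-8")


def sign_fields(fields: Dict[str, str], signed: List[str], mac_key: bytes) -> str:
    """Base64 HMAC-SHA256 over the KV form (assoc_type HMAC-SHA256)."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_positive_assertion(response: Dict[str, str], association: dict) -> str:
    """Validate an id_res response against the association this RP holds for the OP.

    response: the openid.* parameters received on the return_to URL.
    association: {"handle", "op_endpoint", "mac_key"} stored when the RP associated.
    Returns the claimed identifier, or raises AssertionRejected.
    """
    fields = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
    if fields.get("ns") != OPENID2_NS or fields.get("mode") != "id_res":
        raise AssertionRejected("not an OpenID 2.0 positive assertion")

    signed = fields.get("signed", "").split(",")
    # CVE-2014-2685: "at least one field is signed" is not a check. Every field the RP
    # acts on must be covered, or the attacker chooses the unsigned ones.
    required = list(REQUIRED_SIGNED) + [f for f in ("claimed_id", "identity") if f in fields]
    missing = [f for f in required if f not in signed]
    if missing:
        raise AssertionRejected(f"required fields not covered by the signature: {missing}")
    if "claimed_id" not in fields:
        raise AssertionRejected("assertion carries no claimed_id")

    if fields.get("assoc_handle") != association["handle"]:
        raise AssertionRejected("unknown association handle")
    # CVE-2014-2684: the handle binds the assertion to one provider; a different
    # op_endpoint means another OP is asserting an identity it does not own.
    if fields.get("op_endpoint") != association["op_endpoint"]:
        raise AssertionRejected("op_endpoint does not match the association's provider")

    expected = sign_fields(fields, signed, association["mac_key"])
    if not hmac.compare_digest(expected, fields.get("sig", "")):
        raise AssertionRejected("bad signature")
    return fields["claimed_id"]


def is_rejected(response: Dict[str, str], association: dict) -> bool:
    try:
        verify_positive_assertion(response, association)
        return False
    except AssertionRejected:
        return True


# Constructed sample data for the example (not from any real OP or RP).
MAC_KEY = bytes(range(32))
ASSOC = {"handle": "assoc-1", "op_endpoint": "https://op.example/auth", "mac_key": MAC_KEY}


def sample_response(signed: List[str], **overrides) -> Dict[str, str]:
    """Build a response the way an OP would, signing exactly the listed fields."""
    fields = {
        "ns": OPENID2_NS, "mode": "id_res",
        "op_endpoint": ASSOC["op_endpoint"], "return_to": "https://rp.example/cb",
        "response_nonce": "2014-05-05T00:00:00Zabc", "assoc_handle": ASSOC["handle"],
        "claimed_id": "https://alice.example/", "identity": "https://alice.example/",
    }
    fields.update(overrides)
    fields["signed"] = ",".join(signed)
    fields["sig"] = sign_fields(fields, signed, MAC_KEY)
    return {"openid." + k: v for k, v in fields.items()}
```

A real consumer additionally performs discovery on the claimed identifier and confirms that the discovered OP endpoint is the one in the assertion (section 11.2), and it checks `return_to` and the nonce; the two checks above are the ones the advisory says were missing.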
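CVE-2014-2681 through CVE-2014-2683 (Zend) and CVE-2014-0054, CVE-2013-6429 and CVE-2013-4152 (Spring) are the same family: an XML parser that still honours DOCTYPE machinery on untrusted input, giving either external entity resolution (XXE) or entity expansion (XEE). The portable rule is to refuse any DTD before anything is expanded. This is an added example in Python using only the standard library's expat binding, not code from Zend, Spring or this summary; the payloads are constructed to have the two shapes the advisories describe. Note that the PHP-specific part of CVE-2014-2682 (a per-thread `libxml_disable_entity_loader` setting under PHP-FPM) is exactly why a global toggle is a weaker defence than rejecting the DOCTYPE in the parser you actually call.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Input uses XML features that untrusted documents must not use."""


def parse_untrusted_xml(data) -> ET.Element:
    """Parse XML from an untrusted source, refusing DOCTYPE/entity machinery.

    Pass 1 runs expat with a handler that aborts at the first DOCTYPE token, so
    neither external entities (XXE) nor recursive internal entities (XEE) are
    ever declared, let alone expanded. Pass 2 builds the tree only for input
    that survived pass 1.
    """
    checker = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE declaration rejected (root element {name!r})")

    checker.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: never resolve an external entity, never read parameter entities.
    checker.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    checker.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        checker.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def is_rejected(data) -> bool:
    try:
        parse_untrusted_xml(data)
        return False
    except UnsafeXML:
        return True


# Constructed payloads in the two shapes the advisories describe.
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE d [<!ENTITY f SYSTEM "file:///etc/passwd">]>
<d>&f;</d>"""

XEE = b"""<?xml version="1.0"?>
<!DOCTYPE d [
 <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<d>&c;</d>"""

BENIGN = b'<?xml version="1.0"?><order><item sku="A1" qty="2"/></order>'
```

Recent expat builds also cap entity amplification on their own, but that protects only the XEE half and only on hosts with a new enough library; rejecting the DOCTYPE covers both halves everywhere.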
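CVE-2014-2243 (MediaWiki stopping token validation at the first wrong character) is the textbook non-constant-time comparison. The added example below, in Python and not code from MediaWiki or from this summary, makes the leak visible without a stopwatch: the comparator returns how many characters it examined as a stand-in for elapsed time, and a simulated attacker recovers an 8-character hex token in 128 queries instead of 16^8. The hardened comparator uses `hmac.compare_digest`, which does the same work for every input; the token, alphabet and oracle are constructed for the example.

```python
import hmac
from typing import Callable, Tuple

Oracle = Callable[[str], Tuple[bool, int]]


def leaky_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison like the vulnerable check: (match, chars examined).

    The second value stands in for response time: the loop runs one step
    further for every leading character the attacker already has right.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Fixed-cost comparison: compare_digest touches every byte regardless of where they differ."""
    ok = hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))
    return ok, len(expected)


def recover_by_timing(oracle: Oracle, alphabet: str, length: int) -> Tuple[str, int]:
    """Attacker side: grow the guess one position at a time, keeping the candidate
    that made the server do the most work (or succeeded outright).
    Returns (recovered token, number of oracle queries)."""
    queries = 0

    def measure(candidate: str) -> Tuple[bool, int]:
        nonlocal queries
        queries += 1
        return oracle(candidate)

    guess = ""
    pad = alphabet[0]
    for _ in range(length):
        # (match, examined) tuples order naturally: a success beats any failure,
        # and among failures the one that got further wins.
        best = max(alphabet, key=lambda c: measure((guess + c).ljust(length, pad)))
        guess += best
    return guess, queries


# Constructed values for the example.
HEX = "0123456789abcdef"
TOKEN = "7c3e9a1f"
```

Against `leaky_compare` the attacker's per-position maximum is always the right character; against `constant_time_compare` every candidate looks the same and the "recovered" string is just the padding character repeated, so the attacker is back to exhaustive search.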
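Three MediaWiki entries concern SVG uploads: foreign namespaces smuggling an XHTML IFRAME (CVE-2014-2242), crafted XSL reached through a stylesheet processing instruction (CVE-2013-6452), and invalid XML in general (CVE-2013-6453). An upload filter has to look at the structure, not grep for `<script`. The added example below is a single-pass structural check written in Python on the standard library expat binding; it is not MediaWiki's sanitizer, and the allow-lists and sample documents are constructed for the example. With `namespace_separator=" "` expat reports every namespaced name as `uri local`, which is what lets the check reject anything outside the SVG namespace and any attribute outside the SVG, XLink and `xml:` namespaces.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"
ALLOWED_ATTR_NS = {None, XLINK_NS, XML_NS}
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}  # assumption: this site never needs them


class UnsafeSVG(ValueError):
    """The document contains something a static image has no business containing."""


def _split(qname: str):
    """expat with namespace_separator=' ' reports 'uri local' for namespaced names."""
    uri, _, local = qname.rpartition(" ")
    return (uri or None), local


def check_svg_upload(data: bytes) -> int:
    """Return the element count if the SVG passes, else raise UnsafeSVG.

    Rules: no DOCTYPE, no processing instructions (stops <?xml-stylesheet?> XSL),
    root must be svg, every element in the SVG namespace (stops an XHTML iframe
    brought in through a foreign xmlns), no script/foreignObject, no on*
    attributes, no javascript: hrefs.
    """
    parser = expat.ParserCreate(namespace_separator=" ")
    state = {"elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSVG("DOCTYPE not allowed in an uploaded image")

    def on_pi(target, text):
        raise UnsafeSVG(f"processing instruction <?{target}?> not allowed")

    def on_start(qname, attrs):
        uri, local = _split(qname)
        if state["elements"] == 0 and local != "svg":
            raise UnsafeSVG(f"root element is {local!r}, not svg")
        state["elements"] += 1
        if uri != SVG_NS:
            raise UnsafeSVG(f"element {local!r} in foreign namespace {uri!r}")
        if local in FORBIDDEN_ELEMENTS:
            raise UnsafeSVG(f"element {local!r} not allowed")
        for aname, value in attrs.items():
            auri, alocal = _split(aname)
            if auri not in ALLOWED_ATTR_NS:
                raise UnsafeSVG(f"attribute {alocal!r} in foreign namespace {auri!r}")
            if alocal.lower().startswith("on"):
                raise UnsafeSVG(f"event handler attribute {alocal!r}")
            if alocal == "href" and value.strip().lower().startswith("javascript:"):
                raise UnsafeSVG("javascript: URL in href")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSVG(f"malformed XML: {exc}") from exc
    return state["elements"]


def is_safe_svg(data: bytes) -> bool:
    try:
        check_svg_upload(data)
        return True
    except UnsafeSVG:
        return False


# Constructed samples: one benign image and the shapes from the advisories.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><rect width="10" height="10" fill="red"/></svg>'
IFRAME = b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:h="http://www.w3.org/1999/xhtml"><h:iframe src="https://attacker.example/"/></svg>'
XSL = b'<?xml-stylesheet type="text/xsl" href="evil.xsl"?><svg xmlns="http://www.w3.org/2000/svg"/>'
ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
```

Deny-listing element names would have missed the IFRAME case entirely, because the element is not an SVG element at all; namespace-based allow-listing is what makes the check hold up. A filter like this belongs in front of storage, and the stored file should still be served with a `Content-Disposition`/separate-origin policy that does not depend on the filter being perfect.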
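The SeedDMS pair (CVE-2014-2279 directory traversal in `logname` and `fileId`, CVE-2014-2278 unrestricted upload with a client-chosen extension) and the Vtiger entry (CVE-2014-1222) share one root cause: a client-supplied string reaches a filesystem path without a containment check. The added example below is the check in Python, not SeedDMS or Vtiger code; the base directory, extension allow-list and sample inputs are assumptions for the example. `realpath()` collapses `..` and symlinks before the comparison, so the check is on the path the operating system will actually open, and the upload side never lets the client pick either the directory or the stored name.

```python
import os
import secrets

ALLOWED_UPLOAD_EXT = {".pdf", ".png", ".jpg", ".txt"}  # assumption: what this DMS stores


class UnsafePath(ValueError):
    """The requested path would leave the directory the handler is confined to."""


def resolve_under(base_dir: str, untrusted: str) -> str:
    """Join an untrusted relative name onto base_dir and prove the result stays inside.

    An absolute input is caught too: os.path.join discards base_dir for it, and
    the containment check then fails.
    """
    if "\x00" in untrusted:
        raise UnsafePath("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise UnsafePath(f"{untrusted!r} resolves outside {base}")
    return candidate


def upload_destination(upload_dir: str, client_filename: str) -> str:
    """Where an upload goes: server-chosen name, allow-listed extension, contained path.

    Only the extension survives from the client's name, so 'shell.php', '../x.txt'
    and 'shell.php.txt' all become <random>.<ext> directly under upload_dir.
    """
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED_UPLOAD_EXT:
        raise UnsafePath(f"extension {ext!r} not allowed")
    return resolve_under(upload_dir, secrets.token_hex(16) + ext)


def escapes(base_dir: str, untrusted: str) -> bool:
    try:
        resolve_under(base_dir, untrusted)
        return False
    except UnsafePath:
        return True


def upload_rejected(upload_dir: str, client_filename: str) -> bool:
    try:
        upload_destination(upload_dir, client_filename)
        return False
    except UnsafePath:
        return True


BASE = "/srv/seeddms/data"  # constructed; need not exist for the path arithmetic
```

The extension allow-list alone would not have stopped CVE-2014-2278, because there the executable extension was supplied by a different parameter than the file name; that is why the server, not the request, composes the final name.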
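Eight entries above are SQL injection, and CVE-2014-1206 (Open Web Analytics) and CVE-2014-1455 (Pearson eSIS) both sit in a password reset path, where the payoff is another user's reset token rather than a dumped table. The added example below is Python against an in-memory SQLite database, not code from either product; the schema, rows and payloads are constructed. The vulnerable query splices the e-mail address into the SQL text; the fixed query hands it to the driver as a parameter, so the same string is only ever data.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with pending reset tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, reset_token TEXT)")
    conn.executemany(
        "INSERT INTO users (email, reset_token) VALUES (?, ?)",
        [("alice@example.org", "tok-alice"), ("bob@example.org", "tok-bob")],
    )
    return conn


def find_for_reset_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """String interpolation: the value becomes part of the SQL grammar."""
    sql = f"SELECT email, reset_token FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_for_reset_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Parameter binding: the value is sent separately from the statement text."""
    return conn.execute(
        "SELECT email, reset_token FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker inputs for the owa_email_address-style parameter.
PAYLOAD_OR = "x' OR '1'='1"
PAYLOAD_UNION = (
    "nobody' UNION SELECT email, reset_token FROM users WHERE email = 'alice@example.org"
)
```

The UNION payload is the realistic one: it returns alice's token to a request that never authenticated as alice, which is how a reset-page injection becomes account takeover. The parameterized version returns nothing for either payload because no account's e-mail literally equals the payload string.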
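Cacti (CVE-2014-2328, `lib/graph_export.php`), MediaWiki (CVE-2014-1610, the `w` width field reaching a shell), Webmin (CVE-2012-2982, a `|` in a pathname) and FitNesse (CVE-2014-1216) all execute a command built from request data through a shell. The added example below shows the two sides in Python; it is not code from any of those projects, and `echo` stands in for the real renderer or archiver so that the block runs anywhere. The fix has two parts that both matter: pass an argument vector so no shell parses the string, and validate the value against what the parameter can legitimately be, since an argument vector alone would still let a width of `--dangerous-flag` reach the tool.

```python
import re
import subprocess

WIDTH = re.compile(r"[1-9][0-9]{0,3}")  # assumption: widths 1-9999 are the only legal values


def export_graph_vulnerable(width: str) -> str:
    """Vulnerable form: the string is handed to /bin/sh, so ';', '|', '$()' in width are shell syntax."""
    cmd = f"echo rendering width={width}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def export_graph_safe(width: str) -> str:
    """Hardened form: validate, then pass an argument vector with no shell in between."""
    if not WIDTH.fullmatch(width):
        raise ValueError("width must be an integer between 1 and 9999")
    argv = ["echo", f"rendering width={width}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def safe_rejects(width: str) -> bool:
    try:
        export_graph_safe(width)
        return False
    except ValueError:
        return True


PAYLOAD = "10; echo INJECTED"  # constructed: a second command after the metacharacter
```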
Original reports: iedb.team_(at)_gmail.com, Wordpress all_in_one_carousel Plugin /XSS/CSRF/ Vuln (05.05.2014)
 iedb.team_(at)_gmail.com, Phpbb Forum Denial of Service Vulnerability (05.05.2014)
 rob.thomas_(at)_schmoozecom.com, [CVE-2014-1903] FreePBX 2.9 through 12 RCE (05.05.2014)
 iedb.team_(at)_gmail.com, Mybb All Version Denial of Service Vulnerability (05.05.2014)
 Pietro Oliva, Wordpress plugin Buddypress <= 1.9.1 stored xss vulnerability (05.05.2014)
 Pietro Oliva, Wordpress plugin Buddypress <= 1.9.1 privilege escalation vulnerability (05.05.2014)
 ISecAuditors Security Advisories, [ISecAuditors Security Advisories] - Reflected XSS vulnerability in Boxcryptor (www.boxcryptor.com) (05.05.2014)
 Aaron Zauner, Critical security flaws in Nagios NRPE client/server crypto (05.05.2014)
 no-reply_(at)_secureworks.com, [SWRX-2014-001] Open Web Analytics Pre-Auth SQL Injection (05.05.2014)
 iedb.team_(at)_gmail.com, phpMyBackupPro-2.4 Cross-Site Scripting vulnerability (05.05.2014)
 Eric Flokstra, [CVE-2014-2035] XSS in InterWorx Web Control Panel <= 5.0.12 (05.05.2014)
 MANDRIVA, [ MDVSA-2014:046 ] phpmyadmin (05.05.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-1223 - Cross-site Scripting in Telligent Evolution (05.05.2014)
 DEBIAN, [SECURITY] [DSA 2867-1] otrs2 security update (05.05.2014)
 l0om, Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher) (05.05.2014)
 larry0_(at)_me.com, Persistent XSS in Media File Renamer V1.7.0 wordpress plugin (05.05.2014)
 Pivotal Security Team, Update: CVE-2014-0053 Information Disclosure when using Grails (05.05.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-1216 - Remote Command Execution in Fitnesse Wiki (05.05.2014)
 iedb.team_(at)_gmail.com, WordPress thecotton Themes Remote File Upload Vulnerability (05.05.2014)
 Christian Catalano, [CVE-2013-6231] Remote Privilege Escalation in SpagoBI v4.0 (05.05.2014)
 Christian Catalano, [CVE-2013-6232] Persistent Cross-Site Scripting (XSS) in SpagoBI v4.0 (05.05.2014)
 Christian Catalano, [CVE-2013-6233] Persistent HTML Script Insertion permits offsite-bound forms in SpagoBI v4.0 (05.05.2014)
 Christian Catalano, [CVE-2013-6234] XSS File Upload in SpagoBI v4.0 (05.05.2014)
 Bartlomiej Balcerek, JOIDS (Java OpenID Server) multiple vulnerabilities (05.05.2014)
 contact_(at)_httpcs.com, [HTTPCS] ClanSphere 'where' Cross Site Scripting Vulnerability (05.05.2014)
 Alkeraithe_(at)_gmail.com, E-Store (1.0 & 2.0) <= SQL Injection Vulnerability (05.05.2014)
 Michael Wisniewski, Synology DSM4 Blind SQL Injection (05.05.2014)
 Pivotal Security Team, CVE-2014-1222 - Local File Inclusion in Vtiger CRM (05.05.2014)
 Pivotal Security Team, CVE-2014-2043 - SQL Injection in Procentia IntelliPen (05.05.2014)
 Pivotal Security Team, CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE) (05.05.2014)
 Pivotal Security Team, CVE-2014-0097 Spring Security Blank password may bypass user authentication (05.05.2014)
 Pivotal Security Team, CVE-2014-1904 XSS when using Spring MVC (05.05.2014)
 Eric Flokstra, [CVE-2014-2531] SQL injection in InterWorx Web Control Panel <= 5.0.13 (05.05.2014)
 RedTeam Pentesting, [RT-SA-2014-002] rexx Recruitment: Cross-Site Scripting in User Registration (05.05.2014)
 DEBIAN, [SECURITY] [DSA 2889-1] postfixadmin security update (05.05.2014)
 MANDRIVA, [ MDVSA-2014:054 ] otrs (05.05.2014)
 craig.arendt_(at)_stratumsecurity.com, Multiple Vulnerabilities in SeedDMS < = 4.3.3 (05.05.2014)
 MANDRIVA, [ MDVSA-2014:062 ] webmin (05.05.2014)
 DEBIAN, [SECURITY] [DSA 2882-1] extplorer security update (05.05.2014)
 Daniel C. Marques, CVE-2014-2570 - php-font-lib 0.3 www/make_subset.php Reflected Cross Site Scripting (05.05.2014)
 CERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-004] nagios vulnerability (05.05.2014)
 CERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga (05.05.2014)
 CERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti (05.05.2014)
 CERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140324-002] update140328 - vulnerabilities in check_mk (05.05.2014)
 MANDRIVA, [ MDVSA-2014:057 ] mediawiki (05.05.2014)
 Wesley Henrique Leite, Vulnerability in PHPFox v3.7.3, v3.7.4 and v3.7.5 all build [ CVE-2013-7195, CVE-2013-7196 ] (05.05.2014)
 tudor.enache_(at)_helpag.com, Pearson eSIS Enterprise Student Information System SQL Injection (05.05.2014)
 tudor.enache_(at)_helpag.com, Pearson eSIS Enterprise Student Information System Stored XSS (05.05.2014)
 MANDRIVA, [ MDVSA-2014:072 ] php-ZendFramework (05.05.2014)
 marduk369_(at)_gmail.com, Sendy 1.1.9.1 - SQL Injection Vulnerability (05.05.2014)
 Vulnerability Lab, Woltlab Burning Board 3.9.1 pl1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue (05.05.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod