Information Security

Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 10 May 2014
SecurityVulns ID: 13764
Danger level:
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: MEDIAWIKI : MediaWiki 1.22
 VMTURBO : VM Turbo Operations Manager 4.5
 BCSW : BSCW 5.0
 OFFIRA : Offiria 2.1
 SOAPPY : SOAPpy 0.12
 RUBY : Ruby on Rails 4.2
 DOVECOT : Dovecot 2.2
CVE: CVE-2014-3430 (Dovecot 1.1 before 2.2.13 and dovecot-ee before and 2.2.x before does not properly close old connections, which allows remote attackers to cause a denial of service (resource consumption) via an incomplete SSL/TLS handshake for an IMAP/POP3 connection.)
 CVE-2014-3243 (SOAPpy 0.12.5 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted SOAP request containing a large number of nested entity references.)
 CVE-2014-3242 (SOAPpy 0.12.5 allows remote attackers to read arbitrary files via a SOAP request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.)
 CVE-2014-3225 (Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.)
 CVE-2014-3146 (Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function.)
 CVE-2014-2989 (Cross-site request forgery (CSRF) vulnerability in Open Assessment Technologies TAO 2.5.6 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts via a request to Users/add.)
 CVE-2014-2689 (Cross-site scripting (XSS) vulnerability in Offiria 2.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to installer/index.php.)
 CVE-2014-2665 (includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account, as demonstrated by tracking the victim's activity, related to a "login CSRF" issue.)
 CVE-2014-2301 (OrbiTeam BSCW before 5.0.8 allows remote attackers to obtain sensitive metadata via the inf operations (op=inf) to an object in pub/bscw.cgi/.)
 CVE-2014-0130 (Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.)
Original text: REDHAT, [oss-security] CVE request: python-lxml clean_html() input sanitization flaw (10.05.2014)
 henri_(at)_nerv.fi, [oss-security] CVE request: Denial of Service attacks against Dovecot v1.1+ (10.05.2014)
 Dolev Farhi, [oss-security] CVE Request - Local File inclusion in Cobbler (10.05.2014)
 Rafael Mendonca Franca, [oss-security] Unsafe Query Risk in Active Record (10.05.2014)
 Rafael Mendonca Franca, [oss-security] [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route Configurations (10.05.2014)
 feer james, [oss-security] CVE Request ---- SOAPpy 0.12.5 Multiple Vulnerabilities (10.05.2014)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Offiria (10.05.2014)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in TAO (10.05.2014)
 RedTeam Pentesting, [RT-SA-2014-003] Metadata Information Disclosure in OrbiTeam BSCW (10.05.2014)
 Jamal Pecou, Directory Traversal Vulnerability in VMTurbo Operations Manager 4.5 or earlier (10.05.2014)
 MANDRIVA, [ MDVSA-2014:083 ] mediawiki (10.05.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod