Information Security


Multiple security vulnerabilities in Cisco Unified Computing System
Published: 6 May 2013
Source:
SecurityVulns ID: 13056
Type: remote
Severity: 8/10
Description: Buffer overflow, information leak, DoS conditions, authentication bypass.
Affected products: CISCO : Unified Computing System 6100
 CISCO : Unified Computing System 6200
CVE:CVE-2013-1186 (Cisco Unified Computing System (UCS) 1.x before 1.4(4) and 2.x before 2.0(2m) allows remote attackers to bypass KVM authentication via a crafted authentication request to a Cisco Integrated Management Controller (IMC), aka Bug ID CSCts53746.)
 CVE-2013-1185 (The web interface in the Manager component in Cisco Unified Computing System (UCS) 1.x and 2.x before 2.0(2m) allows remote attackers to obtain sensitive information by reading a (1) technical-support bundle file or (2) on-device configuration backup, aka Bug ID CSCtq86543.)
 CVE-2013-1184 (The management API in the XML API management service in the Manager component in Cisco Unified Computing System (UCS) 1.x before 1.2(1b) allows remote attackers to cause a denial of service (service outage) via a malformed request, aka Bug ID CSCtg48206.)
 CVE-2013-1183 (Buffer overflow in the Intelligent Platform Management Interface (IPMI) functionality in the Manager component in Cisco Unified Computing System (UCS) 1.0 and 1.1 before 1.1(1j) and 1.2 before 1.2(1b) allows remote attackers to execute arbitrary code via malformed data in a UDP packet, aka Bug ID CSCtd32371.)
 CVE-2013-1182 (The login page in the Web Console in the Manager component in Cisco Unified Computing System (UCS) before 1.0(2h), 1.1 before 1.1(1j), and 1.3(x) allows remote attackers to bypass LDAP authentication via a malformed request, aka Bug ID CSCtc91207.)
Files: Multiple Vulnerabilities in Cisco Unified Computing System

Code execution in Cisco Device Manager
Published: 6 May 2013
Source:
SecurityVulns ID: 13057
Type: remote
Severity: 5/10
Description: Code execution via JAR applications.
Affected products: CISCO : Cisco MDS 9000
 CISCO : Cisco Nexus 5000
CVE:CVE-2013-1192 (The JAR files on Cisco Device Manager for Cisco MDS 9000 devices before 5.2.8, and Cisco Device Manager for Cisco Nexus 5000 devices, allow remote attackers to execute arbitrary commands on Windows client machines via a crafted element-manager.jnlp file, aka Bug IDs CSCty17417 and CSCty10802.)
Files: Cisco Device Manager Command Execution Vulnerability

Code execution in OpenText/IXOS ECM for SAP NetWeaver
Published: 6 May 2013
Source:
SecurityVulns ID: 13058
Type: remote
Severity: 6/10
Description: ABAP code injection.
CVE:CVE-2013-3243 (Unspecified vulnerability in OpenText/IXOS ECM for SAP NetWeaver allows remote attackers to execute arbitrary ABAP code via unknown vectors.)
Original text: ESNC Security, [ESNC-2013-004] Remote ABAP Code Injection in OpenText/IXOS ECM for SAP NetWeaver (06.05.2013)

Protection bypass in Oracle Java / IBM Java
Published: 6 May 2013
Source:
SecurityVulns ID: 13059
Type: library
Severity: 7/10
Description: Sandbox escape via the Reflection API.
Affected products: ORACLE : JRE 1.7
Original text: Security Explorations, [SE-2012-01] New security vulnerabilities and broken fixes in IBM Java (06.05.2013)
 Security Explorations, [SE-2012-01] Yet another Reflection API flaw affecting Oracle's Java SE (06.05.2013)

Integer overflow in libarchive
Published: 6 May 2013
Source:
SecurityVulns ID: 13060
Type: library
Severity: 5/10
Description: An integer overflow during ZIP file creation leads to a buffer overflow.
Affected products: LIBARCHIVE : libarchive 3.0
CVE:CVE-2013-0211 (Integer signedness error in the archive_write_zip_data function in archive_write_set_format_zip.c in libarchive 3.1.2 and earlier, when running on 64-bit machines, allows context-dependent attackers to cause a denial of service (crash) via unspecified vectors, which triggers an improper conversion between unsigned and signed types, leading to a buffer overflow.)
Original text: MANDRIVA, [ MDVSA-2013:147 ] libarchive (06.05.2013)

Directory traversal in Dell EqualLogic
Published: 6 May 2013
Source:
SecurityVulns ID: 13062
Type: remote
Severity: 4/10
Description: System files can be accessed.
Affected products: DELL : EqualLogic PS6110X
Original text: ddivulnalert_(at)_ddifrontline.com, DDIVRT-2013-52 Dell EqualLogic PS6110X Directory Traversal (06.05.2013)

Protection bypass in OWASP WAF
Published: 6 May 2013
Source:
SecurityVulns ID: 13064
Type: remote
Severity: 3/10
Description: The protection can be bypassed using non-standard URL encodings.
Original text: safe3q_(at)_gmail.com, Report OWASP WAF Naxsi bypass Vulnerability (06.05.2013)

Multiple security vulnerabilities in Censornet Professional
Published: 6 May 2013
Source:
SecurityVulns ID: 13065
Type: remote
Severity: 5/10
Description: Cross-site scripting, SQL injection.
Affected products: CENSORNET : Censornet Professional 4
Original text: SEC Consult Vulnerability Lab, SEC Consult 20130404-0 :: Multiple Vulnerabilities in Censornet Professional v4 (2.1.7) (06.05.2013)

Buffer overflow in Huawei devices
Published: 6 May 2013
Source:
SecurityVulns ID: 13066
Type: remote
Severity: 5/10
Description: Multiple buffer overflows in the SNMPv3 daemon.
Affected products: HUAWEI : Huawei AR1220
 HUAWEI : Huawei AR 150
 HUAWEI : Huawei AR 200
 HUAWEI : Huawei AR 1200
 HUAWEI : Huawei AR 2200
 HUAWEI : Huawei AR 3200
Original text: roberto.paleari_(at)_emaze.net, Multiple buffer overflows on Huawei SNMPv3 service (06.05.2013)
Files: Huawei SNMPv3 service buffer overflow PoC
 Security Advisory-Overflow Vulnerabilities in SNMPv3
 Security Advisory-Stack Overflow Vulnerabilities in SNMPv3 debugging mode

Unauthorized access to D-Link DSL-320B
Published: 6 May 2013
Source:
SecurityVulns ID: 13067
Type: remote
Severity: 5/10
Description: The configuration file can be accessed without authentication.
Affected products: DLINK : D-Link DSL-320B
Original text: devnull_(at)_s3cur1ty.de, Multiple Vulnerabilities in D-Link DSL-320B (06.05.2013)

Outdated libraries in 3CX Phone
Published: 6 May 2013
Source:
SecurityVulns ID: 13068
Type: library
Severity: 5/10
Description: Outdated versions of OpenSSL and FFmpeg/FFdshow are used.
Affected products: 3CX : 3CX Phone 6
Original text: Stefan Kanthak, VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone 6 (06.05.2013)

Multiple security vulnerabilities in EMC RSA Archer
Published: 6 May 2013
Source:
SecurityVulns ID: 13069
Type: remote
Severity: 6/10
Description: Code execution, cross-site scripting, authorization bypass.
Affected products: EMC : RSA Archer GRC 5.3
CVE:CVE-2013-0934 (EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allows remote authenticated users to bypass intended access restrictions and modify global reports via unspecified vectors.)
 CVE-2013-0933 (Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2013-0932 (EMC RSA Archer 5.x before GRC 5.3SP1, and Archer Smart Suite Framework 4.x, allows remote authenticated users to bypass intended access restrictions and upload arbitrary files via unspecified vectors.)
Original text: EMC, ESA-2013-015: RSA Archer® GRC Multiple Vulnerabilities (06.05.2013)

Privilege escalation in Microsoft Antimalware
updated since 12 April 2013
Published: 6 May 2013
Source:
SecurityVulns ID: 13007
Type: local
Severity: 6/10
Description: Code execution in the context of the local system is possible.
Affected products: MICROSOFT : Windows 8
 MICROSOFT : Windows RT
CVE:CVE-2013-0078 (The Microsoft Antimalware Client in Windows Defender on Windows 8 and Windows RT uses an incorrect pathname for MsMpEng.exe, which allows local users to gain privileges via a crafted application, aka "Microsoft Antimalware Improper Pathname Vulnerability.")
Original text: Stefan Kanthak, Vulnerability in Microsoft Security Essentials <v4.2 (06.05.2013)
Files: Microsoft Security Bulletin MS13-034 - Important Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 6 May 2013
Source:
SecurityVulns ID: 13053
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leak, etc.
Affected products: WORDPRESS : Advanced XML Reader 0.3
 GETSIMPLE : GetSimple CMS 3.1
 B2EVOLUTION : b2evolution 4.1
 SNMPSOFT : Syslog Watcher Pro 2.8
 JOOMLA : Joomla 3.0
 ROUNDCUBE : RoundCube Webmail 0.8
 KRIMSONAV : KrisonAV CMS 3.0
 SOSCISURVEY : Sosci Survey 2.3
 MATRIX42 : Service Store 5.3
 OPENXCHANGE : Open-Xchange Server 6
 E107 : e107 1.0
 FUDFORUM : FUDforum 3.0
 SYMPHONY : Symphony 2.3
 ROYALTS : Royal TS 2.1
 ROYALTS : mRemote 1.50
 MAILORDERWORKS : MailOrderWorks 5.907
 WORDPRESS : podPress 8.8
 AWSDMS : AWS XMS 2.5
 ICINGA : icinga 1.7
 SYNCONNECT : SynConnect 2.0
 SMOKEPING : smokeping 2.6
 ZONEMINDER : zoneminder 1.25
 OPENCART : OpenCart 1.5
 APACHE : Rave 0.20
 APACHE : VCL 2.1
 APACHE : VCL 2.2
 APACHE : VCL 2.3
 VANILLAFORUMS : Vanilla Forums 2.0
 TINYWEBGALLERY : TinyWebGallery 1.8
 TYPO3 : typo3 4.5
 WORDPRESS : WordPress 3.3
 JOOMLA : Joomla 2.5
 XENFORO : XenForo 1.1
 JFORUM : jforum 2.1
 SWFUPLOAD : SWFUpload 2.2
 JWPLAYER : JW Player 5.10
 HORNBILL : Supportworks ITSM 1.0
 JPLAYER : jPlayer 2.2
 JPLAYER : jPlayer 2.3
 DOTCLEAR : Dotclear 2.4
 DOTCLEAR : Dotclear 2.5
 ZEROCLIPBOARD : ZeroClipboard 1.1
 PHPMYADMIN : phpmyadmin 3.5
 PHPMYADMIN : phpMyAdmin 4.0
CVE:CVE-2013-3242 (plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and cause a denial of service via unspecified vectors.)
 CVE-2013-3239 (phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.)
 CVE-2013-3238 (phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.)
 CVE-2013-2945 (SQL injection vulnerability in blogs/admin.php in b2evolution before 4.1.7 allows remote authenticated administrators to execute arbitrary SQL commands via the show_statuses[] parameter. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.)
 CVE-2013-2750 (Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.)
 CVE-2013-2714
 CVE-2013-2713 (Cross-site request forgery (CSRF) vulnerability in users_maint.html in KrisonAV CMS before 3.0.2 allows remote attackers to hijack the authentication of administrators for requests that create user accounts via a crafted request.)
 CVE-2013-2712 (Cross-site scripting (XSS) vulnerability in services/get_article.php in KrisonAV CMS before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter.)
 CVE-2013-2631
 CVE-2013-2594 (SQL injection vulnerability in reports/calldiary.php in Hornbill Supportworks ITSM 1.0.0 through 3.4.14 allows remote attackers to execute arbitrary SQL commands via the callref parameter.)
 CVE-2013-2582 (CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization of whitespace characters.)
 CVE-2013-2559 (SQL injection vulnerability in Symphony CMS before 2.3.2 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter to system/authors/. NOTE: this can be leveraged using CSRF to allow remote unauthenticated attackers to execute arbitrary SQL commands.)
 CVE-2013-2504 (Cross-site scripting (XSS) vulnerability in SPS/Portal/default.aspx in Service Desk in Matrix42 Service Store 5.3 SP3 (aka 5.33.946.0) allows remote attackers to inject arbitrary web script or HTML via the query string.)
 CVE-2013-2474
 CVE-2013-2267
 CVE-2013-1904 (Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013.)
 CVE-2013-1843 (Open redirect vulnerability in the Access tracking mechanism in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.)
 CVE-2013-1842 (SQL injection vulnerability in the Extbase Framework in TYPO3 4.5.x before 4.5.24, 4.6.x before 4.6.17, 4.7.x before 4.7.9, and 6.0.x before 6.0.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to "the Query Object Model and relation values.")
 CVE-2013-1814 (The users/get program in the User RPC API in Apache Rave 0.11 through 0.20 allows remote authenticated users to obtain sensitive information about all user accounts via the offset parameter, as demonstrated by discovering password hashes in the password field of a response.)
 CVE-2013-1420
 CVE-2013-0332 (Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter.)
 CVE-2013-0232 (includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.)
 CVE-2012-6096 (Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long (1) host_name variable (host parameter) or (2) svc_description variable.)
 CVE-2012-0790 (Cross-site scripting (XSS) vulnerability in smokeping_cgi in Smokeping 2.4.2, 2.6.6, and other versions before 2.6.7 allows remote attackers to inject arbitrary web script or HTML via the displaymode parameter.)
Original text: APACHE, Apache VCL improper input validation (06.05.2013)
 APACHE, [CVE-2013-1814] Apache Rave exposes User over API (06.05.2013)
 SEC Consult Vulnerability Lab, SEC Consult SA-20130311-0 :: Persistent cross-site scripting in jforum (06.05.2013)
 ISecAuditors Security Advisories, [ISecAuditors Security Advisories] Reflected XSS in Asteriskguru Queue Statistics (06.05.2013)
 Janek Vind, [waraxe-2013-SA#098] - Directory Traversal Vulnerabilities in OpenCart 1.5.5.1 (06.05.2013)
 OPENXCHANGE, Open-Xchange Security Advisory 2013-03-13 (06.05.2013)
 DEBIAN, [SECURITY] [DSA 2640-1] zoneminder security update (06.05.2013)
 DEBIAN, [SECURITY] [DSA 2646-1] typo3-src security update (06.05.2013)
 DEBIAN, [SECURITY] [DSA 2651-1] smokeping security update (06.05.2013)
 bhadresh.k.patel_(at)_cyberoam.com, SynConnect PMS SQL Injection Vulnerability (06.05.2013)
 DEBIAN, [SECURITY] [DSA 2653-1] icinga security update (06.05.2013)
 High-Tech Bridge Security Research, Path Traversal in AWS XMS (06.05.2013)
 hip_(at)_insight-labs.org, WordPress podPress Plugin XSS in SWF (06.05.2013)
 Vulnerability Lab, MailOrderWorks v5.907 - Multiple Web Vulnerabilities (06.05.2013)
 Janek Vind, [waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50 (06.05.2013)
 Janek Vind, [waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5 (06.05.2013)
 High-Tech Bridge Security Research, SQL Injection Vulnerability in Symphony (06.05.2013)
 High-Tech Bridge Security Research, PHP Code Injection in FUDforum (06.05.2013)
 Simon Bieber, TC-SA-2013-01: Reflected Cross-Site-Scripting (XSS) vulnerability in e107 CMS v1.0.2 (06.05.2013)
 mschratt_(at)_mfs-enterprise.com, Vanilla Forums 2.0.18 / SQL-Injection / Insert arbitrary user & dump usertable (06.05.2013)
 ISecAuditors Security Advisories, [ISecAuditors Security Advisories] Multiple Full Path Disclosure Vulnerabilities in TinyWebGallery <= v1.8.9 (06.05.2013)
 Janek Vind, [waraxe-2013-SA#102] - Reflected XSS in phpMyAdmin 3.5.7 (06.05.2013)
 OPENXCHANGE, Open-Xchange Security Advisory 2013-04-17 (06.05.2013)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in KrisonAV CMS (06.05.2013)
 SEC Consult Vulnerability Lab, SEC Consult 20130417-0 :: Multiple vulnerabilities in Sosci Survey (06.05.2013)
 43z sec, CVE-2013-2504 : Matrix42 Service Desk XSS (06.05.2013)
 Michal Blaszczak, [SQLi] vBilling for FreeSWITCH (06.05.2013)
 MANDRIVA, [ MDVSA-2013:149 ] roundcubemail (06.05.2013)
 Janek Vind, [waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin (06.05.2013)
 Egidio Romano, [KIS-2013-04] Joomla! <= 3.0.3 (remember.php) PHP Object Injection Vulnerability (06.05.2013)
 demonalex_(at)_163.com, Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability (06.05.2013)
 High-Tech Bridge Security Research, SQL Injection in b2evolution (06.05.2013)
 High-Tech Bridge Security Research, Multiple Cross-Site Scripting (XSS) vulnerabilities in GetSimple CMS (06.05.2013)
 MANDRIVA, [ MDVSA-2013:160 ] phpmyadmin (06.05.2013)
 admin_(at)_elites0ft.com, WordPress Plugin: Advanced XML Reader v0.3.4 XXE Vulnerability (06.05.2013)
 MustLive, Vulnerabilities in SWFUpload in multiple web applications: WordPress, Dotclear, InstantCMS, AionWeb and others (06.05.2013)
 MustLive, XSS vulnerabilities in ZeroClipboard and multiple web applications (06.05.2013)
 MustLive, XSS vulnerabilities in ZeroClipboard in multiple plugins for WordPress (06.05.2013)
 MustLive, XSS and FPD vulnerabilities in ZeroClipboard in multiple themes for WordPress (06.05.2013)
 MustLive, XSS and CS vulnerabilities in Dotclear (06.05.2013)
 MustLive, Vulnerabilities in AI-Bolit (06.05.2013)
 MustLive, Multiple vulnerabilities in Colormix theme for WordPress (06.05.2013)
 MustLive, Vulnerabilities in jPlayer (06.05.2013)
 MustLive, Vulnerabilities in multiple plugins for WordPress with jPlayer (06.05.2013)
 MustLive, Vulnerabilities in multiple themes for WordPress with jPlayer (06.05.2013)
 research_(at)_reactionis.co.uk, hornbill supportworks SQL injection (06.05.2013)
 X-Cisadane, Site by Webrevelation SQL Injection Vulnerability (06.05.2013)
 MustLive, XSS vulnerability in JW Player and JW Player Pro (06.05.2013)

Cross-site scripting in HP Managed Printing Administration
Published: 6 May 2013
Source:
SecurityVulns ID: 13054
Type: remote
Severity: 5/10
Affected products: HP : Managed Printing Administration 2.6
CVE:CVE-2012-5219 (Cross-site scripting (XSS) vulnerability in HP Managed Printing Administration (MPA) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original text: HP, [security bulletin] HPSBPI02868 SSRT101017 rev.1 - HP Managed Printing Administration (MPA), Remote Cross Site Scripting (XSS) (06.05.2013)

Unauthorized access to various HP printing devices
Published: 6 May 2013
Source:
SecurityVulns ID: 13055
Type: remote
Severity: 5/10
Description: Files on the device can be accessed.
Affected products: HP : LaserJet 4250
 HP : LaserJet 4350
 HP : LaserJet 9040
 HP : Color LaserJet CP3525
 HP : LaserJet P3015
 HP : Color LaserJet CM6030
 HP : Color LaserJet CM6040
 HP : Color LaserJet CP4025
 HP : Color LaserJet CP4525
 HP : Color LaserJet CP6015
 HP : LaserJet P4014
 HP : LaserJet P4015
 HP : LaserJet P4515
 HP : Color LaserJet 3000
 HP : Color LaserJet 3800
 HP : Color LaserJet 4700
 HP : Color LaserJet 4730
 HP : Color LaserJet 5550
 HP : Color LaserJet 9500
 HP : Color LaserJet CP3505
 HP : Color LaserJet CP4005
 HP : LaserJet 4240
 HP : LaserJet 4345
 HP : LaserJet 5200
 HP : LaserJet 9050
 HP : LaserJet M3027
 HP : LaserJet M3035
 HP : LaserJet M4345
 HP : LaserJet M5025
 HP : LaserJet M5035
 HP : LaserJet M9040
 HP : LaserJet M9050
 HP : LaserJet P3005
CVE:CVE-2012-5221 (Unspecified vulnerability on the HP LaserJet 4xxx, 5200, 90xx, M30xx, M4345, M50xx, M90xx, P3005, and P4xxx; LaserJet Enterprise P3015; Color LaserJet 3xxx, 47xx, 5550, 9500, CM60xx, CP35xx, CP4005, and CP6015; Color LaserJet Enterprise CP4xxx; and 9250c Digital Sender with model-dependent firmware through 52.x allows remote attackers to read arbitrary files via unknown vectors.)
Original text: HP, [security bulletin] HPSBPI02869 SSRT100936 rev.1 - HP LaserJet MFP Printers, HP Color LaserJet MFP Printers, Certain HP LaserJet Printers, Remote Unauthorized Access to Files (06.05.2013)

Security vulnerabilities in HAProxy
updated since 6 May 2013
Published: 1 July 2013
Source:
SecurityVulns ID: 13061
Type: remote
Severity: 6/10
Description: Multiple memory corruptions.
Affected products: HAPROXY : haproxy 1.4
 HAPROXY : haproxy 1.5
CVE:CVE-2013-2175 (HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable.)
 CVE-2013-1912 (Buffer overflow in HAProxy 1.4 through 1.4.22 and 1.5-dev through 1.5-dev17, when HTTP keep-alive is enabled, using HTTP keywords in TCP inspection rules, and running with rewrite rules that appends to requests, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted pipelined HTTP requests that prevent request realignment from occurring.)
 CVE-2012-2942 (Buffer overflow in the trash buffer in the header capture functionality in HAProxy before 1.4.21, when global.tune.bufsize is set to a value greater than the default and header rewriting is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors.)
Original text: UBUNTU, [USN-1889-1] HAProxy vulnerability (01.07.2013)
 UBUNTU, [USN-1800-1] HAProxy vulnerabilities (06.05.2013)

Security vulnerabilities in various Ruby Gems
updated since 6 May 2013
Published: 12 August 2013
Source:
SecurityVulns ID: 13063
Type: library
Severity: 5/10
Description: Vulnerabilities in various libraries.
Affected products: RUBY : Ruby Gem kelredd-pruview 0.3
 RUBY : Ruby Gem ldoce 0.0
 RUBY : Ruby Gem fastreader 1.0
 RUBY : Ruby Gem ftpd 0.2
 RUBY : Ruby gem Rgpg 0.2
CVE:CVE-2013-4203 (The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.)
Original text: larry0_(at)_me.com, Rgpg 0.2.2 Ruby Gem Remote Command Injection (12.08.2013)
 larry0_(at)_me.com, Remote command execution for Ruby Gem ftpd-0.2.1 (06.05.2013)
 larry0_(at)_me.com, Curl Ruby Gem Remote command execution (06.05.2013)
 larry0_(at)_me.com, MiniMagic ruby gem remote code execution (06.05.2013)
 larry0_(at)_me.com, Remote command execution in fastreader ruby gem (06.05.2013)
 larry0_(at)_me.com, Remote command execution in Ruby Gem Command Wrap (06.05.2013)
 larry0_(at)_me.com, Remote command execution in Ruby Gem ldoce 0.0.2 (06.05.2013)
 larry0_(at)_me.com, Remote command injection in Ruby Gem kelredd-pruview 0.3.8 (06.05.2013)

About the site | Terms of use
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod