Information Security


Security vulnerabilities in HP Business Availability Center
Published: 7 September 2012
Source:
SecurityVulns ID: 12578
Type: remote
Severity level: 5/10
Description: cross-site scripting, request forgery, session hijacking.
Affected products: HP : Business Availability Center 8.07
CVE: CVE-2012-3257 (HP Business Availability Center (BAC) 8.07 allows remote authenticated users to hijack web sessions via unspecified vectors.)
 CVE-2012-3256 (Cross-site request forgery (CSRF) vulnerability in HP Business Availability Center (BAC) 8.07 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.)
 CVE-2012-3255 (Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 8.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original text: HP, [security bulletin] HPSBMU02811 SSRT100937 rev.1 - HP Business Availability Center (BAC) Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Web Session Hijacking (07.09.2012)

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 7 September 2012
Source:
SecurityVulns ID: 12579
Type: remote
Severity level: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: ZABBIX : Zabbix 1.8
 APACHE : Wicket 1.4
 TESTLINK : TestLink 1.9
 APACHE : Wicket 1.5
 FLOGR : Flogr 2.5
 MOIN : Moin 1.9
 KAYAKO : Kayako Fusion 4.40
 EKTRON : Ektron CMS 8.5
 EFRONT : eFront Enterprise 3.6
 ESJOBSEARCH : ES Job Search Engine 3.0
 EFRONT : eFront Educational 3.6
 ADMIDIO : Admidio 2.3
CVE: CVE-2012-4404 (security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.)
 CVE-2012-4336 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) an arbitrary parameter.)
 CVE-2012-3435 (SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.)
 CVE-2012-3373 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.)
 CVE-2012-3233 (Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php in Kayako Fusion 4.40.1148, and possibly before 4.50.1581, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.)
 CVE-2012-2275 (Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php.)
Original text: sschurtz_(at)_darksecurity.de, Admidio 2.3.5 Multiple security vulnerabilities (07.09.2012)
 Joseph Sheridan, Group-Office Calendar SQL Injection (07.09.2012)
 Vulnerability Lab, eFront Educational v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 Vulnerability Lab, ES Job Search Engine v3.0 - SQL injection vulnerability (07.09.2012)
 Vulnerability Lab, eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 lists_(at)_senseofsecurity.com, Ektron CMS - Multiple Vulnerabilities - Security Advisory - SOS-12-009 (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) Vulnerabilities in Flogr (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Kayako Fusion (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in TestLink (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2538-1] moin security update (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2539-1] zabbix security update (07.09.2012)
 cmenzel_(at)_wicketbuch.de, [CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter (07.09.2012)

Unauthorized access to QNAP Turbo NAS
Published: 7 September 2012
Source:
SecurityVulns ID: 12580
Type: remote
Severity level: 4/10
Description: file manipulation via an absolute path is possible.
Affected products: QNAP : Turbo NAS
Original text: Andrea Fabrizi, QNAP Turbo NAS Multiple Path Injection (07.09.2012)

Privilege escalation in VMWare Tools
Published: 7 September 2012
Source:
SecurityVulns ID: 12581
Type: local
Severity level: 4/10
Description: code execution via DLL substitution is possible.
Affected products: VMWARE : ESX 4.1
 VMWARE : VMWare Fusion 4.1
 VMWARE : VMWare Player 4.0
 VMWARE : VMWare Workstation 8.0
 VMWARE : VMware View 5.1
 VMWARE : ESX 5.0
CVE: CVE-2012-1666 (Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMware Fusion before 4.1.2, VMware View before 5.1, and VMware ESX 4.1 before U3 and 5.0 before P03 allows local users to gain privileges via a Trojan horse tpfc.dll file in the current working directory.)
Original text: moshez_(at)_comsecglobal.com, VMWare Tools susceptible to binary planting by hijack (07.09.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod