Information security


Multiple security vulnerabilities in Cisco Unified Customer Voice Portal
Published: 10 May 2013
Source:
SecurityVulns ID: 13074
Type: remote
Severity: 7/10
Description: DoS, privilege escalation, code execution, file access.
Affected products: CISCO : Cisco Unified Customer Voice Portal 9.0
CVE: CVE-2013-1225 (Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366.)
 CVE-2013-1224 (Directory traversal vulnerability in the Resource Manager in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to overwrite arbitrary files via a crafted (1) HTTP or (2) HTTPS request that triggers incorrect parameter validation, aka Bug ID CSCub38369.)
 CVE-2013-1223 (The log viewer in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly validate an unspecified parameter, which allows remote attackers to read arbitrary files via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38372.)
 CVE-2013-1222 (The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to launch arbitrary custom web applications via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38379.)
 CVE-2013-1221 (The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38384.)
 CVE-2013-1220 (The CallServer component in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages, aka Bug ID CSCua65148.)
Files: Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 10 May 2013
Source:
SecurityVulns ID: 13075
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information disclosure, etc.
Affected products: UMISOFT : UMI.CMS 2.9
 VIDEOJS : VideoJS 3.0
 VIDEOJS : VideoJS 4.0
 VIDEOJS : Video.js for Drupal 2.2
 VIDEOJS : bo:VideoJS for Joomla 2.1
 TELEMETA : Telemeta 1.4
 NETAPP : OnCommand System Manager 2.1
 ACTUATE : Actuate 10
CVE: CVE-2013-3322
 CVE-2013-3321
 CVE-2013-3320
 CVE-2013-2754 (Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.)
Original text: divulnalert_(at)_ddifrontline.com, DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities (10.05.2013)
 SEC Consult Vulnerability Lab, SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager (10.05.2013)
 MustLive, Vulnerabilities in multiple web applications with VideoJS (10.05.2013)
 MustLive, Vulnerabilities in VideoJS (10.05.2013)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in UMI.CMS (10.05.2013)

Insufficient certificate validation in telepathy-idle
Published: 10 May 2013
Source:
SecurityVulns ID: 13076
Type: m-i-t-m
Severity: 5/10
Description: The server certificate is not verified.
Affected products: TELEPATHYIDLE : telepathy-idle
CVE: CVE-2007-6746 (telepathy-idle before 0.1.15 does not verify (1) that the issuer is a trusted CA, (2) that the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.)
Original text: UBUNTU, [USN-1821-1] telepathy-idle vulnerability (10.05.2013)

Privilege escalation in Fujitsu laptops
Published: 10 May 2013
Source:
SecurityVulns ID: 13077
Type: local
Severity: 5/10
Description: Untrusted path to executable files.
Original text: Stefan Kanthak, Re: Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued] (10.05.2013)
 Stefan Kanthak, Vulnerability in "Fujitsu Desktop Update" (for Windows) (10.05.2013)

Multiple security vulnerabilities in EMC Documentum
Published: 10 May 2013
Source:
SecurityVulns ID: 13078
Type: remote
Severity: 5/10
Description: Session hijacking, cross-site scripting.
Affected products: EMC : Documentum 6.7
CVE: CVE-2013-0939 (EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue.)
 CVE-2013-0938 (Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2013-0937 (Session fixation vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to hijack web sessions via unspecified vectors.)
Original text: EMC, ESA-2013-021: EMC Documentum Multiple Vulnerabilities (10.05.2013)

Buffer overflow in EMC AlphaStor
Published: 10 May 2013
Source:
SecurityVulns ID: 13079
Type: remote
Severity: 6/10
Description: Buffer overflow when parsing commands in the AlphaStor Library Control Program.
Affected products: EMC : AlphaStor 4.0
CVE: CVE-2013-0946 (Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.)
Original text: EMC, ESA-2013-037: EMC AlphaStor Buffer Overflow Vulnerability (10.05.2013)

Security vulnerabilities in Apache Tomcat
Published: 10 May 2013
Source:
SecurityVulns ID: 13080
Type: remote
Severity: 6/10
Description: DoS, session hijacking, information disclosure.
Affected products: APACHE : Tomcat 6.0
 APACHE : Tomcat 7.0
CVE: CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.)
 CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.)
 CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.)
Original text: APACHE, CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException (10.05.2013)
 APACHE, [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator (10.05.2013)
 APACHE, [SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited (10.05.2013)

Cross-site scripting in EMC RSA Authentication Agent
Published: 10 May 2013
Source:
SecurityVulns ID: 13081
Type: remote
Severity: 5/10
Affected products: EMC : RSA Authentication Agent 7.1
CVE: CVE-2013-0942 (Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original text: EMC, ESA-2013-031: RSA® Authentication Agent Cross-Site Scripting (XSS) Vulnerability (10.05.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod