Информационная безопасность
[RU] switch to English


Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12828
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:TINYMCE : TinyBrowser 1.33
 WORDPRESS : Floating Tweets 1.0
 PRIZM : Prizm Content Connect 5.1
 APACHE : CouchDB 1.2
CVE:CVE-2012-5650 (Cross-site scripting (XSS) vulnerability in the Futon UI in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.)
 CVE-2012-5649 (Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1 allows remote attackers to execute arbitrary code via a JSONP callback, related to Adobe Flash.)
 CVE-2012-5641 (Directory traversal vulnerability in the partition2 function in mochiweb_util.erl in MochiWeb before 2.4.0, as used in Apache CouchDB before 1.0.4, 1.1.x before 1.1.2, and 1.2.x before 1.2.1, allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the default URI.)
 CVE-2012-5190
Оригинальный текстdocumentAPACHE, CVE-2012-5649 Apache CouchDB JSONP arbitrary code execution with Adobe Flash (14.01.2013)
 documentAPACHE, CVE-2012-5650 Apache CouchDB DOM based Cross-Site Scripting via Futon UI (14.01.2013)
 documentAPACHE, CVE-2012-5641 Apache CouchDB Information disclosure via unescaped backslashes in URLs on Windows (14.01.2013)
 documentMustLive, IL, XSS, FPD, AoF, DoS, AFU vulnerabilities in Daily Edition Mouss theme for WordPress (14.01.2013)
 documentresearch_(at)_includesecurity.com, Arbitrary File Upload and Code Execution in Accusoft Prizm Content Connect (14.01.2013)
 documentSBV Research, OrangeHRM 2.7.1 Vacancy Name Persistent XSS (14.01.2013)
 documentMustLive, Multiple vulnerabilities in Floating Tweets for WordPress (14.01.2013)
 documentMustLive, Multiple vulnerabilities in TinyBrowser (14.01.2013)

Несанкционированный доступ к маршрутизаторам Cisco Linksys
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12829
Тип:удаленная
Уровень опасности:
5/10
Оригинальный текстdocumentdefensecode_(at)_defensecode.com, DefenseCode Security Advisory (UPCOMING): Cisco Linksys Remote Preauth 0day Root Exploit (14.01.2013)

DoS против HP ServiceGuard
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12830
Тип:удаленная
Уровень опасности:
5/10
Затронутые продукты:HP : ServiceGuard 11.20
CVE:CVE-2012-3252 (Unspecified vulnerability in HP Serviceguard A.11.19 and A.11.20 allows remote attackers to cause a denial of service via unknown vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBMU02838 SSRT100789 rev.1 - HP Serviceguard on Linux, Remote Denial of Service (DoS) (14.01.2013)

Многочисленные уязвимости безопасности в Adobe ColdFusion
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12831
Тип:удаленная
Уровень опасности:
8/10
Описание:Обход аутентификации, повышение привилегий, утечка информации
Затронутые продукты:ADOBE : ColdFusion 9.0
CVE:CVE-2013-0632 (Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.)
 CVE-2013-0631 (Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sensitive information via unspecified vectors, as exploited in the wild in January 2013.)
 CVE-2013-0629 (Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013.)
 CVE-2013-0625 (Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.)

Повреждение памяти в Adobe Flash Player
дополнено с 5 января 2013 г.
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12815
Тип:клиент
Уровень опасности:
7/10
Описание:Повреждение памяти при разборе SWF
Затронутые продукты:ADOBE : Flash Player 10.3
 ADOBE : Flash Player 11.4
 ADOBE : AIR 3.5
CVE:CVE-2013-0630 (Buffer overflow in Adobe Flash Player before 10.3.183.50 and 11.x before 11.5.502.146 on Windows and Mac OS X, before 10.3.183.50 and 11.x before 11.2.202.261 on Linux, before 11.1.111.31 on Android 2.x and 3.x, and before 11.1.115.36 on Android 4.x; Adobe AIR before 3.5.0.1060; and Adobe AIR SDK before 3.5.0.1060 allows attackers to execute arbitrary code via unspecified vectors.)
Оригинальный текстdocumentMustLive, DoS vulnerability in Flash player (access violation) (05.01.2013)
Файлы:Security updates available for Adobe Flash Player

Многочисленные уязвимости безопасности в Adobe Reader / Acrobat
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12832
Тип:клиент
Уровень опасности:
8/10
Описание:Многочисленные повреждения памяти, переполнения буфера, переполнения целочисленных типов, повышения привилегий, выполнения кода.
CVE:CVE-2013-0627 (Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows local users to gain privileges via unknown vectors.)
 CVE-2013-0626 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0610.)
 CVE-2013-0624 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2013-0622.)
 CVE-2013-0623 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, and CVE-2013-0620.)
 CVE-2013-0622 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2013-0624.)
 CVE-2013-0621 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, and CVE-2013-0617.)
 CVE-2013-0620 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, and CVE-2013-0623.)
 CVE-2013-0619 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0620, and CVE-2013-0623.)
 CVE-2013-0618 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error," a different vulnerability than CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, and CVE-2013-0614.)
 CVE-2013-0617 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0606, CVE-2013-0612, CVE-2013-0615, and CVE-2013-0621.)
 CVE-2013-0616 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0605, CVE-2013-0619, CVE-2013-0620, and CVE-2013-0623.)
 CVE-2013-0615 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0606, CVE-2013-0612, CVE-2013-0617, and CVE-2013-0621.)
 CVE-2013-0614 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error," a different vulnerability than CVE-2013-0607, CVE-2013-0608, CVE-2013-0611, and CVE-2013-0618.)
 CVE-2013-0613 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0609.)
 CVE-2013-0612 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0606, CVE-2013-0615, CVE-2013-0617, and CVE-2013-0621.)
 CVE-2013-0611 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error," a different vulnerability than CVE-2013-0607, CVE-2013-0608, CVE-2013-0614, and CVE-2013-0618.)
 CVE-2013-0610 (Stack-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0626.)
 CVE-2013-0609 (Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0613.)
 CVE-2013-0608 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error," a different vulnerability than CVE-2013-0607, CVE-2013-0611, CVE-2013-0614, and CVE-2013-0618.)
 CVE-2013-0607 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code via unspecified vectors, related to a "logic error," a different vulnerability than CVE-2013-0608, CVE-2013-0611, CVE-2013-0614, and CVE-2013-0618.)
 CVE-2013-0606 (Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0612, CVE-2013-0615, CVE-2013-0617, and CVE-2013-0621.)
 CVE-2013-0605 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0601, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, and CVE-2013-0623.)
 CVE-2013-0604 (Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0603.)
 CVE-2013-0603 (Heap-based buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-0604.)
 CVE-2013-0602 (Use-after-free vulnerability in Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allows attackers to execute arbitrary code via unspecified vectors.)
 CVE-2013-0601 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-1530, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, and CVE-2013-0623.)
 CVE-2012-1530 (Adobe Reader and Acrobat 9.x before 9.5.3, 10.x before 10.1.5, and 11.x before 11.0.1 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-0601, CVE-2013-0605, CVE-2013-0616, CVE-2013-0619, CVE-2013-0620, and CVE-2013-0623.)
Файлы:Security updates for Adobe Reader and Acrobat

Проблема символьных линков в ProFTPd
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12833
Тип:локальная
Уровень опасности:
5/10
Затронутые продукты:PROFTPD : ProFTPD 1.3
CVE:CVE-2012-6095 (ProFTPD before 1.3.5rc1, when using the UserOwner directive, allows local users to modify the ownership of arbitrary files via a race condition and a symlink attack on the (1) MKD or (2) XMKD commands.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 2606-1] proftpd-dfsg security update (14.01.2013)

Уязвимости безопасности в FreeType
Опубликовано:14 января 2013 г.
Источник:
SecurityVulns ID:12834
Тип:библиотека
Уровень опасности:
6/10
Описание:Различные уязвимости при разборе шрифтов BDF.
Затронутые продукты:FREETYPE : FreeType 2.4
CVE:CVE-2012-5670 (The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.)
 CVE-2012-5669 (The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.)
 CVE-2012-5668 (FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.)
Оригинальный текстdocumentUBUNTU, [USN-1686-1] FreeType vulnerabilities (14.01.2013)

0-day уязвимость в Oracle Java используется для установки вредоносного кода
дополнено с 14 января 2013 г.
Опубликовано:21 января 2013 г.
Источник:
SecurityVulns ID:12827
Тип:клиент
Уровень опасности:
9/10
Описание:Апплет может дать разрешения самому себе.
Затронутые продукты:ORACLE : JDK 7
 ORACLE : JRE 7
CVE:CVE-2013-0422 (Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114. CVE-2013-0422 covers both the JMX/MBean and Reflection API issues. NOTE: it was )
Оригинальный текстdocumentSecurity Explorations, [SE-2012-01] Java 7 Update 11 confirmed to be vulnerable (21.01.2013)
 documentSecurity Explorations, [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code (14.01.2013)
 documentCERT, US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability (14.01.2013)
Файлы:SE-2012-01 Details

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород