Information Security


Cross-site scripting in F5 BIG-IP Application Security Manager
Published: January 14, 2015
Source:
SecurityVulns ID: 14208
Type: remote
Severity: 2/10
Description: self-XSS.
Original text: Peter Lapp, [Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager (14.01.2015)

Multiple vulnerabilities in snom IP phones
Published: January 14, 2015
Source:
SecurityVulns ID: 14209
Type: remote
Severity: 5/10
Description: Cross-site scripting, directory traversal, privilege escalation, code execution, authentication bypass, CSRF, unauthorized access, backdoors.
Original text: SEC Consult Vulnerability Lab, SEC Consult SA-20150113-0 :: Multiple critical vulnerabilities in all snom desktop IP phones (14.01.2015)

DoS against Apache qpid
Published: January 14, 2015
Source:
SecurityVulns ID: 14210
Type: remote
Severity: 5/10
Description: Multiple assert() failures.
CVE: CVE-2015-0203
Original text: APACHE, CVE-2015-0203: Apache Qpid's qpidd can be crashed by authenticated user (14.01.2015)

Multiple security vulnerabilities in Microsoft Windows
Published: January 14, 2015
Source:
SecurityVulns ID: 14211
Type: library
Severity: 8/10
Description: Multiple vulnerabilities in Microsoft Internet Explorer, code execution in the VBScript Scripting Engine, information disclosure when processing JPEG images.
Affected products: MICROSOFT : Windows Vista
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows 2012 Server
CVE: CVE-2014-8966 (Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6376 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6329.)
 CVE-2014-6375 (Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6374 (Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6373 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6369 (Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6368 (Microsoft Internet Explorer 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability.")
 CVE-2014-6366 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6365 (Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6328.)
 CVE-2014-6363 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability.")
 CVE-2014-6355 (The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability.")
 CVE-2014-6330 (Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6329 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6376.)
 CVE-2014-6328 (Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6365.)
 CVE-2014-6327 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6329 and CVE-2014-6376.)
Files: Microsoft Security Bulletin MS14-080 - Critical Cumulative Security Update for Internet Explorer (3008923)
  Microsoft Security Bulletin MS14-084 - Critical Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
  Microsoft Security Bulletin MS14-085 - Important Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)

Multiple security vulnerabilities in Microsoft Office
Published: January 14, 2015
Source:
SecurityVulns ID: 14212
Type: client
Severity: 8/10
Description: Memory corruption, array index overflow, use-after-free, uninitialized pointers.
Affected products: MICROSOFT : Office 2007
 MICROSOFT : Office 2012
 MICROSOFT : Office 2010
 MICROSOFT : Office 2013
CVE: CVE-2014-6364 (Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability.")
 CVE-2014-6361 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 Gold and SP1, Excel 2013 RT Gold and SP1, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Excel Invalid Pointer Remote Code Execution Vulnerability.")
 CVE-2014-6360 (Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Global Free Remote Code Execution in Excel Vulnerability.")
 CVE-2014-6357 (Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 Gold and SP1, Office 2013 RT Gold and SP1, Office for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 Gold and SP1, and Office Web Apps 2010 SP2 and 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Use After Free Word Remote Code Execution Vulnerability.")
 CVE-2014-6356 (Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Invalid Index Remote Code Execution Vulnerability.")
Files: Microsoft Security Bulletin MS14-081 - Critical Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
  Microsoft Security Bulletin MS14-082 - Important Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
  Microsoft Security Bulletin MS14-083 - Important Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)

Cross-site scripting in Kodi / XBMC
Published: January 14, 2015
Source:
SecurityVulns ID: 14213
Type: remote
Severity: 5/10
Description: Cross-site scripting in the web interface.
Affected products: KODI : Kodi 14.0
Original text: SEC Consult Vulnerability Lab, SEC Consult SA-20150113-2 :: Cross-Site Request Forgery in XBMC / Kodi (14.01.2015)

Information disclosure in HP Insight Control server deployment
Published: January 14, 2015
Source:
SecurityVulns ID: 14214
Type: remote
Severity: 5/10
CVE: CVE-2014-7881 (Cross-site scripting (XSS) vulnerability in the server in HP Insight Control allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original text: HP, [security bulletin] HPSBMU03230 rev.1 - HP Insight Control server deployment Remote Disclosure of Information (14.01.2015)

Multiple security vulnerabilities in GNU binutils
Published: January 14, 2015
Source:
SecurityVulns ID: 14215
Type: library
Severity: 6/10
Description: Multiple memory corruptions.
Affected products: GNU : binutils 2.25
CVE: CVE-2014-8738 (The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.)
 CVE-2014-8737 (Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.)
 CVE-2014-8504 (Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.)
 CVE-2014-8503 (Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.)
 CVE-2014-8502 (Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.)
 CVE-2014-8501 (The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.)
 CVE-2014-8485 (The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.)
 CVE-2014-8484 (The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.)
Original text: DEBIAN, [SECURITY] [DSA 3123-2] binutils-mingw-w64 security update (14.01.2015)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod