Information Security


DoS against file/fileinfo/PHP
Published: 14 June 2014
Source:
SecurityVulns ID: 13826
Type: library
Severity: 5/10
Description: Resource exhaustion and infinite loop when parsing CDF files.
Affected products: PHP : PHP 5.5
CVE:CVE-2014-3710 (The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.)
 CVE-2014-0238 (The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.)
 CVE-2014-0237 (The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.)
Original text: MANDRIVA, [ MDVSA-2014:116 ] file (14.06.2014)

DoS against squid
Published: 14 June 2014
Source:
SecurityVulns ID: 13827
Type: remote
Severity: 6/10
Description: DoS via a Range: request when SSL-Bump is enabled.
Affected products: SQUID : squid 3.4
CVE:CVE-2014-0128 (Squid 3.1 before 3.3.12 and 3.4 before 3.4.4, when SSL-Bump is enabled, allows remote attackers to cause a denial of service (assertion failure) via a crafted range request, related to state management.)
Original text: MANDRIVA, [ MDVSA-2014:114 ] squid (14.06.2014)

Multiple vulnerabilities in SAP
Published: 14 June 2014
Source:
SecurityVulns ID: 13828
Type: remote
Severity: 7/10
Description: Default accounts, unauthorized access to data.
Original text: Onapsis Research Labs, [Onapsis Security Advisories] Multiple Hard-coded Usernames in SAP Components (14.06.2014)
 research_(at)_onapsis.com_(at)_, [Onapsis Security Advisory 2014-020] SAP SLD Information Tampering (14.06.2014)

Multiple security vulnerabilities in WebTitan
Published: 14 June 2014
Source:
SecurityVulns ID: 13829
Type: remote
Severity: 6/10
Description: SQL injection, code execution, directory traversal.
Affected products: WEBTITAN : WebTitan 4.0
Original text: SEC Consult Vulnerability Lab, SEC Consult SA-20140606-0 :: Multiple critical vulnerabilities in WebTitan (14.06.2014)

Information disclosure in Cloudera Manager
Published: 14 June 2014
Source:
SecurityVulns ID: 13830
Type: remote
Severity: 5/10
Description: Disclosure of configuration information via the API.
Affected products: CLOUDERA : Cloudera Manager 5.0
CVE:CVE-2014-0220 (Cloudera Manager before 4.8.3 and 5.x before 5.0.1 allows remote authenticated users to obtain sensitive configuration information via the API.)
Original text: CLOUDERA, Details for CVE-2014-0220 (14.06.2014)

Privilege escalation in IBM DB2
Published: 14 June 2014
Source:
SecurityVulns ID: 13832
Type: local
Severity: 5/10
Description: Insecure loading of dynamic libraries.
CVE:CVE-2014-0907 (Multiple untrusted search path vulnerabilities in unspecified (1) setuid and (2) setgid programs in IBM DB2 9.5, 9.7 before FP9a, 9.8, 10.1 before FP3a, and 10.5 before FP3a on Linux and UNIX allow local users to gain root privileges via a Trojan horse library.)
Original text: advisories_(at)_portcullis-security.com, CVE-2014-0907 - SetUID/SetGID Programs Allow Privilege Escalation Via Insecure RPATH In IBM DB2 (14.06.2014)

Multiple security vulnerabilities in s3dvt
Published: 14 June 2014
Source:
SecurityVulns ID: 13833
Type: local
Severity: 5/10
Description: Multiple privilege escalations.
Affected products: S2DVT : s3dvt 0.2
CVE:CVE-2014-1226
 CVE-2013-6876
Original text: Hector Marco, CVE-2014-1226 s3dvt Root shell (still) (14.06.2014)
 Hector Marco, CVE-2013-6876 s3dvt Root shell (14.06.2014)

Privilege escalation in DCMTK
Published: 14 June 2014
Source:
SecurityVulns ID: 13834
Type: local
Severity: 5/10
Affected products: DCMTK : dcmtk 3.6
CVE:CVE-2013-6825 ((1) movescu.cc and (2) storescp.cc in dcmnet/apps/, (3) dcmnet/libsrc/scp.cc, (4) dcmwlm/libsrc/wlmactmg.cc, (5) dcmprscp.cc and (6) dcmpsrcv.cc in dcmpstat/apps/, (7) dcmpstat/tests/msgserv.cc, and (8) dcmqrdb/apps/dcmqrscp.cc in DCMTK 3.6.1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by creating a large number of processes.)
Original text: Hector Marco, CVE-2013-6825 DCMTK Root Privilege escalation (14.06.2014)

Insecure data transmission in Bilyoner applications
Published: 14 June 2014
Source:
SecurityVulns ID: 13835
Type: m-i-t-m
Severity: 5/10
Description: Under certain conditions data is transmitted in unprotected form.
Original text: harun.esur_(at)_sceptive.com, Bilyoner mobile apps prone to various SSL/TLS attacks (14.06.2014)

Summary of security vulnerabilities in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 14 June 2014
Source:
SecurityVulns ID: 13836
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: FCKEDITOR : FCKeditor 2.6
 MYBB : Mybb 1.6
 APACHE : Continuum 1.4
 TYPO3 : typo3 4.5
 APACHE : Struts 2.3
 CODEIGNITER : CodeIgniter 2.1
 OTRS : otrs 3.2
 REVIVEADSERVER : Revive Adserver 3.0
 XALAN : libxalan 2.7
 EGROUPWARE : eGroupware 1.8
 APACHE : Hive 0.13
 MEDIAWIKI : mediawiki 1.19
 ICINGA : icinga 1.11
 SPICEWORKS : SpiceWorks 7.2
 DEVEXPRESS : ASPxFileManager 13.2
 PYTHON : python-bottle 0.10
 PYTHON : python-jinja 2.5
 BOTTOMLINE : Transform Foundation Server 5.2
 F*EX : Frams' Fast File EXchange 20140313
 MAPSUITE : MapAPI 1.1
 WORDPRESS : Participants Database 1.5
 WEBEDITION : webEdition 6.3
 BLOGTRONIX : Sharetronix 3.3
 SEOPANEL : Seo Panel 3.4
 HANDSOMEWEB : SOS Webpages 1.1
 BSS : Continuity CMS 4.2
 DOTCLEAR : Dotclear 6.2
 WORDPRESS : Wordpress Booking System 1.2
 RAILS : Action Pack 3.2
CVE:CVE-2014-3966 (Cross-site scripting (XSS) vulnerability in Special:PasswordReset in MediaWiki before 1.19.16, 1.21.x before 1.21.10, and 1.22.x before 1.22.7, when wgRawHtml is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid username.)
 CVE-2014-3949 (Cross-site scripting (XSS) vulnerability in the layout wizard in the Grid Elements (gridelements) extension before 1.5.1 and 2.0.x before 2.0.3 for TYPO3 allows remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-3948 (Cross-site scripting (XSS) vulnerability in the HTML export wizard in the backend module in the powermail extension before 1.6.11 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-3947 (Unrestricted file upload vulnerability in the powermail extension before 1.6.11 and 2.x before 2.0.14 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with a crafted extension, then accessing it via unspecified vectors.)
 CVE-2014-3946 (The query caching functionality in the Extbase Framework component in TYPO3 6.2.0 before 6.2.3 does not properly validate group permissions, which allows remote authenticated users to read arbitrary queries via unspecified vectors.)
 CVE-2014-3945 (The Authentication component in TYPO3 before 6.2, when salting for password hashing is disabled, does not require knowledge of the cleartext password if the password hash is known, which allows remote attackers to bypass authentication and gain access to the backend by leveraging knowledge of a password hash.)
 CVE-2014-3944 (The Authentication component in TYPO3 6.2.0 before 6.2.3 does not properly invalidate timed out user sessions, which allows remote attackers to bypass authentication via unspecified vectors.)
 CVE-2014-3943 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified backend components in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allow remote authenticated editors to inject arbitrary web script or HTML via unknown parameters.)
 CVE-2014-3942 (The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object.)
 CVE-2014-3941 (TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, 6.1.0 before 6.1.9, and 6.2.0 before 6.2.3 allows remote attackers to have unspecified impact via a crafted HTTP Host header, related to "Host Spoofing.")
 CVE-2014-3877 (Incomplete blacklist vulnerability in Frams' Fast File EXchange (F*EX, aka fex) before fex-20140530 allows remote attackers to conduct cross-site scripting (XSS) attacks via the addto parameter to fup.)
 CVE-2014-3876 (Multiple cross-site scripting (XSS) vulnerabilities in Frams' Fast File EXchange (F*EX, aka fex) before fex-20140530 allow remote attackers to inject arbitrary web script or HTML via the (1) akey parameter to rup or (2) disclaimer or (3) gm parameter to fuc.)
 CVE-2014-3875
 CVE-2014-3783 (SQL injection vulnerability in admin/categories.php in Dotclear before 2.6.3 allows remote authenticated users with the manage categories permission to execute arbitrary SQL commands via the categories_order parameter.)
 CVE-2014-3782 (Multiple incomplete blacklist vulnerabilities in the filemanager::isFileExclude method in the Media Manager in Dotclear before 2.6.3 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) double extension or (2) .php5, (3) .phtml, or some other PHP file extension.)
 CVE-2014-3781 (The dcXmlRpc::setUser method in nc/core/class.dc.xmlrpc.php in Dotclear before 2.6.3 allows remote attackers to bypass authentication via an empty password in an XML-RPC request.)
 CVE-2014-3749 (SQL injection vulnerability in Construtiva CIS Manager allows remote attackers to execute arbitrary SQL commands via the email parameter to autenticar/lembrarlogin.asp.)
 CVE-2014-3740 (Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.)
 CVE-2014-3448
 CVE-2014-3447
 CVE-2014-3446 (SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.)
 CVE-2014-3445
 CVE-2014-3415 (SQL injection vulnerability in Sharetronix before 3.4 allows remote authenticated users to execute arbitrary SQL commands via the invite_users[] parameter to the /invite page for a group.)
 CVE-2014-3414 (Cross-site request forgery (CSRF) vulnerability in Sharetronix before 3.4 allows remote attackers to hijack the authentication of administrators for requests that add administrative privileges to a user via the admin parameter to admin/administrators.)
 CVE-2014-3210 (SQL injection vulnerability in dopbs-backend-forms.php in the Booking System (Booking Calendar) plugin before 1.3 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the booking_form_id parameter to wp-admin/admin-ajax.php.)
 CVE-2014-3137 (Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code.)
 CVE-2014-2988 (EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987.)
 CVE-2014-2987 (Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988.)
 CVE-2014-2843
 CVE-2014-2577 (Multiple cross-site scripting (XSS) vulnerabilities in the Transform Content Center in Bottomline Technologies Transform Foundation Server before 4.3.1 Patch 8 and 5.x before 5.2 Patch 7 allow remote attackers to inject arbitrary web script or HTML via the (1) pn parameter to index.fsp/document.pdf, (2) db or (3) referer parameter to index.fsp/index.fsp, or (4) PATH_INFO to the default URI.)
 CVE-2014-2575 (Directory traversal vulnerability in the File Manager component in DevExpress ASPxFileManager Control for ASP.NET WebForms and MVC before 13.1.10 and 13.2.x before 13.2.9 allows remote authenticated users to read or write arbitrary files via a .. (dot dot) in the __EVENTARGUMENT parameter.)
 CVE-2014-2554 (OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element.)
 CVE-2014-2553 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to dynamic fields.)
 CVE-2014-2386 (Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow.)
 CVE-2014-2303 (Multiple SQL injection vulnerabilities in the file browser component (we_fs.php) in webEdition CMS before 6.2.7-s1.2 and 6.3.x through 6.3.8 before -s1 allow remote attackers to execute arbitrary SQL commands via the (1) table or (2) order parameter.)
 CVE-2014-2302
 CVE-2014-2233 (Server-side request forgery (SSRF) vulnerability in the MapAPI in Infoware MapSuite before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to trigger requests to intranet servers via unspecified vectors.)
 CVE-2014-2232 (Absolute path traversal vulnerability in the MapAPI in Infoware MapSuite before 1.0.36 and 1.1.x before 1.1.49 allows remote attackers to read arbitrary files via unspecified vectors.)
 CVE-2014-1878 (Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi.)
 CVE-2014-1855 (Multiple cross-site scripting (XSS) vulnerabilities in Seo Panel before 3.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) capcheck parameter to directories.php or (2) keyword parameter to proxy.php.)
 CVE-2014-1402 (The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.)
 CVE-2014-0228 (Apache Hive before 0.13.1, when in SQL standards based authorization mode, does not properly check the file permissions for (1) import and (2) export statements, which allows remote authenticated users to obtain sensitive information via a crafted URI.)
 CVE-2014-0130 (Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.)
 CVE-2014-0107 (The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.)
 CVE-2014-0082 (actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.)
 CVE-2014-0081 (Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.)
 CVE-2013-7108 (Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.)
 CVE-2013-7107 (Cross-site request forgery (CSRF) vulnerability in cmd.cgi in Icinga 1.8.5, 1.9.4, 1.10.2, and earlier allows remote attackers to hijack the authentication of users for unspecified commands via unspecified vectors, as demonstrated by bypassing authentication requirements for CVE-2013-7106.)
 CVE-2013-7106 (Multiple stack-based buffer overflows in Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the (1) display_nav_table, (2) page_limit_selector, (3) print_export_link, or (4) page_num_selector function in cgi/cgiutils.c; (5) status_page_num_selector function in cgi/status.c; or (6) display_command_expansion function in cgi/config.c. NOTE: this can be exploited without authentication by leveraging CVE-2013-7107.)
 CVE-2013-5954 (Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11 and earlier allow remote attackers to hijack the authentication of administrators for requests that delete (1) users via admin/agency-user-unlink.php, (2) advertisers via admin/advertiser-delete.php, (3) banners via admin/banner-delete.php, (4) campaigns via admin/campaign-delete.php, (5) channels via admin/channel-delete.php, (6) affiliate websites via admin/affiliate-delete.php, or (7) zones via admin/zone-delete.php.)
 CVE-2013-2251 (Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.)
Original text: MustLive, LE, BF and IAA vulnerabilities in Catapulta I.W. Edition (14.06.2014)
 MustLive, CS and XSS vulnerabilities in DZS Video Gallery for WordPress (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2929-1] ruby-actionpack-3.2 security update (14.06.2014)
 Matteo Beccati, [REVIVE-SA-2014-001] Revive Adserver 3.0.5 fixes CSRF vulnerability (14.06.2014)
 edge_(at)_bitmessage.ch, Construtiva CIS Manager CMS POST SQLi (14.06.2014)
 omgpdrv_(at)_gmail.com, Wordpress Booking System (Booking Calendar) plugin SQL Injection (14.06.2014)
 UBUNTU, [USN-2218-1] Xalan-Java vulnerability (14.06.2014)
 Egidio Romano, [KIS-2014-05] Dotclear <= 2.6.2 (XML-RPC Interface) Authentication Bypass Vulnerability (14.06.2014)
 Egidio Romano, [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability (14.06.2014)
 Egidio Romano, [KIS-2014-07] Dotclear <= 2.6.2 (categories.php) SQL Injection Vulnerability (14.06.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-3448 - Remote Code Execution Via Unauthenticated File Upload in BSS Continuity CMS (14.06.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-3447 - Remote Denial Of Service in BSS Continuity CMS (14.06.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-3446 - Unauthenticated Blind SQL Injection in BSS Continuity CMS (14.06.2014)
 advisories_(at)_portcullis-security.com, CVE-2014-3445 - Unauthenticated Backup and Password Disclosure in HandsomeWeb SOS Webpages (14.06.2014)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Sharetronix (14.06.2014)
 High-Tech Bridge Security Research, Two Cross-Site Scripting (XSS) Vulnerabilities in Seo Panel (14.06.2014)
 High-Tech Bridge Security Research, CSRF and Remote Code Execution in EGroupware (14.06.2014)
 RedTeam Pentesting, [RT-SA-2014-004] Remote Command Execution in webEdition CMS Installer Script (14.06.2014)
 RedTeam Pentesting, [RT-SA-2014-005] SQL Injection in webEdition CMS File Browser Installer Script (14.06.2014)
 yaruboscan_(at)_gmail.com, Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress (14.06.2014)
 iedb.team_(at)_gmail.com, Mybb Sendthread Page Denial of Service Vulnerability (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2942-1] typo3-src security update (14.06.2014)
 LSE Leading Security Experts GmbH (Security Advisories), LSE Leading Security Experts GmbH - LSE-2014-05-22 - F*EX - Multiple Issues (14.06.2014)
 Robin Bailey, FCKedtior 2.6.10 Reflected Cross-Site Scripting (XSS) (14.06.2014)
 Christian Schneider, CVE-2014-2843 - "Reflected Cross-Site Scripting (XSS)" (CWE-79) vulnerability in "infoware MapSuite" (14.06.2014)
 Christian Schneider, CVE-2014-2233 - "Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite" (14.06.2014)
 Christian Schneider, CVE-2014-2232 - "Absolute Path Traversal" (CWE-36) vulnerability in "infoware MapSuite" (14.06.2014)
 Fran, [CVE-2014-2577] XSS on Transform Foundation Server 4.3.1 and 5.2 from Bottomline Technologies (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2934-1] python-django security update (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2948-1] python-bottle security update (14.06.2014)
 RedTeam Pentesting, [RT-SA-2014-006] Directory Traversal in DevExpress ASP.NET File Manager (14.06.2014)
 cseye_ut_(at)_yahoo.com, multiple Vulnerability in "WahmShoppes eStore" (14.06.2014)
 iedb.team_(at)_gmail.com, NeginGroup CMS Multiple Vulnerability (14.06.2014)
 Dolev Farhi, CVE-2014-3740 - SpiceWorks Cross-site scripting (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) ASPSlideshow Module Arbitrary File Download Vulnerability (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) CodeEditor Module Arbitrary File Download Vulnerability (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) EasyDnnGallery Module Arbitrary File Download Vulnerability (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) eventscalendar Module Arbitrary File Download Vulnerability (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) dnnUI_NewsArticlesSlider Module Arbitrary File Download Vulnerability (14.06.2014)
 cseye_ut_(at)_yahoo.com, DNN (DotNetNuke®) responsivesidebar Module Arbitrary File Download Vulnerability (14.06.2014)
 MANDRIVA, [ MDVSA-2014:111 ] otrs (14.06.2014)
 Robin Bailey, CodeIgniter <= 2.1.4 Session Decoding Vulnerability (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2956-1] icinga security update (14.06.2014)
 DEBIAN, [SECURITY] [DSA 2957-1] mediawiki security update (14.06.2014)
 APACHE, CVE-2014-0228: Apache Hive Authorization vulnerability (14.06.2014)
 APACHE, [SECURITY] CVE-2013-2251: Apache Continuum affected by Remote Command Execution (14.06.2014)

Code execution in python-GPG
Published: 14 June 2014
Source:
SecurityVulns ID: 13837
Type: library
Severity: 5/10
Description: Shell injection.
Affected products: PYTHON : python-gnupg 2.3
CVE:CVE-2013-7329 (The CGI::Application module 4.50 and earlier for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.)
 CVE-2013-7328 (Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a different vulnerability than CVE-2013-7226.)
 CVE-2013-7327 (The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return value, a different vulnerability than CVE-2013-7226.)
 CVE-2013-7323 (python-gnupg before 0.3.5 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.)
Original text: DEBIAN, [SECURITY] [DSA 2946-1] python-gnupg security update (14.06.2014)

Multiple security vulnerabilities in CoSoSys Endpoint Protector
Published: 14 June 2014
Source:
SecurityVulns ID: 13838
Type: remote
Severity: 5/10
Description: Hidden accounts, SQL injection, information disclosure.
Affected products: COSOSYS : Endpoint Protector 4
Original text: SEC Consult Vulnerability Lab, SEC Consult SA-20140521-0 :: Multiple critical vulnerabilities in CoSoSys Endpoint Protector 4 (14.06.2014)

Symbolic link issue in ppc64-diag
Published: 14 June 2014
Source:
SecurityVulns ID: 13839
Type: local
Severity: 4/10
Description: Symbolic link issue when handling temporary files.
Affected products: PPC64DIAG : ppc64-diag 2.6
Original text: Vincent Danen, [oss-security] CVE request: multiple /tmp races in ppc64-diag (14.06.2014)

User existence check in proxmox
Published: 14 June 2014
Source:
SecurityVulns ID: 13840
Type: remote
Severity: 4/10
Affected products: PROXMOX : Proxmox VE 3.1
Original text: Damien Cauquil, [oss-security] CVE request: Proxmox VE < 3.2 user enumeration vulnerability (14.06.2014)

DoS against PowerDNS
Published: 14 June 2014
Source:
SecurityVulns ID: 13841
Type: remote
Severity: 5/10
Description: DoS via descriptor exhaustion.
Original text: Vasyl Kaiagorodov, [oss-security] CVE request: PowerDNS in default configuration is vulnerable to DoS attack (14.06.2014)

Multiple vulnerabilities in D-Link DSL-500T / DAP-1150 / DAP-1320
updated since 11 December 2011
Published: 14 June 2014
Source:
SecurityVulns ID: 12076
Type: remote
Severity: 4/10
Description: Cross-site request forgery, directory traversal, authentication bypass in the web administration interface.
Affected products: DLINK : D-Link DSL-500T
 DLINK : D-Link DAP-1150
 DLINK : D-Link DAP-1320
Original text: MustLive, Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150 (14.06.2014)
 MustLive, CSRF, AoF and XSS vulnerabilities in D-Link DAP 1150 (14.06.2014)
 MustLive, Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150 (04.05.2014)
 MustLive, Exploit for D-Link DAP 1150 (11.03.2013)
 MustLive, AoF and CSRF vulnerabilities in D-Link DAP 1150 (15.02.2012)
 MustLive, Multiple CSRF, DoS and XSS vulnerabilities in D-Link DAP 1150 (15.02.2012)
 MustLive, CSRF, DT and AB vulnerabilities in D-Link DSL-500T ADSL Router (26.12.2011)
 MustLive, Vulnerabilities in D-Link DAP 1150 (12.12.2011)
 MustLive, Vulnerabilities in D-Link DSL-500T ADSL Router (11.12.2011)

Multiple security vulnerabilities in EMC Documentum
updated since 14 June 2014
Published: 14 September 2015
Source:
SecurityVulns ID: 13831
Type: remote
Severity: 8/10
Description: Code injection, privilege escalation.
Affected products: EMC : Documentum D2 4.2
 EMC : Documentum eRoom 7.4
 EMC : Documentum Content Server 7.1
 EMC : Documentum Content Server 6.7
 EMC : Documentum Digital Asset Manager 6.5
 EMC : Documentum Foundation Services 6.7
CVE:CVE-2015-4544 (EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 does not properly verify authorization for dm_job object access, which allows remote authenticated users to obtain superuser privileges via crafted object operations. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4626.)
 CVE-2015-4537 (Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase when a server lacks a D2.Lockbox file, which makes it easier for remote authenticated users to decrypt admin tickets by locating this passphrase in a decompiled D2 JAR archive.)
 CVE-2015-4536 (EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.)
 CVE-2015-4535 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket.)
 CVE-2015-4534 (Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 allows remote authenticated users to execute arbitrary code by forging a signature for a query string that lacks the method_verb parameter.)
 CVE-2015-4533 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2513.)
 CVE-2015-4532 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2514.)
 CVE-2015-4531 (EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4622.)
 CVE-2015-4530 (Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2518.)
 CVE-2015-4529 (Open redirect vulnerability in EMC Documentum WebTop before 6.8P02, Documentum Administrator before 7.2P01, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL.)
 CVE-2015-4528 (Cross-site scripting (XSS) vulnerability in EMC Documentum CenterStage 1.2SP1 and 1.2SP2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2015-4524 (Unrestricted file upload vulnerability in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allows remote authenticated users to execute arbitrary code by uploading a file to the backend Content Server.)
 CVE-2015-0551 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P25; Documentum Web Publishers 6.5 SP7 before P25; and Documentum Task Space 6.7SP1 before P31 and 6.7SP2 before P23 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2015-0550 (Directory traversal vulnerability in EMC Documentum Thumbnail Server 6.7SP1 before P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P01 allows remote attackers to bypass intended Content Server access restrictions via unspecified vectors.)
 CVE-2015-0549 (Cross-site scripting (XSS) vulnerability in EMC Documentum D2 before 4.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2015-0548 (The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.)
 CVE-2015-0547 (The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.)
 CVE-2015-0518 (The Properties service in the D2FS web-service component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 allows remote authenticated users to obtain superuser privileges via an unspecified method call that modifies group permissions.)
 CVE-2015-0517 (The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file.)
 CVE-2014-4639 (EMC Documentum Web Development Kit (WDK) before 6.8 does not properly generate random numbers for a certain parameter related to Webtop components, which makes it easier for remote attackers to conduct phishing attacks via brute-force attempts to predict the parameter value.)
 CVE-2014-4638 (EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors.)
 CVE-2014-4637 (Open redirect vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.)
 CVE-2014-4636 (Cross-site request forgery (CSRF) vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to hijack the authentication of arbitrary users for requests that perform Docbase operations.)
 CVE-2014-4635 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum Web Development Kit (WDK) before 6.8 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-4629 (EMC Documentum Content Server 7.0, 7.1 before 7.1 P10, and 6.7 before SP2 P19 allows remote authenticated users to read or delete arbitrary files via unspecified vectors related to an insecure direct object reference.)
 CVE-2014-4626 (EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote authenticated users to gain privileges by (1) placing a command in a dm_job object and setting this object's owner to a privileged user or placing a rename action in a dm_job_request object and waiting for a (2) dm_UserRename or (3) dm_GroupRename service task, aka ESA-2014-105. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2515.)
 CVE-2014-4618 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to gain privileges via a user-created system object.)
 CVE-2014-2521 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to read sensitive object metadata via an RPC command.)
 CVE-2014-2520 (EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07, when Oracle Database is used, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and read sensitive database content via a crafted request.)
 CVE-2014-2518 (Multiple cross-site request forgery (CSRF) vulnerabilities in EMC Documentum WDK before 6.7SP1 P28 and 6.7SP2 before P15 allow remote attackers to hijack the authentication of arbitrary users.)
 CVE-2014-2515 (EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.)
 CVE-2014-2514 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors.)
 CVE-2014-2513 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P15, 7.0 before P15, and 7.1 before P06 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script.)
 CVE-2014-2512 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum eRoom 7.4.3, 7.4.4 before P19, and 7.4.4 SP1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-2511 (Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.)
 CVE-2014-2510 (The JAXB XML parser in EMC Documentum Foundation Services (DFS) 6.6 before P39, 6.7 SP1 before P28, and 6.7 SP2 before P15, as used in My Documentum for Desktop, My Documentum for Microsoft Outlook, and CenterStage, allows remote authenticated users to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.)
 CVE-2014-2508 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on database actions via vectors involving DQL hints.)
 CVE-2014-2507 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to execute arbitrary commands via shell metacharacters in arguments to unspecified methods.)
 CVE-2014-2506 (EMC Documentum Content Server before 6.7 SP1 P28, 6.7 SP2 before P14, 7.0 before P15, and 7.1 before P05 allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors.)
 CVE-2014-2503 (The thumbnail proxy server in EMC Documentum Digital Asset Manager (DAM) 6.5 SP3, 6.5 SP4, 6.5 SP5, and 6.5 SP6 before P13 allows remote attackers to conduct Documentum Query Language (DQL) injection attacks and bypass intended restrictions on querying objects via a crafted parameter in a query string.)
Original text: EMC, ESA-2015-144: EMC Documentum Content Server Privilege Escalation Vulnerability (14.09.2015)
 EMC, ESA-2015-110: EMC Documentum Thumbnail Server Directory Traversal Vulnerability (14.09.2015)
 EMC, ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities (24.08.2015)
 EMC, ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability (24.08.2015)
 andrew_(at)_panfilov.tel, sysadmin privilege in EMC Documentum Content Server (24.08.2015)
 andrew_(at)_panfilov.tel, EMC Documentum Content Server: arbitrary code execution (incomplete fix in CVE-2015-4532) (24.08.2015)
 andrew_(at)_panfilov.tel, Privilege escalation through RPC commands in EMC Documentum Content Server (incomplete fix in CVE-2015-4532) (24.08.2015)
 EMC, ESA-2015-132: EMC Documentum D2 Fail Open Vulnerability (24.08.2015)
 EMC, ESA-2015-122: EMC Documentum CenterStage Cross-site Scripting Vulnerability (20.07.2015)
 EMC, ESA-2015-123: EMC Documentum WebTop Open Redirect Vulnerability (20.07.2015)
 andrew_(at)_panfilov.tel, Extra information for CVE-2014-2513 - EMC Documentum Content Server: arbitrary code execution (13.07.2015)
 EMC, ESA-2015-108: EMC Documentum D2 Multiple DQL Injection Vulnerabilities (05.07.2015)
 EMC, ESA-2015-111: EMC Documentum WebTop Client Products Multiple Vulnerabilities (05.07.2015)
 andrew_(at)_panfilov.tel, Extra information for CVE-2014-4626 - EMC Documentum Content Server: authenticated user is able to elevate privileges, hijack Content Server filesystem, execute arbitrary commands by creating malicious dm_job objects (05.07.2015)
 EMC, ESA-2015-110: EMC Documentum Thumbnail Server Directory Traversal Vulnerability (29.06.2015)
 EMC, ESA-2015-109: EMC Documentum D2 Cross-Site Scripting (29.06.2015)
 EMC, ESA-2015-010: EMC Documentum D2 Multiple Vulnerabilities (23.02.2015)
 EMC, ESA-2014-180: EMC Documentum Web Development Kit Multiple Vulnerabilities (13.01.2015)
 EMC, ESA-2014-156: EMC Documentum Content Server Insecure Direct Object Reference Vulnerability (08.12.2014)
 EMC, ESA-2014-091: EMC Documentum Content Server Multiple Privilege Escalation Vulnerabilities (21.09.2014)
 EMC, ESA-2014-079: EMC Documentum Content Server Multiple Vulnerabilities (26.08.2014)
 EMC, ESA-2014-067: EMC Documentum D2 Privilege Escalation Vulnerability (26.08.2014)
 EMC, ESA-2014-059: EMC Documentum Multiple Cross-Site Scripting Vulnerabilities (26.08.2014)
 EMC, ESA-2014-073: EMC Documentum Multiple Cross-Site Request Forgery Vulnerabilities (26.08.2014)
 EMC, ESA-2014-064: EMC Documentum Content Server Privilege Escalation Vulnerabilities (28.07.2014)
 EMC, ESA-2014-057: EMC Documentum Foundation Services (DFS) XML External Entity (XXE) Vulnerability (28.07.2014)
 SEC Consult Vulnerability Lab, SEC Consult SA-20140701-0 :: Stored cross-site scripting vulnerabilities in EMC Documentum eRoom (28.07.2014)
 EMC, ESA-2014-060: EMC Documentum eRoom Multiple Cross-Site Scripting Vulnerabilities (28.07.2014)
 EMC, ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability (14.06.2014)
 EMC, ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities (14.06.2014)

© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород