Information Security


URL redirection in F5 Firepass
Published: 22 October 2012
Source:
SecurityVulns ID: 12658
Type: remote
Severity: 3/10
Description: Uncontrolled redirect from the my.activation.cns.php3 page
Original text: YGN Ethical Hacker Group, F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection (22.10.2012)

Security vulnerabilities in IBM Lotus Notes Traveler
Published: 22 October 2012
Source:
SecurityVulns ID: 12659
Type: remote
Severity: 5/10
Description: Cross-site scripting, request forgery, URL redirection.
Affected products: IBM : Lotus Notes Traveler 8.5
CVE: CVE-2012-4825 (Multiple cross-site scripting (XSS) vulnerabilities in servlet/traveler/ILNT.mobileconfig in IBM Lotus Notes Traveler before 8.5.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) userId or (2) address parameter in a getClientConfigFile action.)
 CVE-2012-4824 (Open redirect vulnerability in servlet/traveler in IBM Lotus Notes Traveler 8.5.3 before 8.5.3.3 Interim Fix 1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirectURL parameter.)
Original text: MustLive, BF, XSS, CSRF and Redirector vulnerabilities in IBM Lotus Notes Traveler (22.10.2012)

Summary of security vulnerabilities in web applications (PHP, ASP, JSP, CGI, Perl)
Published: 22 October 2012
Source:
SecurityVulns ID: 12660
Type: remote
Severity: 5/10
Description: PHP injection, SQL injection, directory traversal, cross-site scripting, file modification, information leakage, etc.
Affected products: OPENX : OpenX 2.8
 CMSQLITE : CMSQLITE 1.3
 VBULLETIN : Vbulletin 4.1
 WORDPRESS : Wordfence Security 3.3
 ATUTOR : ATutor 1.2
 SUBRION : Subrion CMS 2.2
 JCORE : jCore 1.0
 SILVERSTRIPE : SilverStripe 2.4
 TEMPLATECMS : Template CMS 2.1
 CAMPAIGNENTERPRI : Campaign Enterprise 11
 WORDPRESS : Wordpress Social Discussions 6.1
 WORDPRESS : Wordpress Slideshow 2.1
 UNIRGY : uStoreLocator 2.0
 FILEBOUND : FileBound On-Site 6.1
 VOLK : vOlk Botnet Framework 4.0
 OMNISTAR : Omnistar Document Manager 8.0
 INTERSPIRE : Interspire Email Marketer 6.0
 OMNISTAR : Omnistar Mailer 7.2
 PHPFREECHAT : phpFreeChat 1.4
 PHPTAX : phptax 0.8
 SWITCHVOX : Switchvox Asterisk 5.1
 AXIS : Axis VoIP Manager 2.1
 NEOBILL : NeoBill CMS 0.8
 ATLASSIAN : Confluence 3.5
 ATLASSIAN : Confluence 4.0
 ATLASSIAN : Confluence 4.1
 TORRENTTRADER : TorrentTrader 2.08
CVE: CVE-2012-5169 (Multiple cross-site scripting (XSS) vulnerabilities in file_manager/preview_top.php in ATutor AContent before 1.2-2 allow remote attackers to inject arbitrary web script or HTML via the (1) pathext, (2) popup, (3) framed, or (4) file parameter.)
 CVE-2012-5168 (ATutor AContent before 1.2-1 allows remote attackers to modify arbitrary user passwords or category names via a direct request to (1) user/index_inline_editor_submit.php or (2) course_category/index_inline_editor_submit.php.)
 CVE-2012-5167 (Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 allow remote attackers to execute arbitrary SQL commands via the (1) field parameter to course_category/index_inline_editor_submit.php or (2) user/index_inline_editor_submit.php; or (3) id parameter to user/user_password.php.)
 CVE-2012-4990 (SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action.)
 CVE-2012-4989 (Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in OpenX 2.8.10 before revision 81823 allows remote attackers to inject arbitrary web script or HTML via the parent parameter in an info action.)
 CVE-2012-4902 (Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php.)
 CVE-2012-4901 (Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter an add_template action to admin/index.php.)
 CVE-2012-4773 (Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding an administrator account via an add action to admin/accounts/add/.)
 CVE-2012-4772 (SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter.)
 CVE-2012-4771 (Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) admin/accounts/, (2) admin/manage/, or (3) admin/manage/blocks/edit/; or (4) group parameter to admin/configuration/. NOTE: The f[accounts][fullname] and f[accounts][username] vectors are covered in CVE-2012-5452.)
 CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.)
 CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.)
 CVE-2012-3824
 CVE-2012-3823
 CVE-2012-3822
 CVE-2012-3821
 CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.)
Original text: Janek Vind, [waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08 (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, [INTREST SEC] Atlassian Confluence Wiki XSS Vulnerability (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability (22.10.2012)
 Vulnerability Lab, Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Better WP Security v3.4.3 Wordpress - Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities (22.10.2012)
 pereira_(at)_secbiz.de, phptax 0.8 <= Remote Code Execution Vulnerability (22.10.2012)
 Netsparker Advisories, XSS Vulnerabilities in phpFreeChat (22.10.2012)
 Vulnerability Lab, Omnistar Mailer v7.2 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Interspire Email Marketer v6.0.1 - Multiple Vulnerabilites (22.10.2012)
 Vulnerability Lab, Omnistar Document Manager v8.0 - Multiple Vulnerabilities (22.10.2012)
 Vulnerability Lab, vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities (22.10.2012)
 lists_(at)_senseofsecurity.com, FileBound - Privilege Escalation Vulnerability - Security Advisory - SOS-12-010 (22.10.2012)
 SEC Consult Vulnerability Lab, SEC Consult SA-20121017-1 :: Unirgy uStoreLocator SQL Injection - Magento extension (22.10.2012)
 Janek Vind, [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin (22.10.2012)
 Janek Vind, [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin (22.10.2012)
 Vulnerability Lab, CMSQLITE v1.3.2 - Multiple Web Vulnerabiltiies (22.10.2012)
 MustLive, Multiple vulnerabilities in Megapolis.Portal Manager (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Template CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in OpenX (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in jCore (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Subrion CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in AContent (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Persistent Cross Site Scripting Vulnerability (22.10.2012)
 MustLive, XSS and IAA vulnerabilities in Wordfence Security for WordPress (22.10.2012)

Security vulnerabilities in CA ARCserve Backup
Published: 22 October 2012
Source:
SecurityVulns ID: 12661
Type: remote
Severity: 7/10
Description: Security vulnerabilities related to RPC request handling.
CVE: CVE-2012-2972 (The (1) server and (2) agent components in CA ARCserve Backup r12.5, r15, and r16 on Windows do not properly validate RPC requests, which allows remote attackers to cause a denial of service (service crash) via a crafted request.)
 CVE-2012-2971 (The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request.)
Original text: CA, CA20121018-01: Security Notice for CA ARCserve Backup (22.10.2012)

Insufficient certificate validation in Palo Alto Networks GlobalProtect
Published: 22 October 2012
Source:
SecurityVulns ID: 12662
Type: man-in-the-middle
Severity: 5/10
Description: The server certificate is not validated
Original text: Micha.Borrmann_(at)_SySS.de, MitM-vulnerability in Palo Alto Networks GlobalProtect (22.10.2012)

Protection bypass in modsecurity for Apache
Published: 22 October 2012
Source:
SecurityVulns ID: 12663
Type: remote
Severity: 4/10
Description: Filtering can be bypassed via a double \r in the multipart part boundary identifier.
Affected products: MODSECURITY : ModSecurity 2.6
Original text: SEC Consult Vulnerability Lab, SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass (22.10.2012)

Multiple security vulnerabilities in SonicWALL EMail Security
Published: 22 October 2012
Source:
SecurityVulns ID: 12664
Type: remote
Severity: 5/10
Description: Cross-site scripting, form forgery, etc.
Affected products: SONICWALL : SonicWalls UTM Email Security 7.3
Original text: Vulnerability Lab, SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities (22.10.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod