Информационная безопасность
[RU] switch to English


Уязвимости безопасности в Barracuda Networks Firewall / Web Firewall / Spam&Virus Firewall
дополнено с 28 июля 2014 г.
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13887
Тип:удаленная
Уровень опасности:
5/10
Описание:Обход ограничений, XSS.
Затронутые продукты:BARRACUDANETWORK : Barracuda Networks Firewall 6.1
 BARRACUDANETWORK : Web Firewall 610
 BARRACUDANETWORK : Spam & Virus Firewall 600
 BARRACUDANETWORK : Barracuda Networks Web Security Flex 4.1
CVE:CVE-2014-2595
Оригинальный текстdocumentVulnerability Lab, Barracuda Networks Web Security Flex v4.1 - Persistent Vulnerabilities (BNSEC-699) (26.08.2014)
 documentadvisories_(at)_portcullis-security.com, CVE-2014-2595 - Authentication Bypass in Barracuda Web Application Firewall (11.08.2014)
 documentVulnerability Lab, Barracuda Networks Web Application Firewall v6.1.5 & LoadBalancer v4.2.2 #37 - Filter Bypass & Multiple Vulnerabilities (04.08.2014)
 documentVulnerability Lab, Barracuda Networks Spam&Virus Firewall v5.1.3 - Client Side Cross Site Vulnerability (28.07.2014)
 documentVulnerability Lab, Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability (28.07.2014)
 documentVulnerability Lab, Barracuda Networks #35 Web Firewall 610 v6.0.1 - Filter Bypass & Persistent Vulnerability (28.07.2014)
 documentVulnerability Lab, Barracuda Networks Firewall 6.1.2 #36 - Filter Bypass & Exception Handling Vulnerability + PoC Video BNSEC-2398 (28.07.2014)
 documentVulnerability Lab, Barracuda Networks Firewall 6.1.5 - Filter Bypass & Persistent Vulnerabilities (28.07.2014)

Многочисленные уязвимости безопасности в HP Service Manager
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13929
Тип:удаленная
Уровень опасности:
6/10
Описание:Межсайтовый скриптинг, несанкционированный доступ, повышение привилегий.
Затронутые продукты:HP : HP Service Manager 9.33
CVE:CVE-2014-2634 (Unspecified vulnerability in the server in HP Service Manager (SM) 7.21 and 9.x before 9.34 allows remote attackers to bypass intended access restrictions, and modify data or cause a denial of service, via unknown vectors.)
 CVE-2014-2633 (Cross-site request forgery (CSRF) vulnerability in the server in HP Service Manager (SM) 7.21 and 9.x before 9.34 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.)
 CVE-2014-2632 (Unspecified vulnerability in the WebTier component in HP Service Manager (SM) 7.21 and 9.x before 9.34 allows remote attackers to execute arbitrary code via unknown vectors.)
 CVE-2013-6222 (Cross-site scripting (XSS) vulnerability in the Mobility Web Client and Service Request Catalog (SRC) components in HP Service Manager (SM) 7.21 and 9.x before 9.34 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Оригинальный текстdocumentHP, [security bulletin] HPSBMU03079 rev.1 - HP Service Manager, Multiple Vulnerabilities (26.08.2014)

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13930
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:CACTI : cacti 0.8
 TOMATOCART : TomatoCart 1.1
 APACHE : OFBiz 12.04
 WORDPRESS : Wordpress 3.6
 CHECKMK : check_mk 1.2
 MEDIAWIKI : mediawiki 1.19
 APACHE : Cordova 3.5
 BROWSERIFY : Browserify 4.2
 INNOVAPHONE : Innovaphone PBX 10.00
 JAMROOM : Jamroom 5.2
 DRUPAL : Drupal 7.31
 OPENDAYLIGHT : Opendaylight 1.0
 REPORTBUG : reportbug 6.4
 PROCHATROOMS : Pro Chat Rooms 8.2
 READSOFT : Readsoft Invoice Servicepack 5.6
 READSOFT : Readsoft Process Director 7.2
CVE:CVE-2014-5340 (The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.)
 CVE-2014-5339 (Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authenticated users to write check_mk config files (.mk files) to arbitrary locations via vectors related to row selections.)
 CVE-2014-5338 (Multiple cross-site scripting (XSS) vulnerabilities in the multisite component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) render_status_icons function in htmllib.py or (2) ajax_action function in actions.py.)
 CVE-2014-5335 (Multiple cross-site request forgery (CSRF) vulnerabilities in innovaphone PBX 10.00 sr11 and earlier allow remote attackers to hijack the authentication of administrators for requests that modify configurations or user accounts, as demonstrated by (1) changing the administrator password via a crafted request to CMD0/mod_cmd.xml or (2) adding a new SIP user via a crafted request to PBX0/ADMIN/mod_cmd_login.xml.)
 CVE-2014-5262 (SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.)
 CVE-2014-5261 (The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.)
 CVE-2014-5243 (MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.)
 CVE-2014-5241 (The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted OBJECT element with SWF content consistent with a restricted character set.)
 CVE-2014-5122 (Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login.)
 CVE-2014-5098 (Cross-site scripting (XSS) vulnerability in the Search module before 1.2.2 in Jamroom allows remote attackers to inject arbitrary web script or HTML via the query string to search/results/.)
 CVE-2014-5097 (Multiple SQL injection vulnerabilities in Free Reprintables ArticleFR 3.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) get or (2) set action to rate.php.)
 CVE-2014-5035 (The Netconf (TCP) service in OpenDaylight 1.0 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference in an XML-RPC message, related to an XML External Entity (XXE) issue.)
 CVE-2014-5027 (Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.)
 CVE-2014-5026 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action.)
 CVE-2014-5025 (Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.)
 CVE-2014-4722 (Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web Interface in OCS Inventory NG allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-4002 (Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php.)
 CVE-2014-3978 (SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact.)
 CVE-2014-3830 (Cross-site scripting (XSS) vulnerability in info.php in TomatoCart 1.1.8.6.1 allows remote attackers to inject arbitrary web script or HTML via the faqs_id parameter.)
 CVE-2014-2709 (lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.)
 CVE-2014-2708 (Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6) print_source, (7) local_graph_id, or (8) rra_id parameter.)
 CVE-2014-2328 (lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.)
 CVE-2014-2327 (Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configurations, or (3) add arbitrary users.)
 CVE-2014-2326 (Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2014-0483 (The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.)
 CVE-2014-0482 (The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.)
 CVE-2014-0481 (The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a denial of service (CPU consumption) by unloading a multiple files with the same name.)
 CVE-2014-0480 (The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.)
 CVE-2014-0479 (reportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py.)
Оригинальный текстdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20140805-0 :: Multiple vulnerabilities in Readsoft Invoice Processing and Process Director (26.08.2014)
 documentmike.manzotti_(at)_dionach.com, Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities (26.08.2014)
 documentMustLive, XSS, FPD and RCE vulnerabilities in DZS Video Gallery for WordPress (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 2997-1] reportbug security update (26.08.2014)
 documentKenny Mathis, TomatoCart v1.x (latest-stable) Multiple Vulnerabilities (26.08.2014)
 documentMANDRIVA, [ MDVSA-2014:156 ] ocsinventory (26.08.2014)
 documentMarcel Kinard, Apache Cordova 3.5.1: CVE-2014-3502 update (26.08.2014)
 documentGregory Pickett, CVE-2014-5035 - Opendaylight Vulnerable to Local and Remote File Inclusion in the Netconf (TCP) Service (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 2999-1] drupal7 security update (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 3001-1] wordpress security update (26.08.2014)
 documentHigh-Tech Bridge Security Research, Reflected Cross-Site Scripting (XSS) in Jamroom (26.08.2014)
 documentAPACHE, [CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability (26.08.2014)
 documentCERT_(at)_telekom.de, Deutsche Telekom CERT Advisory [DTC-A-20140820-001] check_mk vulnerabilities (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 3007-1] cacti security update (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 2970-1] cacti security update (26.08.2014)
 documentHigh-Tech Bridge Security Research, SQL Injection Vulnerability in ArticleFR (26.08.2014)
 documentRomano, Christian, ArcGIS for Server Vulnerability Disclosure (26.08.2014)
 documentrg_(at)_nsideattacklogic.de, [CVE-2014-5335] CSRF in Innovaphone PBX (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 3010-1] python-django security update (26.08.2014)
 documentCal Leeming [Simplicity Media Ltd], Node Browserify RCE vuln (<= 4.2.0) (26.08.2014)
 documentDEBIAN, [SECURITY] [DSA 3011-1] mediawiki security update (26.08.2014)
 documentcseye_ut_(at)_yahoo.com, DNN(DotNetNuke®) Iconbar Control Panel Bad Access Level config (26.08.2014)
 documentcseye_ut_(at)_yahoo.com, DNN(DotNetNuke®) Ribbon Bar Control Panel Bad Access Level config (26.08.2014)
 documentcseye_ut_(at)_yahoo.com, MEHR Automation System Arbitrary File Download Vulnerability(persian portal) (26.08.2014)

DoS против Python Imaging Library
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13931
Тип:библиотека
Уровень опасности:
5/10
Описание:Отказ при декодировании icns.
Затронутые продукты:PYTHON : python-imaging 2.5
CVE:CVE-2014-3589 (PIL/IcnsImagePlugin.py in Python Imaging Library (PIL) and Pillow before 2.3.2 and 2.5.x before 2.5.2 allows remote attackers to cause a denial of service via a crafted block size.)
Оригинальный текстdocumentDEBIAN, [SECURITY] [DSA 3009-1] python-imaging security update (26.08.2014)

Многочисленные уязвимости безопасности в oxide-qt
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13932
Тип:библиотека
Уровень опасности:
5/10
Описание:Утечка информации, повреждения памяти.
CVE:CVE-2014-3167 (Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.143 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.)
 CVE-2014-3166 (The Public Key Pinning (PKP) implementation in Google Chrome before 36.0.1985.143 on Windows, OS X, and Linux, and before 36.0.1985.135 on Android, does not correctly consider the properties of SPDY connections, which allows remote attackers to obtain sensitive information by leveraging the use of multiple domain names.)
 CVE-2014-3165 (Use-after-free vulnerability in modules/websockets/WorkerThreadableWebSocketChannel.cpp in the Web Sockets implementation in Blink, as used in Google Chrome before 36.0.1985.143, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an unexpectedly long lifetime of a temporary object during method completion.)
Оригинальный текстdocumentUBUNTU, [USN-2320-1] Oxide vulnerabilities (26.08.2014)

Повышение привилегий в приложениях ESET
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13933
Тип:локальная
Уровень опасности:
5/10
Описание:Повышение привилегий через драйвер EpFwNdis.sys
CVE:CVE-2014-4973 (The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.)
Оригинальный текстdocumentadvisories_(at)_portcullis-security.com, CVE-2014-4973 - Privilege Escalation in ESET Windows Products (26.08.2014)

Повышение привилегий в Panda Security
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13934
Тип:локальная
Уровень опасности:
5/10
Описание:Повышение привилегий через драйвер PavTPK.sys.
CVE:CVE-2014-5307 (Heap-based buffer overflow in the PavTPK.sys kernel mode driver of Panda Security 2014 products before hft131306s24_r1 allows local users to gain privileges via a crafted argument to a 0x222008 IOCTL call.)
Оригинальный текстdocumentadvisories_(at)_portcullis-security.com, CVE-2014-5307 - Privilege Escalation in Panda Security Products (26.08.2014)

Многочисленные уязвимости безопасности в EMC RSA Archer
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13935
Тип:удаленная
Уровень опасности:
5/10
Описание:Повышение привилегий, несанкционированный доступ, CSRF.
Затронутые продукты:EMC : RSA Archer 5.5
CVE:CVE-2014-2517 (Unspecified vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to gain privileges via unknown vectors.)
 CVE-2014-2505 (EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.)
 CVE-2014-0641 (Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.)
 CVE-2014-0640 (EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.)
Оригинальный текстdocumentEMC, ESA-2014-071: RSA Archer® GRC Platform Multiple Vulnerabilities (26.08.2014)

Переполнение буфера в Kolibri WebServer
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13936
Тип:удаленная
Уровень опасности:
5/10
Описание:Переполнение буфера через POST-запрос.
Затронутые продукты:SENKAS : Kolibri WebServer 2.0
Оригинальный текстdocumenttekwizz123_(at)_riseup.net, CVE-2014-5289 - Kolibri WebServer 2.0 Vulnerable to RCE via Overly Long POST Request (26.08.2014)

Подмена имени сертификата в serf
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13937
Тип:библиотека
Уровень опасности:
5/10
Описание:Подмена имени через NUL-байт.
Затронутые продукты:SERF : serf 0.2
CVE:CVE-2014-3504 (The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.)
Оригинальный текстdocumentUBUNTU, [USN-2315-1] serf vulnerability (26.08.2014)

Многочисленные уязвимости безопасности в Apache Subversion
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13938
Тип:удаленная
Уровень опасности:
6/10
Описание:DoS, утечка информации, проблемы с валидацией сертификата.
Затронутые продукты:APACHE : Subversion 1.8
CVE:CVE-2014-3528 (Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm.)
 CVE-2014-3522 (The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.)
 CVE-2014-0032 (The get_resource function in repos.c in the mod_dav_svn module in Apache Subversion before 1.7.15 and 1.8.x before 1.8.6, when SVNListParentPath is enabled, allows remote attackers to cause a denial of service (crash) via vectors related to the server root and request methods other than GET, as demonstrated by the "svn ls http://svn.example.com" command.)
Оригинальный текстdocumentUBUNTU, [USN-2316-1] Subversion vulnerabilities (26.08.2014)

Переполнение буфера в MIT krb5 kadmind
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13939
Тип:удаленная
Уровень опасности:
6/10
Описание:Переполнение буфера через LDAP.
Затронутые продукты:MIT : krb5 1.12
CVE:CVE-2014-4345 (Off-by-one error in the krb5_encode_krbsecretkey function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) 1.6.x through 1.11.x before 1.11.6 and 1.12.x before 1.12.2 allows remote authenticated users to cause a denial of service (buffer overflow) or possibly execute arbitrary code via a series of "cpw -keepold" commands.)
Оригинальный текстdocumentMIT, MITKRB5-SA-2014-001 Buffer overrun in kadmind with LDAP backend (26.08.2014)

Обход аутентификации в BlackBerry Z10
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13940
Тип:удаленная
Уровень опасности:
5/10
Описание:Несанкционированный доступ через SMB.
Затронутые продукты:BLACKBERRY : Blackberry Z10
CVE:CVE-2014-2388 (The Storage and Access service in BlackBerry OS 10.x before 10.2.1.1925 on Q5, Q10, Z10, and Z30 devices does not enforce the password requirement for SMB filesystem access, which allows context-dependent attackers to read arbitrary files via (1) a session over a Wi-Fi network or (2) a session over a USB connection in Development Mode.)
Оригинальный текстdocumentmodzero security, BlackBerry Z 10 - Storage and Access File-Exchange Authentication By-Pass [MZ-13-04] (26.08.2014)

Утечка информации в pyCADF
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13941
Тип:удаленная
Уровень опасности:
5/10
Описание:Утечка токенов авторизации.
CVE:CVE-2014-4615 (The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).)
Оригинальный текстdocumentUBUNTU, [USN-2311-1] pyCADF vulnerability (26.08.2014)

Межсайтовый скриптинг в IBM Maximo
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13942
Тип:удаленная
Уровень опасности:
5/10
Описание:Несколько различных уязвимостей.
Затронутые продукты:IBM : Maximo Asset Management 7.5
CVE:CVE-2014-0915 (Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via (1) the KPI display name field or (2) a portlet field.)
 CVE-2014-0914 (Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management for IT and Maximo Service Desk allows remote authenticated users to inject arbitrary web script or HTML via the Query Description Field.)
Оригинальный текстdocumentJamie Riden, IBM Maximo: Cross-site Scripting Vulnerability Addressed in Asset and Service Management (CVE-2014-0914 and -0915) (26.08.2014)

XSS в ntopng
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13943
Тип:удаленная
Уровень опасности:
5/10
Описание:XSS в веб-интерфейсе.
Затронутые продукты:NTOPNG : ntopng 1.2
Оригинальный текстdocumentmail_(at)_steffenbauch.de, ntopng 1.2.0 XSS injection using monitored network traffic (26.08.2014)

Многочисленные уязвимости безопасности в Zyxel P660RT2
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13944
Тип:удаленная
Уровень опасности:
4/10
Описание:Межсайтовый скриптинг, CSRF, подбор пароля.
Затронутые продукты:ZYXEL : Zyxel P660RT2
Оригинальный текстdocumentMustLive, XSS and CSRF vulnerabilities in Zyxel P660RT2 EE (26.08.2014)
 documentMustLive, BF and XSS vulnerabilities in Zyxel P660RT2 EE (26.08.2014)

Проблема XXE в HP Release Control
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13945
Тип:удаленная
Уровень опасности:
6/10
Описание:Несколько возможностей serverside injection.
Затронутые продукты:HP : HP Release Control 9.20
Оригинальный текстdocumentMustLive, XXE Injection in HP Release Control (26.08.2014)

Недостаточное шифрование в Grand MA 300 Fingerprint Reader
Опубликовано:26 августа 2014 г.
Источник:
SecurityVulns ID:13946
Тип:m-i-t-m
Уровень опасности:
5/10
Описание:Пин-код не шифруется при передаче.
Затронутые продукты:GRANDMA : Grand MA 300
CVE:CVE-2014-5381
 CVE-2014-5380
Оригинальный текстdocumentLSE Leading Security Experts GmbH (Security Advisories), LSE Leading Security Experts GmbH - LSE-2014-07-13 - Granding Grand MA 300 - Weak Pin Verification (26.08.2014)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород