Computer Security
[EN] securityvulns.ru no-pyccku


PhonerLite information leak
Published:01.04.2014
Source:
SecurityVulns ID:13656
Type:remote
Threat Level:
5/10
Description:Password digest information leak.
Affected:PHONERLITE : PhonerLite 2.14
CVE:CVE-2014-2560
Original documentdocumentJason Ostrom, PhonerLite 2.14 SIP Soft Phone - SIP Digest Leak Information Disclosure (CVE-2014-2560) (01.04.2014)

curl multiple security vulnerabilities
Published:01.04.2014
Source:
SecurityVulns ID:13657
Type:client
Threat Level:
5/10
Description:Information leaks, certificate checks bypass.
Affected:CURL : cURL 7.36
CVE:CVE-2014-2522 (curl and libcurl 7.27.0 through 7.35.0, when runnning on Windows and using the SChannel/Winssl TLS backend, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.)
 CVE-2014-1263 (curl and libcurl 7.27.0 through 7.35.0, when using the SecureTransport/Darwinssl backend, as used in in Apple OS X 10.9.x before 10.9.2, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when accessing a URL that uses a numerical IP address, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.)
 CVE-2014-0139 (cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.)
 CVE-2014-0138 (The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.)
Original documentdocumentSLACKWARE, [slackware-security] curl (SSA:2014-086-01) (01.04.2014)

SFR ADSL/Fiber Box multiple security vulnerabilities
Published:01.04.2014
Source:
SecurityVulns ID:13658
Type:remote
Threat Level:
4/10
Description:Crossite scripting.
Affected:SFR : SFR BOX
CVE:CVE-2014-1599 (Multiple cross-site scripting (XSS) vulnerabilities in the SFR Box router with firmware NB6-MAIN-R3.3.4 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) dns, (2) dhcp, (3) nat, (4) route, or (5) lan in network/; or (6) wifi/config.)
Original documentdocumentalejandr0.w3b.p0wn3r, CVE-2014-1599 - 39 Type-1 XSS in SFR DSL/Fiber Box (01.04.2014)

EMC RSA Data Loss Prevention privilege escalation
Published:01.04.2014
Source:
SecurityVulns ID:13659
Type:local
Threat Level:
4/10
Description:Session management vulnerability.
CVE:CVE-2014-0624 (EMC RSA Data Loss Prevention (DLP) 9.x before 9.6-SP2 does not properly manage sessions, which allows remote authenticated users to gain privileges and bypass intended content-reading restrictions via unspecified vectors.)
Original documentdocumentEMC, ESA-2014-003: RSA® Data Loss Prevention Improper Session Management Vulnerability (01.04.2014)

Barracuda Message Archiver crossite scripting
Published:01.04.2014
Source:
SecurityVulns ID:13660
Type:remote
Threat Level:
5/10
Description:Web interface crossite scripting.
Affected:BARRACUDA : Barracuda Message Archiver 650
Original documentdocumentVulnerability Lab, Barracuda Message Archiver 650 - Persistent Web Vulnerability (01.04.2014)

CA 2E Web Option session spooging
Published:01.04.2014
Source:
SecurityVulns ID:13661
Type:remote
Threat Level:
5/10
Description:Pridictable session token.
Affected:CA : 2E Web Option 8.6
CVE:CVE-2014-1219 (CA 2E Web Option r8.1.2 accepts a predictable substring of a W2E_SSNID session token in place of the entire token, which allows remote attackers to hijack sessions by changing characters at the end of this substring, as demonstrated by terminating a session via a modified SSNID parameter to web2edoc/close.htm.)
Original documentdocumentCA, CA20140218-01: Security Notice for CA 2E Web Option (01.04.2014)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod