Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 03.02.2014
SecurityVulns ID: 13548
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: JOOMLA : JomSocial 3.1
 JOOMLA : JV Comment 3.0
 JOOMLA : Komento 1.7
 EVENTUM : Eventum 2.3
 JAMON : JAMon 2.7
 DRUPAL : EventCalendar 7.14
 MEDIATRIX : Mediatrix 4402
 DRUPAL : Drupal 7.25
 OPENPNE : OpenPNE 3.8
 WORDPRESS : Contact Form 7 3.5
CVE: CVE-2014-1632
 CVE-2014-1631
 CVE-2014-1612 (Cross-site scripting (XSS) vulnerability in login.esp in the Web Management Interface in Media5 Mediatrix 4402 VoIP Gateway with firmware Dgw 1.1.13.186 and earlier allows remote attackers to inject arbitrary web script or HTML via the username parameter.)
 CVE-2014-1607 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future.)
 CVE-2014-1476 (The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.)
 CVE-2014-1475 (The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.)
 CVE-2014-0794 (SQL injection vulnerability in the JV Comment (com_jvcomment) component before 3.0.3 for Joomla! allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a comment.like action to index.php.)
 CVE-2014-0793 (Multiple cross-site scripting (XSS) vulnerabilities in the StackIdeas Komento (com_komento) component before 1.7.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) website or (2) latitude parameter in a comment to the default URI.)
 CVE-2013-6235 (Multiple cross-site scripting (XSS) vulnerabilities in JAMon (Java Application Monitor) 2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) listenertype or (2) currentlistener parameter to mondetail.jsp or ArraySQL parameter to (3) mondetail.jsp, (4) jamonadmin.jsp, (5) sql.jsp, or (6) exceptions.jsp.)
 CVE-2013-5350 (The "Remember me" feature in the opSecurityUser::getRememberLoginCookie function in lib/user/opSecurityUser.class.php in OpenPNE 3.6.13 before 3.6.13.1 and 3.8.9 before 3.8.9.1 does not properly validate login data in HTTP Cookie headers, which allows remote attackers to conduct PHP object injection attacks, and execute arbitrary PHP code, via a crafted serialized object.)
Original document: MustLive, Code Execution vulnerability in Contact Form 7 for WordPress (03.02.2014)
 MustLive, Vulnerabilities in Contact Form 7 for WordPress (03.02.2014)
 SECUNIA, Secunia Research: OpenPNE PHP Object Injection Vulnerability (03.02.2014)
 DEBIAN, [SECURITY] [DSA 2847-1] drupal7 security update (03.02.2014)
 tudor.enache_(at)_helpag.com, Reflected cross-site scripting (XSS) vulnerability in Mediatrix Web Management Interface login page (03.02.2014)
 ali.hussein_(at)_helpag.com, [CVE-2014-1607.] Cross Site Scripting(XSS) in Drupal Event calendar module (03.02.2014)
 Christian Catalano, [CVE-2013-6235] - Multiple Reflected XSS vulnerabilities in JAMon v2.7 (03.02.2014)
 High-Tech Bridge Security Research, Multiple Vulnerabilities in Eventum (03.02.2014)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Komento Joomla Extension (03.02.2014)
 High-Tech Bridge Security Research, SQL Injection in JV Comment Joomla Extension (03.02.2014)
 Mark Litchfield, Ektron CMS Take Over - Hijacking Accounts (03.02.2014)
 Mark Litchfield, Vulnerabilities within Mura CMS / Sitecore MCS / SmarterMail (03.02.2014)
 Mark Litchfield, SiteCore XML Control Script Insertion (03.02.2014)
 matias.fontanini_(at)_gmail.com, Joomla! JomSocial component < 3.1.0.1 - Remote code execution (03.02.2014)

perl-Proc-Daemon weak permissions
Published: 03.02.2014
SecurityVulns ID: 13549
Type: local
Threat Level: 4/10
Description: Weak pid file permissions.
Affected: PERL : Proc::Daemon 0.14
CVE: CVE-2013-7135 (The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.)
Original document: MANDRIVA, [ MDVSA-2014:021 ] perl-Proc-Daemon (03.02.2014)

Apache Cordova/PhoneGap multiple security vulnerabilities
Published: 03.02.2014
SecurityVulns ID: 13550
Type: client
Threat Level: 5/10
Description: Protection bypass, information leakage.
Affected: PHONEGAP : PhoneGap 2.9
Original document: mgeorgiev_(at)_utexas.edu, Security Vulnerabilities in Apache Cordova / PhoneGap (03.02.2014)

SimplyShare multiple security vulnerabilities
Published: 03.02.2014
SecurityVulns ID: 13551
Type: remote
Threat Level: 5/10
Description: Multiple built-in web server vulnerabilities.
Affected: SIMPLYSHARE : SimplyShare 1.4
Original document: Vulnerability Lab, SimplyShare v1.4 iOS - Multiple Web Vulnerabilities (03.02.2014)

Ammyy Admin hidden options
Published: 03.02.2014
SecurityVulns ID: 13552
Type: remote
Threat Level: 3/10
Description: A few hidden options allow the application to be used as a backdoor.
Affected: AMMY : Ammyy Admin 3.2
CVE: CVE-2013-5582
 CVE-2013-5581
Original document: bhadresh.k.patel_(at)_cyberoam.com, Ammyy Admin - Hidden hard-coded option and Access Control vulnerability. (03.02.2014)

Citrix GoToMeeting information leakage
Published: 03.02.2014
SecurityVulns ID: 13553
Type: local
Threat Level: 4/10
Description: Information leakage via logs.
Affected: CITRIX : GoToMeeting 5.0
CVE: CVE-2014-1664 (The Citrix GoToMeeting application 5.0.799.1238 for Android logs HTTP requests containing sensitive information, which allows attackers to obtain user IDs, meeting details, and authentication tokens via an application that reads the system log file.)
Original document: cjlacayo_(at)_gmail.com, [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android) (03.02.2014)

T-Mobile HOME NET routers multiple security vulnerabilities
Published: 03.02.2014
SecurityVulns ID: 13554
Type: remote
Threat Level: 6/10
Description: Privilege escalation, code execution, directory traversal, CSRF.
Original document: SEC Consult Vulnerability Lab, SEC Consult SA-20140122-0 :: Critical vulnerabilities in T-Mobile HOME NET Router LTE (Huawei B593u-12) (03.02.2014)

Cisco TelePresence devices multiple security vulnerabilities
Published: 03.02.2014
SecurityVulns ID: 13555
Type: remote
Threat Level: 7/10
Description: DoS, code execution.
Affected: CISCO : TelePresence Video Communication Server 8.0
CVE: CVE-2014-0662 (The SIP module in Cisco TelePresence Video Communication Server (VCS) before 8.1 allows remote attackers to cause a denial of service (process failure) via a crafted SDP message, aka Bug ID CSCue97632.)
 CVE-2014-0661 (The System Status Collection Daemon (SSCD) in Cisco TelePresence System 500-37, 1000, 1300-65, and 3xxx before 1.10.2(42), and 500-32, 1300-47, TX1310 65, and TX9xxx before 6.0.4(11), allows remote attackers to execute arbitrary commands or cause a denial of service (stack memory corruption) via a crafted XML-RPC message, aka Bug ID CSCui32796.)
 CVE-2014-0660 (Cisco TelePresence ISDN Gateway with software before 2.2(1.92) allows remote attackers to cause a denial of service (D-channel call outage) via a crafted Q.931 STATUS message, aka Bug ID CSCui50360.)
Files: Cisco TelePresence ISDN Gateway D-Channel Denial of Service Vulnerability
 Cisco TelePresence Video Communication Server SIP Denial of Service Vulnerability
 Cisco TelePresence System Software Command Execution Vulnerability

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod