Computer Security


HP Business Availability Center security vulnerabilities
Published: 07.09.2012
SecurityVulns ID: 12578
Type: remote
Threat Level: 5/10
Description: Cross-site scripting (XSS), cross-site request forgery (CSRF) and web session hijacking. The XSS and CSRF issues are reachable by unauthenticated remote attackers; the session-hijacking issue (CVE-2012-3257) requires an authenticated user.
Affected:HP : Business Availability Center 8.07
CVE:CVE-2012-3257 (HP Business Availability Center (BAC) 8.07 allows remote authenticated users to hijack web sessions via unspecified vectors.)
 CVE-2012-3256 (Cross-site request forgery (CSRF) vulnerability in HP Business Availability Center (BAC) 8.07 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.)
 CVE-2012-3255 (Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 8.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original document: HP, [security bulletin] HPSBMU02811 SSRT100937 rev.1 - HP Business Availability Center (BAC) Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and Web Session Hijacking (07.09.2012)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 07.09.2012
SecurityVulns ID: 12579
Type: remote
Threat Level: 5/10
Description: PHP file inclusions, SQL injections, directory traversals, cross-site scripting, cross-site request forgery, information leaks, etc.
Affected:ZABBIX : Zabbix 1.8
 APACHE : Wicket 1.4
 TESTLINK : TestLink 1.9
 APACHE : Wicket 1.5
 FLOGR : Flogr 2.5
 MOIN : Moin 1.9
 KAYAKO : Kayako Fusion 4.40
 EKTRON : Ektron CMS 8.5
 EFRONT : eFront Enterprise 3.6
 ESJOBSEARCH : ES Job Search Engine 3.0
 EFRONT : eFront Educational 3.6
 ADMIDIO : Admidio 2.3
CVE:CVE-2012-4404 (security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group.)
 CVE-2012-4336 (Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) an arbitrary parameter.)
 CVE-2012-3435 (SQL injection vulnerability in frontends/php/popup_bitem.php in Zabbix 1.8.15rc1 and earlier, and 2.x before 2.0.2rc1, allows remote attackers to execute arbitrary SQL commands via the itemid parameter.)
 CVE-2012-3373 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.21 and 1.5.x before 1.5.8 allows remote attackers to inject arbitrary web script or HTML via vectors involving a %00 sequence in an Ajax link URL associated with a Wicket app.)
 CVE-2012-3233 (Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php in Kayako Fusion 4.40.1148, and possibly before 4.50.1581, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.)
 CVE-2012-2275 (Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php.)
Original document: sschurtz_(at)_darksecurity.de, Admidio 2.3.5 Multiple security vulnerabilities (07.09.2012)
 Joseph Sheridan, Group-Office Calendar SQL Injection (07.09.2012)
 Vulnerability Lab, eFront Educational v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 Vulnerability Lab, ES Job Search Engine v3.0 - SQL injection vulnerability (07.09.2012)
 Vulnerability Lab, eFront Enterprise v3.6.11 - Multiple Web Vulnerabilities (07.09.2012)
 lists_(at)_senseofsecurity.com, Ektron CMS - Multiple Vulnerabilities - Security Advisory - SOS-12-009 (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) Vulnerabilities in Flogr (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Scripting (XSS) in Kayako Fusion (07.09.2012)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in TestLink (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2538-1] moin security update (07.09.2012)
 DEBIAN, [SECURITY] [DSA 2539-1] zabbix security update (07.09.2012)
 cmenzel_(at)_wicketbuch.de, [CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter (07.09.2012)
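As an added worked example (not code from TestLink, from the High-Tech Bridge advisory, or from this digest), the following Python sketch shows the request shape behind the TestLink editUser CSRF (CVE-2012-2275) and the synchronizer-token check that closes it. The handler names, the in-memory user table and session store, the site origin and the e-mail addresses are assumptions made for the example; the real endpoint named in the CVE is lib/usermanagement/userInfo.php.

```python
"""Constructed example: the CSRF shape described for CVE-2012-2275 (TestLink
editUser) next to a synchronizer-token defence. Not TestLink's own code."""
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory stand-ins for the application's user table and its
# server-side session store (assumptions made for this example).
USERS = {"admin": {"email": "admin@example.invalid"}}
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
SITE_ORIGIN = "https://testlink.example.invalid"  # assumed origin of the app


def login(username):
    """Create a session for an already-authenticated user and return the
    cookie value. A fresh, unguessable CSRF token is minted per session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for(sid):
    """Token the application embeds as a hidden field in its own forms."""
    return SESSIONS[sid]["csrf"]


def edit_user_vulnerable(cookie_sid, body):
    """Vulnerable shape: the only credential checked is the session cookie,
    which the browser attaches to a cross-site POST automatically, so any
    page the victim visits can change the victim's e-mail address."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    params = parse_qs(body)
    USERS[sess["user"]]["email"] = params["email"][0]
    return 200


def edit_user_hardened(cookie_sid, body, origin=None):
    """Hardened shape: the request must also carry the session's CSRF token,
    which a cross-origin page cannot read. The Origin header, when the
    browser sends one, is checked as defence in depth."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None:
        return 401
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    params = parse_qs(body)
    token = params.get("csrf_token", [""])[0]
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    USERS[sess["user"]]["email"] = params["email"][0]
    return 200


def run_scenario():
    """Replay a forged editUser POST against both handlers, then a legitimate
    form submission against the hardened one; return (status, email) triples."""
    sid = login("admin")
    # What an attacker's page makes the victim's browser send: the cookie rides
    # along, but there is no token because the attacker cannot read the form.
    forged = "email=attacker%40evil.invalid"

    vuln = (edit_user_vulnerable(sid, forged), USERS["admin"]["email"])
    USERS["admin"]["email"] = "admin@example.invalid"  # reset for the next run

    # Old browsers send no Origin header: the token check alone must catch it.
    forged_no_origin = (edit_user_hardened(sid, forged), USERS["admin"]["email"])
    # Modern browsers do send one, so the origin check rejects it even earlier.
    forged_with_origin = (edit_user_hardened(sid, forged, origin="https://evil.invalid"),
                          USERS["admin"]["email"])

    legit = "email=new%40example.invalid&csrf_token=" + csrf_token_for(sid)
    legit_result = (edit_user_hardened(sid, legit, origin=SITE_ORIGIN),
                    USERS["admin"]["email"])
    return {
        "vulnerable": vuln,
        "hardened_forged_no_origin": forged_no_origin,
        "hardened_forged_with_origin": forged_with_origin,
        "hardened_legit": legit_result,
    }


if __name__ == "__main__":
    for name, (status, email) in run_scenario().items():
        print(f"{name}: status={status} email={email}")
```

Running it shows the forged POST succeeding against the vulnerable handler and being rejected by the hardened one, while the application's own form, which carries the token, still goes through. The Origin check is kept as defence in depth only: it is absent on older browsers and on some request types, so the per-session token is the check that must hold.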

QNAP Turbo NAS privilege escalation
Published: 07.09.2012
SecurityVulns ID: 12580
Type: remote
Threat Level: 4/10
Description: Multiple path injections: file operations accept an attacker-supplied absolute path, so files outside the intended directory can be manipulated.
Affected:QNAP : Turbo NAS
Original document: Andrea Fabrizi, QNAP Turbo NAS Multiple Path Injection (07.09.2012)

VMWare Tools privilege escalation
Published: 07.09.2012
SecurityVulns ID: 12581
Type: local
Threat Level: 4/10
Description: Untrusted search path (DLL hijacking, also called binary planting): VMware Tools loads tpfc.dll from the current working directory, so a local user who can place a Trojan horse tpfc.dll there gets code execution with elevated privileges.
Affected:VMWARE : ESX 4.1
 VMWARE : VMWare Fusion 4.1
 VMWARE : VMWare Player 4.0
 VMWARE : VMWare Workstation 8.0
 VMWARE : VMware View 5.1
 VMWARE : ESX 5.0
CVE:CVE-2012-1666 (Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMware Fusion before 4.1.2, VMware View before 5.1, and VMware ESX 4.1 before U3 and 5.0 before P03 allows local users to gain privileges via a Trojan horse tpfc.dll file in the current working directory.)
Original document: moshez_(at)_comsecglobal.com, VMWare Tools susceptible to binary planting by hijack (07.09.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod