Computer Security


Microsoft Internet Explorer multiple security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13333
Type: client
Threat Level: 8/10
Description: Multiple memory corruption vulnerabilities.
Affected:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2012 Server
CVE:CVE-2013-3897 (Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2013-3893 (Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.)
 CVE-2013-3886 (Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2013-3885 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3872, CVE-2013-3873, and CVE-2013-3882.)
 CVE-2013-3882 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3872, CVE-2013-3873, and CVE-2013-3885.)
 CVE-2013-3875 (Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2013-3874 (Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2013-3873 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3872, CVE-2013-3882, and CVE-2013-3885.)
 CVE-2013-3872 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3873, CVE-2013-3882, and CVE-2013-3885.)
 CVE-2013-3871 (Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
Files:Microsoft Security Bulletin MS13-080 - Critical Cumulative Security Update for Internet Explorer (2879017)

Microsoft Windows multiple security vulnerabilities
updated since 09.10.2013
Published: 09.10.2013
SecurityVulns ID: 13334
Type: library
Threat Level: 8/10
Description: .NET code execution, comctl32.dll integer overflow.
Affected:MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2012 Server
CVE:CVE-2013-3868 (Microsoft Active Directory Lightweight Directory Service (AD LDS) on Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, and Windows 8 and Active Directory Services on Windows Server 2008 SP2 and R2 SP1 and Server 2012 allow remote attackers to cause a denial of service (LDAP directory-service outage) via a crafted LDAP query, aka "Remote Anonymous DoS Vulnerability.")
 CVE-2013-3861 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 allows remote attackers to cause a denial of service (application crash or hang) via crafted character sequences in JSON data, aka "JSON Parsing Vulnerability.")
 CVE-2013-3860 (Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability.")
 CVE-2013-3195 (The DSA_InsertItem function in Comctl32.dll in the Windows common control library in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly allocate memory, which allows remote attackers to execute arbitrary code via a crafted value in an argument to an ASP.NET web application, aka "Comctl32 Integer Overflow Vulnerability.")
 CVE-2013-3128 (The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT, and .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5, allow remote attackers to execute arbitrary code via a crafted OpenType font (OTF) file, aka "OpenType Font Parsing Vulnerability.")
Files:Microsoft Security Bulletin MS13-079 - Important Vulnerability in Active Directory Could Allow Denial of Service (2853587)
 Microsoft Security Bulletin MS13-082 - Critical Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
 Microsoft Security Bulletin MS13-083 - Critical Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)

Microsoft Sharepoint security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13335
Type: remote
Threat Level: 7/10
Description: Memory corruption when parsing Excel files, cross-site scripting.
Affected:MICROSOFT : SharePoint Server 2007
 MICROSOFT : SharePoint Server 2010
 MICROSOFT : Office Web Apps 2010
CVE:CVE-2013-3895 (Microsoft SharePoint Server 2007 SP3 and 2010 SP1 and SP2 allows remote attackers to conduct clickjacking attacks via a crafted web page, aka "Parameter Injection Vulnerability.")
 CVE-2013-3889 (Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office for Mac 2011; Excel Viewer; Office Compatibility Pack SP3; and Excel Services and Word Automation Services in SharePoint Server 2013 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Excel Memory Corruption Vulnerability.")
Files:Microsoft Security Bulletin MS13-084 - Important Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)

Microsoft Office multiple security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13336
Type: client
Threat Level: 7/10
Description: Memory corruption when parsing Word and Excel documents.
Affected:MICROSOFT : Office 2003
 MICROSOFT : Office 2007
 MICROSOFT : Office 2010
 MICROSOFT : Office for Mac 2011
 MICROSOFT : Office 2013
CVE:CVE-2013-3892 (Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Memory Corruption Vulnerability.")
 CVE-2013-3891 (Microsoft Word 2003 SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Memory Corruption Vulnerability.")
 CVE-2013-3890 (Microsoft Excel 2007 SP3, Excel Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Excel Memory Corruption Vulnerability.")
 CVE-2013-3889 (Microsoft Excel 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Office for Mac 2011; Excel Viewer; Office Compatibility Pack SP3; and Excel Services and Word Automation Services in SharePoint Server 2013 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Excel Memory Corruption Vulnerability.")
Files:Microsoft Security Bulletin MS13-085 - Important Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
 Microsoft Security Bulletin MS13-086 - Important Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)

Apple Motion integer overflow
Published: 09.10.2013
SecurityVulns ID: 13338
Type: local
Threat Level: 3/10
Description: Integer overflow when parsing .motn files.
Affected:APPLE : Motion 5.0
Original document: pereira_(at)_secbiz.de, Apple Motion Integer Overflow Vulnerability (09.10.2013)

HP Intelligent Management Center multiple security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13339
Type: remote
Threat Level: 6/10
Description: Code execution, authentication bypass, SQL injection, unauthorized access.
CVE:CVE-2013-4827 (SQL injection vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka ZDI-CAN-1664.)
 CVE-2013-4826 (Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-1647.)
 CVE-2013-4825 (Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to bypass intended access restrictions via unknown vectors, aka ZDI-CAN-1645.)
 CVE-2013-4824 (Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Service Operation Management Software Module allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-1644.)
 CVE-2013-4823 (Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Branch Intelligent Management System Software Module (aka BIMS) allows remote attackers to obtain sensitive information via unknown vectors, aka ZDI-CAN-1607.)
 CVE-2013-4822 (Unspecified vulnerability in HP Intelligent Management Center (iMC) and HP IMC Branch Intelligent Management System Software Module (aka BIMS) allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1606.)
Original document: HP, [security bulletin] HPSBGN02930 rev.1 - HP Intelligent Management Center(iMC) and HP IMC Service Operation Management Software Module, Remote Authentication Bypass, Disclosure of Information, Unauthorized Access, SQL Injection (09.10.2013)
 HP, [security bulletin] HPSBGN02929 rev.1 - HP Intelligent Management Center (iMC), HP IMC Branch Intelligent Management System Software Module (BIMS), and Comware Based Switches and Routers, Remote Code Execution, Disclosure of Informati (09.10.2013)

Apache OpenJPA code execution
Published: 09.10.2013
SecurityVulns ID: 13340
Type: library
Threat Level: 5/10
Description: User-controlled data is stored in a local executable file.
Affected:APACHE : OpenJPA 1.2
 APACHE : OpenJPA 2.2
CVE:CVE-2013-1768 (The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.)
Original document: MANDRIVA, [ MDVSA-2013:246 ] openjpa (09.10.2013)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 09.10.2013
SecurityVulns ID: 13341
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:VANILLAFORUMS : Vanilla Forums 2.0
 ZABBIX : Zabbix 2.0
CVE:CVE-2013-5743
 CVE-2013-3528 (Unspecified vulnerability in the update check in Vanilla Forums before 2.0.18.8 has unspecified impact and remote attack vectors, related to "object injection.")
Original document: advisories_(at)_enkomio.com, [SOJOBO-ADV-13-01] - Zenphoto 1.4.5.2 multiple vulnerabilities (09.10.2013)
 SEC Consult Vulnerability Lab, SEC Consult SA-20131004-0 :: SQL injection vulnerability in Zabbix (09.10.2013)
 Egidio Romano, [KIS-2013-09] Vanilla Forums <= 2.0.18.5 (class.utilitycontroller.php) PHP Object Injection Vulnerability (09.10.2013)

Synology DiskStation Manager multiple security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13342
Type: remote
Threat Level: 5/10
Description: Multiple web interface vulnerabilities.
Affected:SYNOLOGY : Synology DSM 4.3
Original document: Andrea Fabrizi, Synology DSM multiple vulnerabilities (09.10.2013)

VMWare ESX / ESXi NFC DoS
Published: 09.10.2013
SecurityVulns ID: 13343
Type: remote
Threat Level: 5/10
Description: Unhandled exception in Network File Copy protocol handling.
Affected:VMWARE : ESX 4.1
 VMWARE : ESXi 5.1
CVE:CVE-2013-1661 (VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to cause a denial of service (unhandled exception and application crash) by modifying the client-server data stream.)
Original document: VMWARE, NEW VMSA-2013-0011 VMware ESXi and ESX address an NFC Protocol Unhandled Exception (09.10.2013)

Cyber-Ark Vault user enumeration
Published: 09.10.2013
SecurityVulns ID: 13344
Type: remote
Threat Level: 4/10
Description: Server answers differ for a wrong username and a wrong password.
Affected:CYBERARK : Cyber-Ark Vault 7.1
CVE:CVE-2012-6345
 CVE-2012-6344
Original document: moshez_(at)_comsecglobal.com, CyberArk User Enumeration - Multiple vulnerabilities (09.10.2013)

AVTech digital video recorders multiple security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13345
Type: remote
Threat Level: 5/10
Description: RTSP parsing buffer overflow, web interface buffer overflow, protection bypass.
Affected:AVTECH : AVTECH AVN801
CVE:CVE-2013-4982
 CVE-2013-4981 (Buffer overflow in cgi-bin/user/Config.cgi in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the Network.SMTP.Receivers parameter.)
 CVE-2013-4980 (Buffer overflow in the RTSP Packet Handler in AVTECH AVN801 DVR with firmware 1017-1003-1009-1003 and earlier, and possibly other devices, allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via a long string in the URI in an RTSP SETUP request.)
Original document: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2013-0726 - AVTECH DVR multiple vulnerabilities (09.10.2013)

EPS Viewer buffer overflow
Published: 09.10.2013
SecurityVulns ID: 13346
Type: local
Threat Level: 4/10
Description: Buffer overflow when parsing .EPS files.
Affected:EPSVIEWER : EPS viewer 3.2
CVE:CVE-2013-4979 (Buffer overflow in the gldll32.dll module in EPS Viewer 3.2 and earlier allows remote attackers to execute arbitrary code via a crafted EPS file.)
Original document: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2013-0808 - EPS Viewer Buffer Overflow Vulnerability (09.10.2013)

Aloaha PDF Suite buffer overflow
Published: 09.10.2013
SecurityVulns ID: 13347
Type: local
Threat Level: 4/10
Description: Buffer overflow when parsing PDF files.
Affected:ALOAHA : AloahaPDFViewer 5.0
CVE:CVE-2013-4978 (Stack-based buffer overflow in AloahaPDFViewer 5.0.0.7 and earlier in Aloaha PDF Suite FREE allows remote attackers to execute arbitrary code via a crafted PDF file.)
Original document: CORE SECURITY TECHNOLOGIES ADVISORIES, [CORE-2013-0805] Aloaha PDF Suite Buffer Overflow Vulnerability (09.10.2013)

Cisco Secure Access Control Server authentication bypass
Published: 09.10.2013
SecurityVulns ID: 13348
Type: remote
Threat Level: 5/10
Description: Authentication bypass when the EAP-FAST protocol is used.
Affected:CISCO : Secure Access Control Server 4.2
CVE:CVE-2013-3466 (The EAP-FAST authentication module in Cisco Secure Access Control Server (ACS) 4.x before 4.2.1.15.11, when a RADIUS server configuration is enabled, does not properly parse user identities, which allows remote attackers to execute arbitrary commands via crafted EAP-FAST packets, aka Bug ID CSCui57636.)
Files:Cisco Secure Access Control Server Remote Command Execution Vulnerability

IBM Lotus iNotes XSS
Published: 09.10.2013
SecurityVulns ID: 13350
Type: remote
Threat Level: 5/10
Description: Several cross-site scripting vulnerabilities.
Affected:IBM : Lotus Domino 8.5
CVE:CVE-2013-0595 (Multiple cross-site scripting (XSS) vulnerabilities in iNotes 8.5.x in IBM Lotus Domino 8.5 before 8.5.3 FP5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPR PTHN95XNR3.)
 CVE-2013-0591 (Cross-site scripting (XSS) vulnerability in iNotes 8.5.x in IBM Lotus Domino 8.5 before 8.5.3 FP5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, aka SPR PTHN95XNR3, a different vulnerability than CVE-2013-0590.)
 CVE-2013-0590 (Cross-site scripting (XSS) vulnerability in iNotes 8.5.x in IBM Lotus Domino 8.5 before 8.5.3 FP5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, aka SPR PTHN95XNR3, a different vulnerability than CVE-2013-0591.)
Files:Security Bulletin: IBM iNotes vulnerabilities (CVE-2013-0590, CVE-2013-0591, CVE-2013-0595)

Asterisk security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13351
Type: remote
Threat Level: 5/10
Description: Several DoS conditions in SIP parsing.
Affected:ASTERISK : Asterisk 11.5
Original document: ASTERISK, AST-2013-005: Remote Crash when Invalid SDP is sent in SIP Request (09.10.2013)
 ASTERISK, AST-2013-004: Remote Crash From Late Arriving SIP ACK With SDP (09.10.2013)

HP StoreOnce DoS
Published: 09.10.2013
SecurityVulns ID: 13352
Type: remote
Threat Level: 5/10
CVE:CVE-2013-2353 (Unspecified vulnerability in HP StoreOnce D2D Backup System 1.x before 1.2.19 and 2.x before 2.3.0 allows remote attackers to cause a denial of service via unknown vectors.)
Original document: HP, [security bulletin] HPSBST02897 rev.1 - HP StoreOnce D2D Backup System, Remote Denial of Service (DoS) (09.10.2013)

xpdf / poppler ESC sequences injection
Published: 09.10.2013
SecurityVulns ID: 13353
Type: library
Threat Level: 4/10
Description: Terminal control ESC sequence injection.
Affected:POPPLER : poppler 0.20
 XPDF : xpdf 3.03
CVE:CVE-2012-2142
Original document: SLACKWARE, [slackware-security] poppler (SSA:2013-233-03) (09.10.2013)
 SLACKWARE, [slackware-security] xpdf (SSA:2013-233-02) (09.10.2013)

HP Service Manager unauthorized access
Published: 09.10.2013
SecurityVulns ID: 13354
Type: remote
Threat Level: 6/10
Affected:HP : HP Service Manager 9.31
CVE:CVE-2013-4808 (Unspecified vulnerability in HP Service Manager 7.11, 9.21, 9.30, and 9.31 and Service Center 6.2.8 allows remote attackers to obtain privileged access via unknown vectors.)
Original document: HP, [security bulletin] HPSBMU02915 rev.1 - HP Service Manager, Remote Unauthenticated Access and Elevation of Privilege (09.10.2013)

libimobiledevice symbolic links vulnerability
Published: 09.10.2013
SecurityVulns ID: 13355
Type: library
Threat Level: 5/10
Description: Symbolic link vulnerability in temporary file creation.
Affected:LIBMOBILEDEVICE : libimobiledevice 1.1
CVE:CVE-2013-2142 (userpref.c in libimobiledevice 1.1.4, when $HOME and $XDG_CONFIG_HOME are not set, allows local users to overwrite arbitrary files via a symlink attack on (1) HostCertificate.pem, (2) HostPrivateKey.pem, (3) libimobiledevicerc, (4) RootCertificate.pem, or (5) RootPrivateKey.pem in /tmp/root/.config/libimobiledevice/.)
Original document: UBUNTU, [USN-1927-1] libimobiledevice vulnerability (09.10.2013)

Netgear ProSafe switches security vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13356
Type: remote
Threat Level: 5/10
Description: Information leakage, DoS.
Affected:NETGEAR : Netgear GS724T
 NETGEAR : Netgear GS716T
 NETGEAR : Netgear GS748T
 NETGEAR : Netgear GS510TP
 NETGEAR : GS752TPS
 NETGEAR : GS728TPS
 NETGEAR : GS728TS
 NETGEAR : GS725TS
 NETGEAR : GS752TXS
 NETGEAR : GS728TXS
CVE:CVE-2013-4776 (NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier, GS748Tv4 5.4.1.14, and GS510TP 5.0.4.4 allows remote attackers to cause a denial of service (reboot or crash) via a crafted HTTP request to filesystem/.)
 CVE-2013-4775 (NETGEAR ProSafe GS724Tv3 and GS716Tv2 with firmware 5.4.1.13 and earlier; GS748Tv4 with firmware 5.4.1.14; GS510TP with firmware 5.4.0.6; GS752TPS, GS728TPS, GS728TS, and GS725TS with firmware 5.3.0.17; and GS752TXS and GS728TXS with firmware 6.1.0.12 allows remote attackers to read encrypted administrator credentials and other startup configurations via a direct request to filesystem/startup-config.)
Original document: post_(at)_encripto.no, Netgear ProSafe switches: Unauthenticated startup-config disclosure and Denial of Service (09.10.2013)

Samsung DVR security vulnerability
Published: 09.10.2013
SecurityVulns ID: 13357
Type: remote
Threat Level: 6/10
Description: Authentication bypass, information leakage.
Original document: Andrea Fabrizi, Samsung DVR authentication bypass (09.10.2013)

RSA Authentication Agent for PAM protection bypass
Published: 09.10.2013
SecurityVulns ID: 13358
Type: library
Threat Level: 5/10
Description: Login attempts are not limited.
Affected:EMC : RSA Authentication Agent for PAM 7.0
CVE:CVE-2013-3271 (EMC RSA Authentication Agent for PAM 7.0 before 7.0.2.1 enforces the maximum number of login attempts within the PAM-enabled application codebase, instead of within the Agent codebase, which makes it easier for remote attackers to discover correct login credentials via a brute-force attack.)
Original document: EMC, ESA-2013-047: RSA® Authentication Agent for PAM Unlimited Login Attempts Vulnerability (09.10.2013)

Evolution / libcamel messages encryption vulnerabilities
Published: 09.10.2013
SecurityVulns ID: 13359
Type: library
Threat Level: 5/10
Description: Under some conditions messages are encrypted with the wrong key.
Affected:LIBCAMEL : libcamel 1.2
CVE:CVE-2013-4166
Original document: UBUNTU, [USN-1922-1] Evolution Data Server vulnerability (09.10.2013)

Microsoft Silverlight information leakage
updated since 09.10.2013
Published: 05.11.2013
SecurityVulns ID: 13337
Type: library
Threat Level: 5/10
Description: Memory content leakage.
Affected:MICROSOFT : Silverlight 5
CVE:CVE-2013-3896 (Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application, aka "Silverlight Vulnerability.")
 CVE-2013-0074 (Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 does not properly validate pointers during HTML object rendering, which allows remote attackers to execute arbitrary code via a crafted Silverlight application, aka "Silverlight Double Dereference Vulnerability.")
Original document: bugtraq_(at)_packetstormsecurity.org, [PSA-2013-1022-1] Microsoft Silverlight Invalid Typecast / Memory Disclosure (05.11.2013)
Files:Microsoft Security Bulletin MS13-087 - Important Vulnerability in Silverlight Could Allow Information Disclosure (2890788)

Instagram application security vulnerabilities
updated since 09.10.2013
Published: 26.11.2013
SecurityVulns ID: 13349
Type: local
Threat Level: 3/10
Description: Protection bypass.
Affected:INSTAGRAM : Instagram 4.1
Original document: pfohl_(at)_rt-solutions.de, Instagram Photo Upload and Flattr Money Redirection Vulnerability (26.11.2013)
 Georg Lukas, Two Instagram Android App Security Vulnerabilities (09.10.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod