Computer Security


Cisco Unified Customer Voice Portal multiple security vulnerabilities
Published:10.05.2013
Source:
SecurityVulns ID:13074
Type:remote
Threat Level:7/10
Description:DoS, privilege escalation, code execution, file access.
Affected:CISCO : Cisco Unified Customer Voice Portal 9.0
CVE:CVE-2013-1225 (Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to read arbitrary files via a Resource Manager (1) HTTP or (2) HTTPS request containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCub38366.)
 CVE-2013-1224 (Directory traversal vulnerability in the Resource Manager in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to overwrite arbitrary files via a crafted (1) HTTP or (2) HTTPS request that triggers incorrect parameter validation, aka Bug ID CSCub38369.)
 CVE-2013-1223 (The log viewer in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly validate an unspecified parameter, which allows remote attackers to read arbitrary files via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38372.)
 CVE-2013-1222 (The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to launch arbitrary custom web applications via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38379.)
 CVE-2013-1221 (The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38384.)
 CVE-2013-1220 (The CallServer component in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages, aka Bug ID CSCua65148.)
Files:Multiple Vulnerabilities in Cisco Unified Customer Voice Portal Software

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:10.05.2013
Source:
SecurityVulns ID:13075
Type:remote
Threat Level:5/10
Description:PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected:UMISOFT : UMI.CMS 2.9
 VIDEOJS : VideoJS 3.0
 VIDEOJS : VideoJS 4.0
 VIDEOJS : Video.js for Drupal 2.2
 VIDEOJS : bo:VideoJS for Joomla 2.1
 TELEMETA : Telemeta 1.4
 NETAPP : OnCommand System Manager 2.1
 ACTUATE : Actuate 10
CVE:CVE-2013-3322
 CVE-2013-3321
 CVE-2013-3320
 CVE-2013-2754 (Cross-site request forgery (CSRF) vulnerability in Umisoft UMI.CMS before 2.9 build 21905 allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via a request to admin/users/add/user/do/.)
Original document: ddivulnalert_(at)_ddifrontline.com, DDIVRT-2013-53 Actuate 'ActuateJavaComponent' Multiple Vulnerabilities (10.05.2013)
 SEC Consult Vulnerability Lab, SEC Consult SA-20130507-0 :: Multiple vulnerabilities in NetApp OnCommand System Manager (10.05.2013)
 MustLive, Vulnerabilities in multiple web applications with VideoJS (10.05.2013)
 MustLive, Vulnerabilities in VideoJS (10.05.2013)
 High-Tech Bridge Security Research, Cross-Site Request Forgery (CSRF) in UMI.CMS (10.05.2013)

telepathy-idle insufficient certificate check
Published:10.05.2013
Source:
SecurityVulns ID:13076
Type:m-i-t-m
Threat Level:5/10
Description:Server certificate is not checked
Affected:TELEPATHYIDLE : telepathy-idle
CVE:CVE-2007-6746 (telepathy-idle before 0.1.15 does not verify (1) that the issuer is a trusted CA, (2) that the server hostname matches a domain name in the subject's Common Name (CN), or (3) the expiration date of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.)
Original document: UBUNTU, [USN-1821-1] telepathy-idle vulnerability (10.05.2013)

Fujitsu notebooks privilege escalation
Published:10.05.2013
Source:
SecurityVulns ID:13077
Type:local
Threat Level:5/10
Description:Untrusted path to executables.
Original document: Stefan Kanthak, Re: Vulnerabilities in Windows 8 Professional x64 factory preinstallation of Fujitsu Lifebook A512 [continued] (10.05.2013)
 Stefan Kanthak, Vulnerability in "Fujitsu Desktop Update" (for Windows) (10.05.2013)

EMC Documentum multiple security vulnerabilities
Published:10.05.2013
Source:
SecurityVulns ID:13078
Type:remote
Threat Level:5/10
Description:Session fixation, cross-site scripting.
Affected:EMC : Documentum 6.7
CVE:CVE-2013-0939 (EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allow remote attackers to obtain sensitive information via vectors involving cross-origin frame navigation, related to a "Cross Frame Scripting" issue.)
 CVE-2013-0938 (Cross-site scripting (XSS) vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2013-0937 (Session fixation vulnerability in EMC Documentum Webtop before 6.7 SP2, Documentum WDK before 6.7 SP2, Documentum Taskspace before 6.7 SP2, and Documentum Records Manager before 6.7 SP2 allows remote attackers to hijack web sessions via unspecified vectors.)
Original document: EMC, ESA-2013-021: EMC Documentum Multiple Vulnerabilities (10.05.2013)

EMC AlphaStor buffer overflow
Published:10.05.2013
Source:
SecurityVulns ID:13079
Type:remote
Threat Level:6/10
Description:Buffer overflow on commands parsing in AlphaStor Library Control Program.
Affected:EMC : AlphaStor 4.0
CVE:CVE-2013-0946 (Buffer overflow in the Library Control Program (LCP) in EMC AlphaStor 4.0 before build 910 allows remote attackers to execute arbitrary code via crafted commands.)
Original document: EMC, ESA-2013-037: EMC AlphaStor Buffer Overflow Vulnerability (10.05.2013)

Apache Tomcat security vulnerabilities
Published:10.05.2013
Source:
SecurityVulns ID:13080
Type:remote
Threat Level:6/10
Description:DoS, session fixation, information leakage.
Affected:APACHE : Tomcat 6.0
 APACHE : Tomcat 7.0
CVE:CVE-2013-2071 (java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.)
 CVE-2013-2067 (java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.)
 CVE-2012-3544 (Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.)
Original document: APACHE, CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException (10.05.2013)
 APACHE, [SECURITY] CVE-2013-2067 Session fixation with FORM authenticator (10.05.2013)
 APACHE, [SECURITY] CVE-2012-3544 Chunked transfer encoding extension size is not limited (10.05.2013)

EMC RSA Authentication Agent cross-site scripting
Published:10.05.2013
Source:
SecurityVulns ID:13081
Type:remote
Threat Level:5/10
Affected:EMC : RSA Authentication Agent 7.1
CVE:CVE-2013-0942 (Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Agent 7.1 before 7.1.1 for Web for Internet Information Services, and 7.1 before 7.1.1 for Web for Apache, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original document: EMC, ESA-2013-031: RSA® Authentication Agent Cross-Site Scripting (XSS) Vulnerability (10.05.2013)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod