Computer Security
[EN] securityvulns.ru no-pyccku


F5 BIG-IP Application Security Manager crossite scripting
Published:14.01.2015
Source:
SecurityVulns ID:14208
Type:remote
Threat Level:
2/10
Description:self-XSS
Original documentdocumentPeter Lapp, [Corrected] Stored XSS Vulnerability in F5 BIG-IP Application Security Manager (14.01.2015)

Multiple snom IP phones vulnerabilities
Published:14.01.2015
Source:
SecurityVulns ID:14209
Type:remote
Threat Level:
5/10
Description:Crossite scripting, CSRF, directory traversal, authentication bypass, privilege escalation, code execution, backdoor access.
Original documentdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20150113-0 :: Multiple critical vulnerabilities in all snom desktop IP phones (14.01.2015)

Apache qpid DoS
Published:14.01.2015
Source:
SecurityVulns ID:14210
Type:remote
Threat Level:
5/10
Description:Multiple assert()s.
CVE:CVE-2015-0203
Original documentdocumentAPACHE, CVE-2015-0203: Apache Qpid's qpidd can be crashed by authenticated user (14.01.2015)

Microsoft Windows multiple security vulnerabilities
Published:14.01.2015
Source:
SecurityVulns ID:14211
Type:library
Threat Level:
8/10
Description:Multiple Internet Explorer vulnerabilities, VBScript Scripting Engine code execution, graphics system JPEG parsing information leakage.
Affected:MICROSOFT : Windows Vista
 MICROSOFT : Windows 8
 MICROSOFT : Windows 2008 Server
 MICROSOFT : Windows 7
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows 2012 Server
CVE:CVE-2014-8966 (Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6376 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6329.)
 CVE-2014-6375 (Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6374 (Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6373 (Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6369 (Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6368 (Microsoft Internet Explorer 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability.")
 CVE-2014-6366 (Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6365 (Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6328.)
 CVE-2014-6363 (vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 6 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability.")
 CVE-2014-6355 (The Graphics Component in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly process JPEG images, which makes it easier for remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Graphics Component Information Disclosure Vulnerability.")
 CVE-2014-6330 (Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability.")
 CVE-2014-6329 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6327 and CVE-2014-6376.)
 CVE-2014-6328 (Microsoft Internet Explorer 8 through 11 allows remote attackers to bypass the XSS filter via a crafted attribute of an element in an HTML document, aka "Internet Explorer XSS Filter Bypass Vulnerability," a different vulnerability than CVE-2014-6365.)
 CVE-2014-6327 (Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-6329 and CVE-2014-6376.)
Files: Microsoft Security Bulletin MS14-080 - Critical Cumulative Security Update for Internet Explorer (3008923)
  Microsoft Security Bulletin MS14-084 - Critical Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
  Microsoft Security Bulletin MS14-085 - Important Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)

Microsoft Office multiple security vulnerabilities
Published:14.01.2015
Source:
SecurityVulns ID:14212
Type:client
Threat Level:
8/10
Description:Memory corruptions, index overflows, use-after-free, uninitialized pointers.
Affected:MICROSOFT : Office 2007
 MICROSOFT : Office 2012
 MICROSOFT : Office 2010
 MICROSOFT : Office 2013
CVE:CVE-2014-6364 (Use-after-free vulnerability in Microsoft Office 2007 SP3; 2010 SP2; 2013 Gold, SP1, and SP2; and 2013 RT Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability.")
 CVE-2014-6361 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 Gold and SP1, Excel 2013 RT Gold and SP1, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Excel Invalid Pointer Remote Code Execution Vulnerability.")
 CVE-2014-6360 (Microsoft Excel 2007 SP3, Excel 2010 SP2, and Office Compatibility Pack allow remote attackers to execute arbitrary code via a crafted Office document, aka "Global Free Remote Code Execution in Excel Vulnerability.")
 CVE-2014-6357 (Use-after-free vulnerability in Microsoft Office 2010 SP2, Office 2013 Gold and SP1, Office 2013 RT Gold and SP1, Office for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 Gold and SP1, and Office Web Apps 2010 SP2 and 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Use After Free Word Remote Code Execution Vulnerability.")
 CVE-2014-6356 (Array index error in Microsoft Word 2007 SP3, Word 2010 SP2, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Invalid Index Remote Code Execution Vulnerability.")
Files: Microsoft Security Bulletin MS14-081 - Critical Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
  Microsoft Security Bulletin MS14-082 - Important Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
  Microsoft Security Bulletin MS14-083 - Important Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)

Kodi / XBMC crossite scripting
Published:14.01.2015
Source:
SecurityVulns ID:14213
Type:remote
Threat Level:
5/10
Description:Crossite scripting in web interface.
Affected:KODI : Kodi 14.0
Original documentdocumentSEC Consult Vulnerability Lab, SEC Consult SA-20150113-2 :: Cross-Site Request Forgery in XBMC / Kodi (14.01.2015)

HP Insight Control server deployment information disclosure
Published:14.01.2015
Source:
SecurityVulns ID:14214
Type:remote
Threat Level:
5/10
CVE:CVE-2014-7881 (Cross-site scripting (XSS) vulnerability in the server in HP Insight Control allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original documentdocumentHP, [security bulletin] HPSBMU03230 rev.1 - HP Insight Control server deployment Remote Disclosure of Information (14.01.2015)

GNU binutils multiple security vulnerabilities
Published:14.01.2015
Source:
SecurityVulns ID:14215
Type:library
Threat Level:
6/10
Description:Multiple memory corruptions.
Affected:GNU : binutils 2.25
CVE:CVE-2014-8738 (The _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.)
 CVE-2014-8737 (Multiple directory traversal vulnerabilities in GNU binutils 2.24 and earlier allow local users to delete arbitrary files via a .. (dot dot) or full path name in an archive to (1) strip or (2) objcopy or create arbitrary files via (3) a .. (dot dot) or full path name in an archive to ar.)
 CVE-2014-8504 (Stack-based buffer overflow in the srec_scan function in bfd/srec.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted file.)
 CVE-2014-8503 (Stack-based buffer overflow in the ihex_scan function in bfd/ihex.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a crafted ihex file.)
 CVE-2014-8502 (Heap-based buffer overflow in the pe_print_edata function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly have other unspecified impact via a truncated export table in a PE file.)
 CVE-2014-8501 (The _bfd_XXi_swap_aouthdr_in function in bfd/peXXigen.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) and possibly have other unspecified impact via a crafted NumberOfRvaAndSizes field in the AOUT header in a PE executable.)
 CVE-2014-8485 (The setup_group function in bfd/elf.c in libbfd in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted section group headers in an ELF file.)
 CVE-2014-8484 (The srec_scan function in bfd/srec.c in libdbfd in GNU binutils before 2.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a small S-record.)
Original documentdocumentDEBIAN, [SECURITY] [DSA 3123-2] binutils-mingw-w64 security update (14.01.2015)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod