Computer Security


F5 Firepass URL redirection
Published: 22.10.2012
SecurityVulns ID: 12658
Type: remote
Threat Level: 3/10
Description: Uncontrolled redirection from the my.activation.cns.php3 page.
Original document: YGN Ethical Hacker Group, F5 FirePass SSL VPN 4xxx Series | Arbitrary URL Redirection (22.10.2012)

IBM Lotus Notes Traveler security vulnerabilities
Published: 22.10.2012
SecurityVulns ID: 12659
Type: remote
Threat Level: 5/10
Description: Cross-site scripting, cross-site request forgery, URL redirection.
Affected: IBM : Lotus Notes Traveler 8.5
CVE: CVE-2012-4825 (Multiple cross-site scripting (XSS) vulnerabilities in servlet/traveler/ILNT.mobileconfig in IBM Lotus Notes Traveler before 8.5.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) userId or (2) address parameter in a getClientConfigFile action.)
 CVE-2012-4824 (Open redirect vulnerability in servlet/traveler in IBM Lotus Notes Traveler 8.5.3 before 8.5.3.3 Interim Fix 1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirectURL parameter.)
Original document: MustLive, BF, XSS, CSRF and Redirector vulnerabilities in IBM Lotus Notes Traveler (22.10.2012)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 22.10.2012
SecurityVulns ID: 12660
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: OPENX : OpenX 2.8
 CMSQLITE : CMSQLITE 1.3
 VBULLETIN : Vbulletin 4.1
 WORDPRESS : Wordfence Security 3.3
 ATUTOR : ATutor 1.2
 SUBRION : Subrion CMS 2.2
 JCORE : jCore 1.0
 SILVERSTRIPE : SilverStripe 2.4
 TEMPLATECMS : Template CMS 2.1
 CAMPAIGNENTERPRI : Campaign Enterprise 11
 WORDPRESS : Wordpress Social Discussions 6.1
 WORDPRESS : Wordpress Slideshow 2.1
 UNIRGY : uStoreLocator 2.0
 FILEBOUND : FileBound On-Site 6.1
 VOLK : vOlk Botnet Framework 4.0
 OMNISTAR : Omnistar Document Manager 8.0
 INTERSPIRE : Interspire Email Marketer 6.0
 OMNISTAR : Omnistar Mailer 7.2
 PHPFREECHAT : phpFreeChat 1.4
 PHPTAX : phptax 0.8
 SWITCHVOX : Switchvox Asterisk 5.1
 AXIS : Axis VoIP Manager 2.1
 NEOBILL : NeoBill CMS 0.8
 ATLASSIAN : Confluence 3.5
 ATLASSIAN : Confluence 4.0
 ATLASSIAN : Confluence 4.1
 TORRENTTRADER : TorrentTrader 2.08
CVE: CVE-2012-5169 (Multiple cross-site scripting (XSS) vulnerabilities in file_manager/preview_top.php in ATutor AContent before 1.2-2 allow remote attackers to inject arbitrary web script or HTML via the (1) pathext, (2) popup, (3) framed, or (4) file parameter.)
 CVE-2012-5168 (ATutor AContent before 1.2-1 allows remote attackers to modify arbitrary user passwords or category names via a direct request to (1) user/index_inline_editor_submit.php or (2) course_category/index_inline_editor_submit.php.)
 CVE-2012-5167 (Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 allow remote attackers to execute arbitrary SQL commands via the (1) field parameter to course_category/index_inline_editor_submit.php or (2) user/index_inline_editor_submit.php; or (3) id parameter to user/user_password.php.)
 CVE-2012-4990 (SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action.)
 CVE-2012-4989 (Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in OpenX 2.8.10 before revision 81823 allows remote attackers to inject arbitrary web script or HTML via the parent parameter in an info action.)
 CVE-2012-4902 (Multiple cross-site request forgery (CSRF) vulnerabilities in Template CMS 2.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an add action to admin/index.php or (2) conduct static PHP code injection attacks via the themes_editor parameter in an edit_template action to admin/index.php.)
 CVE-2012-4901 (Cross-site scripting (XSS) vulnerability in Template CMS 2.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the themes_editor parameter in an add_template action to admin/index.php.)
 CVE-2012-4773 (Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding an administrator account via an add action to admin/accounts/add/.)
 CVE-2012-4772 (SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter.)
 CVE-2012-4771 (Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) admin/accounts/, (2) admin/manage/, or (3) admin/manage/blocks/edit/; or (4) group parameter to admin/configuration/. NOTE: The f[accounts][fullname] and f[accounts][username] vectors are covered in CVE-2012-5452.)
 CVE-2012-4232 (SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie.)
 CVE-2012-4231 (Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter.)
 CVE-2012-3824
 CVE-2012-3823
 CVE-2012-3822
 CVE-2012-3821
 CVE-2012-3820 (Multiple SQL injection vulnerabilities in Campaign11.exe in Arial Software Campaign Enterprise before 11.0.551 allow remote attackers to execute arbitrary SQL commands via the (1) SerialNumber field to activate.asp or (2) UID field to User-Edit.asp.)
Original documents: Janek Vind, [waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08 (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, [INTREST SEC] Atlassian Confluence Wiki XSS Vulnerability (22.10.2012)
 IrIsT.Ir_(at)_gmail.com, Vbulletin (blog_plugin_useradmin) v4.1.12 Sql Injection Vulnerability (22.10.2012)
 Vulnerability Lab, Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, NeoBill CMS v0.8 Alpha - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Better WP Security v3.4.3 Wordpress - Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Switchvox Asterisk v5.1.2 - Multiple Web Vulnerabilities (22.10.2012)
 pereira_(at)_secbiz.de, phptax 0.8 <= Remote Code Execution Vulnerability (22.10.2012)
 Netsparker Advisories, XSS Vulnerabilities in phpFreeChat (22.10.2012)
 Vulnerability Lab, Omnistar Mailer v7.2 - Multiple Web Vulnerabilities (22.10.2012)
 Vulnerability Lab, Interspire Email Marketer v6.0.1 - Multiple Vulnerabilites (22.10.2012)
 Vulnerability Lab, Omnistar Document Manager v8.0 - Multiple Vulnerabilities (22.10.2012)
 Vulnerability Lab, vOlk Botnet Framework v4.0 - Multiple Web Vulnerabilities (22.10.2012)
 lists_(at)_senseofsecurity.com, FileBound - Privilege Escalation Vulnerability - Security Advisory - SOS-12-010 (22.10.2012)
 SEC Consult Vulnerability Lab, SEC Consult SA-20121017-1 :: Unirgy uStoreLocator SQL Injection - Magento extension (22.10.2012)
 Janek Vind, [waraxe-2012-SA#092] - Multiple Vulnerabilities in Wordpress Slideshow Plugin (22.10.2012)
 Janek Vind, [waraxe-2012-SA#093] - Multiple Vulnerabilities in Wordpress Social Discussions Plugin (22.10.2012)
 Vulnerability Lab, CMSQLITE v1.3.2 - Multiple Web Vulnerabiltiies (22.10.2012)
 MustLive, Multiple vulnerabilities in Megapolis.Portal Manager (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Template CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in OpenX (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in jCore (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in Subrion CMS (22.10.2012)
 High-Tech Bridge Security Research, Multiple vulnerabilities in AContent (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection (22.10.2012)
 YGN Ethical Hacker Group, SilverStripe CMS 2.4.7 <= Persistent Cross Site Scripting Vulnerability (22.10.2012)
 MustLive, XSS and IAA vulnerabilities in Wordfence Security for WordPress (22.10.2012)

CA ARCserve Backup security vulnerabilities
Published: 22.10.2012
SecurityVulns ID: 12661
Type: remote
Threat Level: 7/10
Description: Security vulnerabilities in RPC request handling.
CVE: CVE-2012-2972 (The (1) server and (2) agent components in CA ARCserve Backup r12.5, r15, and r16 on Windows do not properly validate RPC requests, which allows remote attackers to cause a denial of service (service crash) via a crafted request.)
 CVE-2012-2971 (The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request.)
Original document: CA, CA20121018-01: Security Notice for CA ARCserve Backup (22.10.2012)

Palo Alto Networks GlobalProtect certificate spoofing
Published: 22.10.2012
SecurityVulns ID: 12662
Type: m-i-t-m
Threat Level: 5/10
Description: The server certificate is not checked.
Original document: Micha.Borrmann_(at)_SySS.de, MitM-vulnerability in Palo Alto Networks GlobalProtect (22.10.2012)

modsecurity for Apache protection bypass
Published: 22.10.2012
SecurityVulns ID: 12663
Type: remote
Threat Level: 4/10
Description: It's possible to bypass filtering with a double '\r' in the multipart boundary identifier.
Affected: MODSECURITY : ModSecurity 2.6
Original document: SEC Consult Vulnerability Lab, SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass (22.10.2012)

SonicWALL EMail Security multiple security vulnerabilities
Published: 22.10.2012
SecurityVulns ID: 12664
Type: remote
Threat Level: 5/10
Description: Cross-site scripting, cross-site request forgery, etc.
Affected: SONICWALL : SonicWALL UTM Email Security 7.3
Original document: Vulnerability Lab, SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities (22.10.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod