BugTraq Latest Security Advisories

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 8 min 7 sec ago

Sierra Library Services Platform Multiple Vulnerability Disclosure

August 29, 2014 - 4:54am

Posted by Romano, Christian on Aug 29

Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5136
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory...
Categories:

Re: SaaS Marketing platform Hubspot export vulnerability

August 28, 2014 - 11:44am

Posted by security on Aug 28

We at HubSpot take the concerns of the security community seriously, and continuously work to improve our posture in
this ever-changing field. We do have predefined roles in the application which allow our customers to segment users
permissions based on their role. These horizontal permissions are quite common among SaaS vendors.

The export functionality mentioned does have existing auditing capability in the back end. For exports, we have...
Categories:

[SECURITY] [DSA 3014-1] squid3 security update

August 28, 2014 - 11:15am

Posted by Salvatore Bonaccorso on Aug 28

-------------------------------------------------------------------------
Debian Security Advisory DSA-3014-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
August 28, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : squid3
CVE ID : CVE-2014-3609
Debian Bug :...
Categories:

SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting

August 28, 2014 - 8:38am

Posted by SEC Consult Vulnerability Lab on Aug 28

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: <= 11.5.1
fixed version: > 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: https://f5.com/
found: 2014-07-07
by: Stefan...
Categories:

Aerohive Hive Manager and Hive OS Multiple Vulnerabilities

August 28, 2014 - 5:55am

Posted by Disclosure on Aug 28

( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=....
Categories:

[The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

August 28, 2014 - 5:45am

Posted by Pedro Ribeiro on Aug 28

Hi,

You can read the usernames and MD5 hashed passwords of all the users
in the Device Expert application by sending an unauthenticated
request.
I am releasing this as a 0 day as ManageEngine have responded that
they do not consider this a priority and won't fix it in the near
future unless a customer requests it. See details below.

==========================================================================

"DeviceExpert is a...
Categories:

[SECURITY] [DSA 3013-1] s3ql security update

August 28, 2014 - 5:35am

Posted by Florian Weimer on Aug 28

-------------------------------------------------------------------------
Debian Security Advisory DSA-3013-1 security () debian org
http://www.debian.org/security/ Florian Weiemr
August 27, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : s3ql
CVE ID : CVE-2014-0485

Nikolaus Rath...
Categories:

Last CFP: ICETC2014 - IEEE - Poland (Deadline: Aug. 30)

August 27, 2014 - 5:44am

Posted by jackie on Aug 27

ICETC2014: International Conference on Education Technologies and
Computers

Technically co-sponsored by IEEE Poland Section
Lodz University of Technology, Lodz, Poland
September 22-24, 2014
http://goo.gl/axpR5f

The International Conference on Education Technologies and Computers
(ICETC2014) will be held at Lodz University of Technology, Lodz, Poland
on September 22-24, 2014. The event will be held over three days, with
presentations...
Categories:

[SECURITY] [DSA 3012-1] eglibc security update

August 27, 2014 - 5:34am

Posted by Florian Weimer on Aug 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3012-1 security () debian org
http://www.debian.org/security/ Florian Weimer
August 27, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : eglibc
CVE ID : CVE-2014-5119

Tavis Ormandy...
Categories:

SaaS Marketing platform Hubspot export vulnerability

August 27, 2014 - 5:19am

Posted by ehoward on Aug 27

Hubspot is a widely used SaaS marketing platform to email all your customers, collect data about them and attract new
customers. It's is common practice to keep customer lists in Hubspot to send newsletters or other email communication.
Hubspot has hardcoded roles that grant users access to various areas of the application.

Most user activity is tracked and can be audited, EXCEPT exporting.

A marketing level user can easily export a...
Categories:

Fwd: RFC 7359 on Layer 3 Virtual Private Network (VPN) Tunnel Traffic Leakages in Dual-Stack Hosts/Networks

August 27, 2014 - 5:08am

Posted by Fernando Gont on Aug 27

Folks,

FYI: <https://www.rfc-editor.org/rfc/rfc7359.txt>

Best regards,
Fernando Gont

-------- Forwarded Message --------
Subject: RFC 7359 on Layer 3 Virtual Private Network (VPN) Tunnel
Traffic Leakages in Dual-Stack Hosts/Networks
Date: Tue, 26 Aug 2014 18:23:00 -0700 (PDT)
From: rfc-editor () rfc-editor org
Reply-To: ietf () ietf org
To: ietf-announce () ietf org, rfc-dist () rfc-editor org
CC: drafts-update-ref () iana org,...
Categories:

Mathematica10.0.0 on Linux /tmp/MathLink vulnerability

August 27, 2014 - 4:56am

Posted by paul . szabo on Aug 27

The problem reported for Mathematica is present still at version 10.0.0
for the GUI interface (the command-line interface may be "safe").

Cheers,

Paul Szabo psz () maths usyd edu au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

---

http://seclists.org/fulldisclosure/2010/May/176
http://seclists.org/fulldisclosure/2012/Apr/157...
Categories:

Encore Discovery Solution Multiple Vulnerability Disclosure

August 27, 2014 - 4:45am

Posted by Romano, Christian on Aug 27

Product: Encore Discovery Solution
Vendor: Innovative Interfaces Inc
Vulnerable Version: 4.3
Tested Version: 4.3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-5127
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory Details:

Open Redirect...
Categories:

ESA-2014-081 RSA® Identity Management and Governance Aut hentication Bypass Vulnerability

August 26, 2014 - 12:15pm

Posted by Security Alert on Aug 26

ESA-2014-081 RSA® Identity Management and Governance Authentication Bypass Vulnerability

EMC Identifier: ESA-2014-081

CVE Identifier: CVE-2014-4619

Severity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected products:
RSA IMG versions 6.5.x and 6.8.x

Summary:
RSA Identity Management and Governance announces security fixes to address potential authentication bypass
vulnerability when NovelIM systems are used for...
Categories:

LSE Leading Security Experts GmbH - LSE-2014-07-13 - Granding Grand MA 300 - Weak Pin Verification

August 26, 2014 - 4:53am

Posted by advisories on Aug 26

=== LSE Leading Security Experts GmbH - Security Advisory 2014-07-13 ===

Grand MA 300 Fingerprint Reader - Weak Pin Verification
------------------------------------------------------------------------

Affected Versions
=================
Grand MA 300/ID with firmware 6.60

Issue Overview
==============
Vulnerability Type: Weak Pin Verification
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Granding
Vendor URL:...
Categories:

ntopng 1.2.0 XSS injection using monitored network traffic

August 26, 2014 - 4:41am

Posted by Steffen Bauch on Aug 26

ntopng 1.2.0 XSS injection using monitored network traffic

ntopng is the next generation version of the original ntop, a network
traffic probe and monitor that shows the network usage, similar to what
the popular top Unix command does.

The web-based frontend of the software is vulnerable to injection of
script code via forged HTTP Host: request header lines in monitored
network traffic.

HTTP Host request header lines are extracted using...
Categories:

[security bulletin] HPSBMU03076 rev.2 - HP Systems Insight Manager (SIM) on Linux and Windows running OpenSSL, Multiple Vulnerabilities

August 26, 2014 - 4:31am

Posted by security-alert on Aug 26

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04379485

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04379485
Version: 2

HPSBMU03076 rev.2 - HP Systems Insight Manager (SIM) on Linux and Windows
running OpenSSL, Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible....
Categories:

[WorldCIST'15]: Call for Workshops Proposals; Proceedings by Springer - Indexed by ISI, Scopus, DBLP, etc.

August 25, 2014 - 12:56pm

Posted by WorldCIST on Aug 25

------
WorldCIST'15 - 3rd World Conference on Information Systems and Technologies
Ponta Delgada, Azores *, Portugal
1 - 3 April 2015.
http://www.aisti.eu/worldcist15/
------
* Azores is ranked as the second most beautiful archipelago in the world by National Geographic.
------------

WORKSHOP FORMAT

The Information Systems and Technologies research and industrial community is invited to submit proposals of Workshops
for WorldCIST'15...
Categories:

MEHR Automation System Arbitrary File Download Vulnerability(persian portal)

August 25, 2014 - 12:45pm

Posted by cseye_ut on Aug 25

#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Title : MEHR Automation System Arbitrary File Download Vulnerability(persian portal)
# Author : alieye
# vendor : http://shakhesrayane.ir/
# Contact : cseye_ut () yahoo com
# Risk : High
# Class: Remote
#
# Google Dork:
# intext:"Poshtibani () ShakhesRayane ir"
# intext:"Shakhes Rayane Sepahan"
#...
Categories:

[SECURITY] [DSA 3011-1] mediawiki security update

August 25, 2014 - 5:16am

Posted by Salvatore Bonaccorso on Aug 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-3011-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
August 23, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mediawiki
CVE ID : CVE-2014-5241 CVE-2014-5243...
Categories: