BugTraq Latest Security Advisories

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 38 min 37 sec ago

JSPMyAdmin SQL Injection, CSRF & XSS Vulnerabilities

1 hour 53 min ago

Posted by apparitionsec on May 29

Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYADMIN0529.txt

Vendor:
code.google.com/p/jsp-myadmin

Product:
JSPAdmin 1.1 is a Java web based MySQL database management system.

Advisory Information:
================================================
JSPMyAdmin 1.1 SQL Injection, CSRF & XSS Vulnerabilities

SQL Injection
CSRF
XSS

Vulnerability Details:...
Categories:

[SECURITY] [DSA 3274-1] virtualbox security update

2 hours 2 min ago

Posted by Moritz Muehlenhoff on May 29

-------------------------------------------------------------------------
Debian Security Advisory DSA-3274-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 28, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : virtualbox
CVE ID : CVE-2015-3456

Jason Geffner...
Categories:

[security bulletin] HPSBHF03340 rev.1 - HP ThinPro Linux and HP Smart Zero Core running HP Easy Setup Wizard, Local Unauthorized Access, Elevation of Privilege

May 28, 2015 - 12:21pm

Posted by security-alert on May 28

UPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04692275
Version: 1

HPSBHF03340 rev.1 - HP ThinPro Linux and HP Smart Zero Core running HP Easy
Setup Wizard, Local Unauthorized Access, Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-05-27
Last Updated: 2015-05-27

Potential Security Impact: Local unauthorized access, elevation of privilege

Source:...
Categories:

Audacity 2.0.5 contains Arbitrary DLL Injection Code Execution

May 28, 2015 - 7:13am

Posted by mystyle_rahul on May 28

A local dll injection vulnerability has been discovered in the official Audacity 2.0.5.
Since the program is not specified with a fully qualified path name the program uses a fixed path to look for specific
files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom
version of the file or library in the path, the program will load it before the legitimate version. This allows a local...
Categories:

CVE-2015-1835: ...

May 28, 2015 - 6:40am

Posted by Dirk-Willem van Gulik on behalf of Apache Cordova on May 28

CVE-2015-1835: Remote exploit of secondary configuration variables in
Apache Cordova on Android

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Cordova Android up to 4.0.1 (3.7.2 excluded)

Description:

Android applications built with the Cordova framework that don't have
explicit values set in Config.xml can have undefined configuration
variables set by Intent. This...
Categories:

[SEARCH-LAB advisory] More than fifty vulnerabilities in D-Link NAS and NVR devices

May 28, 2015 - 6:33am

Posted by Gergely Eberhardt on May 28

Overwiew
--------
SEARCH-LAB performed an independent security assessment on four
different D-Link devices. The assessment has identified altogether 53
unique vulnerabilities in the latest firmware (dated 30-07-2014).
Several vulnerabilities can be abused by a remote attacker to execute
arbitrary code and gain full control over the devices. We list below
several of the problematic areas, where the most critical findings were
discovered:
-...
Categories:

DbNinja 3.2.6 Flash XSS Vulnerabilities

May 28, 2015 - 6:25am

Posted by apparitionsec on May 28

# Exploit Title: DbNinja Flash XSS Exploit
# Google Dork: intitle: Flash XSS
# Date: May 27, 2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.dbninja.com
# Software Link: www.dbninja.com
# Version: 3.2.6
# Tested on: Windows 7
# Category: Flash XSS
# CVE : NA

Source:
http://hyp3rlinx.altervista.org/advisories/AS-DBNINJA0527.txt

Product:
DbNinja is a web based application for MySQL database...
Categories:

DbNinja 3.2.6 Flash XSS Vulnerabilities

May 28, 2015 - 6:18am

Posted by apparitionsec on May 28

# Exploit Title: DbNinja Flash XSS Exploit
# Google Dork: intitle: Flash XSS
# Date: May 27, 2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.dbninja.com
# Software Link: www.dbninja.com
# Version: 3.2.6
# Tested on: Windows 7
# Category: Flash XSS
# CVE : NA

Source:
http://hyp3rlinx.altervista.org/advisories/AS-DBNINJA0527.txt

Product:
DbNinja is a web based application for MySQL database...
Categories:

[Onapsis Security Advisory 2015-006] SAP HANA Information Disclosure via SQL IMPORT FROM statement

May 27, 2015 - 1:43pm

Posted by Onapsis Research Labs on May 27

Onapsis Security Advisory ONAPSIS-2015-006: SAP HANA Information
Disclosure via SQL IMPORT FROM statement

1. Impact on Business
=====================

Under certain conditions some SAP HANA Database commands could be
abused by a remote authenticated attacker to access information which
is restricted.
This could be used to gain access to confidential information.

Risk Level: Medium

2. Advisory Information
=======================

- Public...
Categories:

[Onapsis Security Advisory 2015-007] SAP HANA Log Injection Vulnerability

May 27, 2015 - 1:35pm

Posted by Onapsis Research Labs on May 27

Onapsis Security AdvisoryONAPSIS-2015-007: SAP HANA Log Injection
Vulnerability

1. Impact on Business
=====================

Under certain conditions the SAP HANA XS engine is vulnerable to
arbitrary log
injection, allowing remote authenticated attackers to write arbitrary
information in log files.
This could be used to corrupt log files or add fake content misleading
an administrator.

Risk Level: Medium

2. Advisory Information...
Categories:

Thycotic Password Manager Secret Server iOS Application - MITM SSL Certificate Vulnerability

May 27, 2015 - 6:23am

Posted by David Coomber on May 27

Thycotic Password Manager Secret Server iOS Application - MITM SSL
Certificate Vulnerability
Categories:

[SECURITY] [DSA 3268-2] ntfs-3g security update

May 27, 2015 - 6:14am

Posted by Salvatore Bonaccorso on May 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3268-2 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
May 26, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ntfs-3g
CVE ID : CVE-2015-3202
Debian Bug :...
Categories:

CVE-2015-4084 - WordPress Free Counter Plugin [Stored XSS]

May 27, 2015 - 6:06am

Posted by pan . vagenas on May 27

# Exploit Title: WordPress Free Counter Plugin [Stored XSS]
# Date: 2015/05/25
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://www.free-counter.org
# Software Link: https://wordpress.org/plugins/free-counter/
# Version: 1.1
# Tested on: WordPress 4.2.2
# Category: webapps
# CVE: CVE-2015-4084

1. Description

Any authenticated or non-authenticated user can perform a stored XSS attack simply...
Categories:

[SECURITY] [DSA 3273-1] tiff security update

May 26, 2015 - 5:58am

Posted by Moritz Muehlenhoff on May 26

-------------------------------------------------------------------------
Debian Security Advisory DSA-3273-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
May 25, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2014-8127 CVE-2014-8128...
Categories:

Synology Photo Station multiple Cross-Site Scripting vulnerabilities

May 25, 2015 - 10:09am

Posted by Securify B.V. on May 25

------------------------------------------------------------------------
Synology Photo Station multiple Cross-Site Scripting vulnerabilities
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple reflected Cross-Site scripting vulnerabilities...
Categories:

Reflected Cross-Site Scripting in Synology DiskStation Manager

May 25, 2015 - 9:59am

Posted by Securify B.V. on May 25

------------------------------------------------------------------------
Reflected Cross-Site Scripting in Synology DiskStation Manager
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site scripting vulnerability was found in...
Categories:

Command injection vulnerability in Synology Photo Station

May 25, 2015 - 9:51am

Posted by Securify B.V. on May 25

------------------------------------------------------------------------
Command injection vulnerability in Synology Photo Station
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in Synology Photo Station,...
Categories:

[SECURITY] [DSA 3265-2] zendframework regression update

May 25, 2015 - 6:39am

Posted by Alessandro Ghedini on May 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-3265-2 security () debian org
http://www.debian.org/security/ Alessandro Ghedini
May 24, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : zendframework

The update for zendframework issued as...
Categories:

[SECURITY] [DSA 3272-1] ipsec-tools security update

May 25, 2015 - 6:32am

Posted by Salvatore Bonaccorso on May 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-3272-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
May 23, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : ipsec-tools
CVE ID : CVE-2015-4047
Debian Bug :...
Categories:

[SECURITY] [DSA 3271-1] nbd security update

May 25, 2015 - 6:24am

Posted by Alessandro Ghedini on May 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-3271-1 security () debian org
http://www.debian.org/security/ Alessandro Ghedini
May 23, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : nbd
CVE ID : CVE-2013-7441 CVE-2015-0847
Debian Bug...
Categories: