BugTraq Latest Security Advisories

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 9 min 54 sec ago

Fwd: REWTERZ-20140103 - ManageEngine ServiceDesk Plus User Privileges Management Vulnerability

January 23, 2015 - 3:56am

Posted by Rewterz - Research Group on Jan 23

================================================================================
[REWTERZ-20140103] - Rewterz - Security Advisory
================================================================================

Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031...
Categories:

REWTERZ-20140102 - ManageEngine ServiceDesk Plus User Enumeration Vulnerability

January 23, 2015 - 3:48am

Posted by Rewterz - Research Group on Jan 23

================================================================================
[REWTERZ-20140102] - Rewterz - Security Advisory
================================================================================

Title: ManageEngine ServiceDesk Plus User Enumeration Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact:...
Categories:

REWTERZ-20140101 - ManageEngine ServiceDesk SQL Injection Vulnerability

January 23, 2015 - 3:41am

Posted by Rewterz - Research Group on Jan 23

================================================================================

[REWTERZ-20140101] - Rewterz - Security Advisory

================================================================================

Title: ManageEngine ServiceDesk SQL Injection Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: High...
Categories:

[HITB-Announce] #HITB2015AMS Call for Papers 1st Round is Closing in 10 Days

January 23, 2015 - 3:32am

Posted by Hafez Kamal on Jan 23

Hi guys - Happy New Year!

Just a reminder that the first selection round for submissions to HITB
Security Conference 2015 in Amsterdam is closing at the end of January!
That's T - 10 days and counting!!!

===

Date: 26th - 29th May 2015
Venue: De Beurs van Berlage
Event Website: http://conference.hitb.org/hitbsecconf2015ams/

---

HITBSecConf is a deep-knowledge, highly technical conference and we're
looking for material which is new,...
Categories:

PhotoSync 1.1.3 Android - Command Inject Vulnerability

January 22, 2015 - 12:10pm

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
PhotoSync 1.1.3 Android - Command Inject Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1410

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1410

Common Vulnerability Scoring System:
====================================
5.2

Product & Service Introduction:...
Categories:

Program-O v2.4.6 - Multiple Web Vulnerabilities

January 22, 2015 - 12:01pm

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
Program-O v2.4.6 - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1414

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1414

Common Vulnerability Scoring System:
====================================
6.3

Product & Service Introduction:
===============================...
Categories:

CVE-2015-1180-xss-eventsentry

January 22, 2015 - 9:40am

Posted by Sudhanshu Chauhan on Jan 22

CVE-2015-1180-xss-eventsentry

Information
----------------
Advisory by Octogence.
Name: Reflected XSS Vulnerability in EventSentry Web Reports Interface
Affected Software : EventSentry
Affected Versions: 3.1.0 and possibly below
Vendor Homepage : http://eventsentry.com/
Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1180

Impact
----------
An attacker can craft a URL with malicious JavaScript code which
executes in...
Categories:

CVE-2015-1179-xss-mango-automation-scada

January 22, 2015 - 9:32am

Posted by Sudhanshu Chauhan on Jan 22

CVE-2015-1179-xss-mango-automation-scada

Information
-----------------
Advisory by Octogence.
Name: Reflected XSS Vulnerability in Mango Automation SCADA/HMI software
Affected Software : Mango Automation
Affected Versions: 2.4.0 and possibly below
Vendor Homepage : http://infiniteautomation.com/
Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1179

Impact
----------
An attacker can craft a URL with malicious JavaScript...
Categories:

CVE-2015-1178-xss-x-cart-ecommerce

January 22, 2015 - 9:23am

Posted by Sudhanshu Chauhan on Jan 22

CVE-2015-1178-xss-x-cart-ecommerce

Information
----------------
Advisory by Octogence.
Name: Reflected XSS Vulnerability in X-CART e-Commerce software
Affected Software : X-Cart
Affected Versions: 5.1.8 and possibly below
Vendor Homepage : https://www.x-cart.com
Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1178

Impact
----------
An attacker can craft a URL with malicious JavaScript code which
executes in the...
Categories:

CVE-2015-1177-xss-exponent

January 22, 2015 - 9:15am

Posted by Sudhanshu Chauhan on Jan 22

CVE-2015-1177-xss-exponent

Information
----------------
Advisory by Octogence.
Name: Reflected XSS Vulnerability in Exponent CMS
Affected Software : Exponent
Affected Versions: 2.3.2 and possibly below
Vendor Homepage : http://www.exponentcms.org/
Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1177

Impact
----------
An attacker can craft a URL with malicious JavaScript code which
executes in the browser.

Technical...
Categories:

SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) & SCSP

January 22, 2015 - 9:04am

Posted by SEC Consult Vulnerability Lab on Jan 22

SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 -...
Categories:

CVE-2015-1176-xss-osticket

January 22, 2015 - 8:55am

Posted by Sudhanshu Chauhan on Jan 22

CVE-2015-1176-xss-osticket

Information
----------------
Advisory by Octogence.
Name: Reflected XSS Vulnerability in osTicket Ticket system
Affected Software : osTicket
Affected Versions: 1.9.4 and possibly below
Vendor Homepage : http://osticket.com/
Vulnerability Type : Cross-site Scripting
Severity : High
CVE ID: CVE-2015-1176

Impact
----------
An attacker can craft a URL with malicious JavaScript code which
executes in the browser....
Categories:

[slackware-security] samba (SSA:2015-020-01)

January 22, 2015 - 4:12am

Posted by Slackware Security Team on Jan 22

[slackware-security] samba (SSA:2015-020-01)

New samba packages are available for Slackware 14.1 and -current to
fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.16-i486-1_slack14.1.txz: Upgraded.
This update is a security release in order to address CVE-2014-8143
(Elevation of privilege to Active Directory Domain Controller).
Samba's AD DC allows...
Categories:

Remote Desktop v0.9.4 Android - Multiple Vulnerabilities

January 22, 2015 - 4:03am

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
Remote Desktop v0.9.4 Android - Multiple Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1413

Release Date:
=============
2015-01-20

Vulnerability Laboratory ID (VL-ID):
====================================
1413

Common Vulnerability Scoring System:
====================================
4.4

Product & Service Introduction:...
Categories:

iExplorer 3.6.3 - DLL Hijacking Exploit itunesmobiledevice.dll

January 22, 2015 - 3:54am

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
iExplorer 3.6.3 - DLL Hijacking Exploit itunesmobiledevice.dll

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1415

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9600

CVE-ID:
=======
CVE-2014-9600

Release Date:
=============
2015-01-19

Vulnerability Laboratory ID (VL-ID):
====================================
1415

Common Vulnerability Scoring System:...
Categories:

[RT-SA-2014-010] AVM FRITZ!Box Firmware Signature Bypass

January 22, 2015 - 3:45am

Posted by RedTeam Pentesting GmbH on Jan 22

Advisory: AVM FRITZ!Box: Firmware Signature Bypass

The signature check of FRITZ!Box firmware images is flawed. Malicious
code can be injected into firmware images without breaking the RSA
signature. The code will be executed either if a manipulated firmware
image is uploaded by the victim or if the victim confirms an update on
the webinterface during a MITM attack.

Details
=======

Product: AVM FRITZ!Box 7490, 7390, 7270v3 and other models...
Categories:

PhotoSync v1.1.3 Android - Command Inject Vulnerability

January 22, 2015 - 3:38am

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
PhotoSync v1.1.3 Android - Command Inject Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1410

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1410

Common Vulnerability Scoring System:
====================================
5.2

Product & Service Introduction:...
Categories:

[oCERT-2015-001] JasPer input sanitization errors

January 22, 2015 - 3:30am

Posted by Andrea Barisani on Jan 22

#2015-001 JasPer input sanitization errors

Description:

The JasPer project is an open source implementation for the JPEG-2000 codec.

The library is affected by an off-by-one error in a buffer boundary check in
jpc_dec_process_sot(), leading to a heap based buffer overflow, as well as
multiple unrestricted stack memory use issues in jpc_qmfb.c, leading to stack
overflow.

A specially crafted JPEG-2000 file can be used to trigger the...
Categories:

[security bulletin] HPSBUX03235 SSRT101750 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)

January 20, 2015 - 9:24pm

Posted by security-alert on Jan 21

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04550240

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04550240
Version: 1

HPSBUX03235 SSRT101750 rev.1 - HP-UX Running BIND, Remote Denial of Service
(DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-01-20
Last...
Categories:

[SECURITY] [DSA 3134-1] sympa security update

January 20, 2015 - 9:16pm

Posted by Salvatore Bonaccorso on Jan 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-3134-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
January 20, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : sympa

A vulnerability has been discovered in the web...
Categories: