Open-Xchange versions 7.6.0 and below suffer from absolute path traversal, server-side request forgery, XXE injection, and cross site scripting vulnerabilities.

Briefcase version 4.0 suffers from code execution and local file inclusion vulnerabilities.

The PASSWORDS’14 Norway Call For Papers has been announced. It will take place December 8th through the 10th, 2014 in Trondheim, Norway.

Aztech DSL5018EN, DSL705E, and DSL705EU ADSL modems/routers suffer from broken session management, denial of service, file exposure, and parameter tampering vulnerabilities.

Maligno is an open source penetration testing tool written in python, that serves Metasploit payloads. It generates shellcode with msfvenom and transmits it over HTTP or HTTPS. The shellcode is encrypted with AES and encoded with Base64 prior to transmission.

Red Hat Security Advisory 2014-1188-01 – OpenStack Dashboard provides administrators and users with a graphical interface to access, provision, and automate cloud-based resources. A cross-site scripting flaw was found in the way orchestration templates were handled. An owner of such a template could use this flaw to perform XSS attacks against other Horizon users. It was found that network names were not sanitized. A malicious user could use this flaw to perform XSS attacks against other Horizon users by creating a network with a specially crafted name.

Red Hat Security Advisory 2014-1187-01 – KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Linux OpenStack Platform. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to supply a malicious image file to QEMU or to helper tools used in image conversion by services such as Glance and Nova could potentially use these flaws to cause memory corruption, resulting in a crash or possibly arbitrary code execution.

HP Security Bulletin HPSBOV03099 – Potential security vulnerabilities have been identified with HP OpenVMS running OpenSSL. The vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or disclose information. Revision 1 of this advisory.

Ubuntu Security Notice 2346-1 – Tim Ruehsen discovered that curl incorrectly handled partial literal IP addresses. This could lead to the disclosure of cookies to the wrong site, and malicious sites being able to set cookies for others. Tim Ruehsen discovered that curl incorrectly allowed cookies to be set for Top Level Domains (TLDs). This could allow a malicious site to set a cookie that gets sent to other sites.

Red Hat Security Advisory 2014-1193-01 – Apache Axis is an implementation of SOAP. It can be used to build both web service clients and servers. It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject’s Common Name field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.