The O2 Connection Manager’s service suffers from an unquoted search path issue impacting the Import WiFi ‘TGCM_ImportWiFiSvc’ service for Windows. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application.

O2 Connection Manager suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable files with a binary of choice. The vulnerability exist due to the improper permissions, with the ‘F’ flag (Full) for ‘Everyone’ group, making the entire directory ‘O2 Connection Manager’ and its files and sub-dirs world-writable.

WordPress Google Calendar Events plugin version 2.0.1 suffers from a cross site scripting vulnerability.

WordPress Contact Form DB plugin version 2.8.13 suffers from a cross site scripting vulnerability.

This bulletin summary lists nine released Microsoft security bulletins for October, 2014.

The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution.

Twiki versions 4.x, 5.x, and 6.0.0 suffer from a file upload bypass vulnerability.