Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to the (1) CSVServlet or (2) CReportPDFServlet servlet.
Monthly Archives: December 2014
CVE-2014-5446 (manageengine_it360, manageengine_netflow_analyzer)
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
CVE-2014-6034 (manageengine_it_plus, manageengine_it360, manageengine_opmanager)
Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter.
CVE-2014-6035 (manageengine_opmanager)
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
CVE-2014-6036 (manageengine_it_plus, manageengine_it360, manageengine_opmanager)
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
CVE-2014-7867 (manageengine_it_plus, manageengine_it360, manageengine_opmanager)
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
CVE-2014-7868 (manageengine_it_plus, manageengine_it360, manageengine_opmanager)
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
Apple Security Advisory 2014-12-3-1
Apple Security Advisory 2014-12-3-1 – Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1 are now available and address cross-origin CSS loading and multiple memory handling vulnerabilities.
PayPal bug bounty catches account-hijacking vulnerability
Popular internet payment provider PayPal has fixed an exploit that would have allowed hackers to take over an account with a single click, reports The Register.
The post PayPal bug bounty catches account-hijacking vulnerability appeared first on We Live Security.
Firefox 34 disables SSL 3.0 and tackles eight security fixes
Firefox 34, the latest version of the Mozilla’s popular web browser has disabled support for SSL 3.0 in reaction to the POODLE exploit, reported by We Live Security back in October.
The post Firefox 34 disables SSL 3.0 and tackles eight security fixes appeared first on We Live Security.