RSA Adaptive Authentication (On-Premise) versions 6.0.2.1 to 7.1 P3 (inclusive) are potentially vulnerable to an authentication bypass vulnerability, if a device binding request is sent in an AAOP challenge SOAP call.
Monthly Archives: December 2014
EMC Documentum Content Server Insecure Direct Object Reference
EMC Documentum Content Server may be vulnerable to an insecure direct object reference vulnerability where remote authenticated attackers with limited privileges may potentially obtain unauthorized read access or may be enabled to delete arbitrary files stored on the Content Server machine or network shares accessible from the Content Server machine. Affected versions include all EMC Documentum Content Server versions of 7.1, 7.0, 6.7 SP2, and all versions prior to 6.7 SP2.
ADSL2+ 2.05.C29GV XSS / URL Redirect / Command Injection
ADSL2+ version 2.05.C29GV suffers from cross site scripting, open redirect, and command injection vulnerabilities.
CVE-2014-8104
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet.
CVE-2014-8771
Multiple cross-site request forgery (CSRF) vulnerabilities in the admin area in X3 CMS 0.5.1 and 0.5.1.1 allow remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2014-8772
Cross-site scripting (XSS) vulnerability in the search_controller in X3 CMS 0.5.1 and 0.5.1.1 allows remote authenticated users to inject arbitrary web script or HTML via the search parameter.
CVE-2014-8773
MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter.
CVE-2014-8774
Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter.
CVE-2014-8775
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2014-9018
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.