SQL injection vulnerability in views/zero_transact_user.php in the administrative backend in ZeroCMS 1.3.3, 1.3.2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a Modify Account action. NOTE: The article_id parameter to zero_view_article.php vector is already covered by CVE-2014-4034.
Monthly Archives: February 2015
CVE-2015-1444
Multiple cross-site scripting (XSS) vulnerabilities in the web administration frontend in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30 allow remote attackers to inject arbitrary web script or HTML via the (1) conntrack.cgi, (2) index.cgi, (3) log_syslog.cgi, (4) problems.cgi, (5) status.cgi, (6) status_network.cgi, or (7) status_system.cgi script in admin/.
CVE-2015-1467
Multiple SQL injection vulnerabilities in Translations in Fork CMS before 3.8.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) language[] or (2) type[] parameter to private/en/locale/index.
CVE-2015-1512
Multiple cross-site scripting (XSS) vulnerabilities in FancyFon FAMOC before 3.17.4 allow remote attackers to inject arbitrary web script or HTML via the (1) LoginForm[username] parameter to ui/system/login or the (2) order or (3) myorgs parameter to index.php.
CVE-2015-1513
SQL injection vulnerability in SIPhone Enterprise PBX allows remote attackers to execute arbitrary SQL commands via the Username.
CVE-2015-1514
Multiple SQL injection vulnerabilities in FancyFon FAMOC before 3.17.4 allow (1) remote attackers to execute arbitrary SQL commands via the device ID REST parameter (PATH_INFO) to /ajax.php or (2) remote authenticated users to execute arbitrary SQL commands via the order parameter to index.php.
Kaspersky Lab Achieves VMware Ready – vCloud Air™ Status under Access Tier in vCloud Air™ Air® ISV Program
Anthem ‘Medical’ Hack – What should you do?
Anthem Blue Cross Blue Shield, a medical insurance provider in the US, was subject to a serious data breach that included personal information of its members, past and present.
The data stolen includes names, birthdays, medical IDs/social security numbers, street address, email addresses and employment information including income data.
The type of data that has been reported to have been stolen means that this breach is potentially much more serious than most of the large data breaches we saw last year. These hacks were primarily of credit card and transaction data.
Generally, when credit card account details are taken, victims can limit the damage by stopping their card and changing their password. Credit card companies will also cover most of the liability.
The difference with this theft though is that stolen data is a lot more difficult to track than a simple financial transaction. Social security and insurance information can be used for anything from a false insurance claim to collecting prescription drugs.
If you think that this data breach may affect you then you should carefully check your next health insurance bill. Be sure to check that all the claims are indeed yours and dispute things that seem strange.
It’s important to catch the misuse of your insurance quickly before medical debt notices are issued because of unpaid bills. That could lead to credit rating issues or in the worst case, you could be refused insurance due to a condition that you don’t actually suffer from.
As a precaution, here are some other actions you should take, in addition to checking your medical statements as described above:
- Ensure your online accounts are not using the same email password combination that you may have had stored with Anthem; change any that are the same as your Anthem details.
- Keep a close watch on your credit reports. This will help you identify if someone is using your identity to take a line of credit in your name. Most credit scoring agencies allow you to run a report for free at least once.
- Spammers may send emails that look like they are coming from Anthem. Make sure to carefully scrutinize these emails – don’t click on links that look suspicious – and if in doubt contact Anthem to ensure it’s an official communication.
- Moving forward, avoid using the same email address or identity across multiple online accounts. For example, have a primary email address used for recovery of forgotten passwords and account information. Have a secondary email address for offline and online retail transactions. Have a third for financial accounts and sensitive information.
Follow me on Twitter @tonyatavg