iPassword Manager version 2.6 suffers from script insertion vulnerabilities.
Monthly Archives: April 2015
Apple iOS 8.0.2 Authentication Bypass
Apple iOS versions 8.0 through 8.0.2 suffer from a lock bypass vulnerability.
HomeAdvisor Filter Bypass / Script Insertion
HomeAdvisor suffers from filter bypass and script insertion vulnerabilities.
Fedora EPEL 6 Security Update: dpkg-1.16.16-2.el6
Resolved Bugs
1092212 – CVE-2014-0471 dpkg: path traversal when unpacking a source package [epel-all]
1162166 – CVE-2014-8625 dpkg: format string vulnerability
1092210 – CVE-2014-0471 dpkg: path traversal when unpacking a source package
1162169 – CVE-2014-8625 dpkg: format string vulnerability [epel-all]
1103026 – CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source
1210748 – CVE-2015-0840 dpkg: source package integrity verification bypass
1103028 – CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all]
1210750 – CVE-2015-0840 dpkg: source package integrity verification bypass [epel-all]
Security update to 1.16.16
Fedora EPEL 7 Security Update: dpkg-1.16.16-1.el7
Resolved Bugs
1149590 – Build dpkg for EPEL7
1092212 – CVE-2014-0471 dpkg: path traversal when unpacking a source package [epel-all]
1103026 – CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source
1162166 – CVE-2014-8625 dpkg: format string vulnerability
1210748 – CVE-2015-0840 dpkg: source package integrity verification bypass
1092210 – CVE-2014-0471 dpkg: path traversal when unpacking a source package
1103028 – CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all]
1162169 – CVE-2014-8625 dpkg: format string vulnerability [epel-all]
1210750 – CVE-2015-0840 dpkg: source package integrity verification bypass [epel-all]
Security update to 1.16.16
CVE-2015-0704
Multiple cross-site request forgery (CSRF) vulnerabilities in API features in Cisco Unified MeetingPlace 8.6(1.9) allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus95884.
CVE-2015-0705
Cross-site request forgery (CSRF) vulnerability in the SOAP API endpoints of the web-services directory in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts, aka Bug ID CSCus97494.
CVE-2015-3035
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
IC3 Warns of Cyber Attacks Focused on Law Enforcement and Public Officials
Original release date: April 21, 2015
The Internet Crime Complaint Center (IC3) has issued an alert warning that law enforcement personnel and public officials may be at an increased risk of cyber attacks. Doxing—the act of gathering and publishing individuals’ personal information without permission—has been observed. Hacking collectives may exploit publicly available information identifying officers or officials, their employers, and their families. These target groups should protect their online presence and exposure.
Users are encouraged to review the IC3 Alert for details and refer to US-CERT Tip ST06-003 for information on staying safe on social network sites.
Renewed Attention on Android Apps Failing SSL Validation
CERT researcher Will Dormann presented an update on his research into Android apps that fail to validate SSL certificates; Google, meanwhile, says it will get stricter with enforcement.