CVE-2015-0701

Cisco UCS Central Software 1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted HTTP request, aka Bug ID CSCut46961.

CVE-2015-0715

SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager 11.0(0.98000.225) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug IDs CSCut33447 and CSCut33608.

CVE-2015-0716

Cross-site request forgery (CSRF) vulnerability in the CUCReports page in Cisco Unity Connection 11.0(0.98000.225) and 11.0(0.98000.332) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut33659.

MDVSA-2015:230: squid

Updated squid packages fix a security vulnerability:

Squid configured with client-first SSL-bump does not correctly validate
X509 server certificate domain / hostname fields (CVE-2015-3455).

MDVSA-2015:229: net-snmp

Updated net-snmp packages fix a security vulnerability:

It was discovered that the snmp_pdu_parse() function could leave
incompletely parsed varBind variables in the list of variables. A
remote, unauthenticated attacker could exploit this flaw to cause a
crash or, potentially, execute arbitrary code.

MDVSA-2015:228: nodejs

Updated nodejs package fixes a security vulnerability:

It was found that libuv does not call setgroups before calling
setuid/setgid. This may allow an attacker to gain elevated
privileges (CVE-2015-0278).

The libuv library is bundled with nodejs, and a fixed version of
libuv is included with nodejs as of version 0.10.37. The nodejs
package has been updated to version 0.10.38 to fix this issue, as
well as several other bugs.