Re: Concrete5 Security Advisory – Multiple XSS Vulnerabilities – CVE-2015-2250

Posted by Scott Arciszewski on May 14

I’m honestly surprised it took their team two months to fix this. I’ve
previously reported issues via HackerOne and they were on it within a day.

If anyone else is thinking about whitehatting up Concrete5, you might get a
faster response if you go through the HackerOne platform. Also, they’re
friendly and won’t pull a Daniel Kerr move on you if you tell them their
code is Swiss cheese. Speaking from experience here.

Debian Security Advisory 3260-1

Debian Linux Security Advisory 3260-1 – Multiple security issues have been found in Iceweasel, Debian’s version buffer overflows and use-after-frees may lead to the execution of arbitrary code, privilege escalation or denial of service.

Ubuntu Security Notice USN-2602-1

Ubuntu Security Notice 2602-1 – Jesse Ruderman, Mats Palmgren, Byron Campen, Steve Fink, Gary Kwong, Andrew McCreight, Christian Holler, Jon Coppeard, and Milan Sreckovic discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Atte Kettunen discovered a buffer overflow during the rendering of SVG content with certain CSS properties in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.