Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action they choose. The company said that all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability. This bug is […]
Monthly Archives: June 2015
SBA Research Vulnerability Disclosure – Multiple Critical Vulnerabilities in Koha ILS
Posted by Raschin Ghanad-Tavakoli on Jun 25
===============================================================================================
SBA Research Vulnerability Disclosure
===============================================================================================
title: Koha Unauthenticated SQL injection
product: Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version:…
CVE-2015-1851
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
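The Cinder entry above only says that the file read is triggered by a crafted qcow2 signature in a volume handed to upload-to-image. The mechanism that makes such a signature dangerous is format autodetection: a volume declared as raw that begins with the qcow2 magic is parsed as qcow2 by an image converter, and a qcow2 header can name a backing file, which the converter then opens on the host. The following is an added example, not Cinder's code or its patch: a minimal qcow2 header parser plus an upload gate that rejects a "raw" volume carrying a qcow2 header and a "qcow2" volume that references any backing file. The header layout is the public qcow2 on-disk format; the function names, the `check_upload` policy, and the constructed sample volume are this example's own assumptions.

```python
import struct

# qcow2 on-disk header (big-endian). The first four fields are all the
# check needs; the full version-2 layout is only used to build the sample.
QCOW2_MAGIC = b"QFI\xfb"
QCOW2_PREFIX = ">4sIQI"               # magic, version, backing_file_offset, backing_file_size
QCOW2_V2_HEADER = ">4sIQIIQIIQQIIQ"   # complete 72-byte version-2 header
MAX_BACKING_NAME = 1023               # qemu's own limit on the backing file name length


def parse_qcow2_header(data):
    """Return (version, backing_file) when data starts with a qcow2 header, else None.

    backing_file is None when the header carries no backing file pointer.
    Raises ValueError for a pointer that does not fit inside the supplied bytes.
    """
    if len(data) < struct.calcsize(QCOW2_PREFIX) or not data.startswith(QCOW2_MAGIC):
        return None
    _, version, bf_off, bf_size = struct.unpack_from(QCOW2_PREFIX, data, 0)
    if bf_off == 0 or bf_size == 0:
        return version, None
    if bf_size > MAX_BACKING_NAME or bf_off + bf_size > len(data):
        raise ValueError("qcow2 backing file pointer lies outside the image")
    name = data[bf_off:bf_off + bf_size].decode("utf-8", errors="replace")
    return version, name


def check_upload(data, declared_format):
    """Decide whether a volume's bytes may be processed as declared_format.

    Returns (ok, reason). A 'raw' volume must not look like qcow2, because a
    converter that autodetects formats would then honour its backing file; a
    'qcow2' volume must not reference a backing file at all. This policy is
    the example's own, not Cinder's.
    """
    header = parse_qcow2_header(data)
    if declared_format == "raw":
        if header is not None:
            return False, "raw volume starts with a qcow2 header; refusing to convert"
        return True, "raw"
    if declared_format == "qcow2":
        if header is None:
            return False, "declared qcow2 but no qcow2 magic present"
        version, backing = header
        if backing is not None:
            return False, "qcow2 backing file is not allowed: %s" % backing
        return True, "qcow2 v%d" % version
    return False, "unsupported format %r" % declared_format


def build_sample_volume(backing_path=None):
    """Constructed sample (not a real volume): a minimal qcow2 v2 header,
    optionally followed by a backing-file name that the header points at."""
    name = backing_path.encode() if backing_path else b""
    header_len = struct.calcsize(QCOW2_V2_HEADER)  # 72 bytes
    bf_off = header_len if name else 0
    header = struct.pack(
        QCOW2_V2_HEADER,
        QCOW2_MAGIC, 2,        # magic, version
        bf_off, len(name),     # backing_file_offset, backing_file_size
        16, 1 << 20,           # cluster_bits, virtual disk size in bytes
        0, 0, 0,               # crypt_method, l1_size, l1_table_offset
        0, 0,                  # refcount_table_offset, refcount_table_clusters
        0, 0,                  # nb_snapshots, snapshots_offset
    )
    return header + name


if __name__ == "__main__":
    # A volume uploaded as "raw" whose first bytes are a qcow2 header naming a host file.
    hostile = build_sample_volume("/etc/passwd")
    print(check_upload(hostile, "raw"))
    print(check_upload(build_sample_volume(), "qcow2"))
```

The complementary measure on the conversion side is to never let the tool guess: invoke `qemu-img convert` with an explicit source format (`-f raw`) so the qcow2 magic in a raw volume is treated as data rather than as a header.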
CVE-2015-4220
Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Server 9.1(1) allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq03773.
CVE-2015-4223
Cisco IOS XR 5.1.3 allows remote attackers to cause a denial of service (process reload) via crafted MPLS Label Distribution Protocol (LDP) packets, aka Bug ID CSCuu77478.
Stored XSS Flaw Patched in Thycotic Secret Server
Thycotic, a maker of access-control and other security products, has patched a stored cross-site scripting vulnerability in one of its products that could enable an attacker to steal a victim’s stored passwords. The vulnerability is in the company’s Secret Server product, which is designed to provide password management for enterprises. Marco Delai, a researcher at […]
How do you recover from a hack?
Recent high-profile data breaches have illustrated criminals’ insatiable appetite for data and financial reward. If you do get hacked, then, here’s how to recover.
The post How do you recover from a hack? appeared first on We Live Security.
Time to Patch: Loads of Security Issues in Adobe Reader and Microsoft Windows
Mateusz Jurczyk of Google's Project Zero disclosed 15 remote code execution vulnerabilities, most of them in Windows and the Adobe Type Manager Font Driver. He presented his findings at the Recon security conference and aptly named his research "One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation".
According to his blog, the most serious and interesting issue is a highly reliable exploit for a bug in the BLEND charstring instruction. Jurczyk writes that "the extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far."
He also shared two videos in which he exploits Adobe Reader 11.0.10 using the BLEND vulnerability (CVE-2015-3052), followed by sandbox escapes via ATMFD.DLL in the Windows kernel and, on x64 builds, a "Registry Object" vulnerability (CVE-2015-0090).
Jurczyk reported all of his discoveries to Microsoft and Adobe, which fixed the bugs in security bulletins MS15-021 (March), APSB15-10 (May) and MS15-044 (May).
The post Time to Patch: Loads of Security Issues in Adobe Reader and Microsoft Windows appeared first on Avira Blog.
Recommendation: Flaw in K9 Web Protection 4.4.268
Posted by ICSS Security on Jun 25
A flaw exists in K9 Web Protection version 4.4.268 that allows any user to bypass the K9 Web Protection filter by using proxies.
Proxies are well known to bypass ISP filters as well as any parental block application such as K9 Web Protection.
For this test we ran 638 listed proxies and 25 could bypass the "Proxy Avoidance" category because they were incorrectly categorized.
New iPhone update blocks apps from seeing other apps you’ve installed
Apple will reportedly introduce a new privacy update for the iPhone that will prevent installed iOS apps from seeing which other apps have been downloaded to the device.
The post New iPhone update blocks apps from seeing other apps you’ve installed appeared first on We Live Security.