Platform Software before 4.4.5 in Cisco Unified Communications Domain Manager (CDM) 8.x has a hardcoded password for a privileged account, which allows remote attackers to obtain root access by leveraging knowledge of this password and entering it in an SSH session, aka Bug ID CSCuq45546.
Monthly Archives: July 2015
CVE-2015-4525
The log-gather implementation in the web administration interface in EMC Isilon OneFS 6.5.x.x through 7.1.1.x before 7.1.1.5 and 7.2.0.x before 7.2.0.2 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.
Re: Microsoft Office – OLE Packager allows code execution in all Office versions, with macros disabled and high security templates applied
Posted by Stefan Kanthak on Jul 04
Kevin Beaumont wrote:
No, it fails when whitelisting is setup: the .JS payload is unpacked into
“%TEMP%” alias “%APPDATA%LocalTemp” alias “%USERPROFILE%AppDataLocalTemp”
where both SAFER alias Software Restriction Policies and AppLocker block its
execution.
JFTR: Windows Script Host is picky and runs scripts only if they have the
extensions .JS, .JSE, .VBS, .VBE, .WSC, .WSF and .WSH.
Windows Script…
Telegram API CSRF
Telegram API suffers from a Cross Site Request Forgery vulnerability. Note that this advisory has site-specific information.
Assange Seeks French Asylum
Mastercard Wants You To Pay With Your Face
DSA-3300 iceweasel – security update
Multiple security issues have been found in Iceweasel, Debian’s version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code or denial of service. This update also
addresses a vulnerability in DHE key processing commonly known as
the LogJam
vulnerability.
Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow
This Metasploit module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043.
Reddit Is Revolting
Red Hat Security Advisory 2015-1207-01
Red Hat Security Advisory 2015-1207-01 – Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.