AnchorCMS – PHP Object Injection (CVE-2015-5687) and More

Posted by Scott Arciszewski on Aug 27

In the near future on an IRC server near you:

CVE-2015-5687 (PHP Object Injection in AnchorCMS)
=================================================

Out of the box, AnchorCMS defaults to store all session state in a
cookie (contrast this with only storing a unique identifier in a
cookie which references a server-side storage mechanism, such as a
temporary file or a database row).

Aside: If you have paid attention to my past work with Laravel,…

CSRF/XSS vulnerability in Private Only could allow an attacker to do almost anything an admin user can (WordPress plugin)

Posted by dxw Security on Aug 27

Details
================
Software: Private Only
Version: 3.5.1
Homepage: http://wordpress.org/plugins/private-only/
Advisory report:
https://security.dxw.com/advisories/csrfxss-vulnerability-in-private-only-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/
CVE: CVE-2015-5483
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF/XSS vulnerability in Private Only could allow an attacker to do almost…

Publicly exploitable XSS in WordPress plugin Navis Documentcloud (WordPress plugin)

Posted by dxw Security on Aug 27

Details
================
Software: Navis DocumentCloud
Version: 0.1
Homepage: https://wordpress.org/plugins/navis-documentcloud/
Advisory report: https://security.dxw.com/advisories/publicly-exploitable-xss-in-wordpress-plugin-navis-documentcloud/
CVE: CVE-2015-2807
CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N)

Description
================
Publicly exploitable XSS in WordPress plugin Navis Documentcloud

Vulnerability
================
This…

nullcon se7en CFP is open

Posted by nullcon on Aug 27

Dear Friends,

Welcome to nullcon se7en!

$git commit -a <sin>

<sin> := wrath | pride | lust | envy | greed | gluttony | sloth

nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world working on the next big thing in security
and request…

CESA-2015:1693 Critical CentOS 5 firefox Security Update

CentOS Errata and Security Advisory 2015:1693 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1693.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
4accd0ef78beb2cffe7de1eb2cb077d3260d2be1254241b94dcabd5429668ffa  firefox-38.2.1-1.el5.centos.i386.rpm

x86_64:
4accd0ef78beb2cffe7de1eb2cb077d3260d2be1254241b94dcabd5429668ffa  firefox-38.2.1-1.el5.centos.i386.rpm
ee12a3a8a5ef058838bb608ec2f7bedb4033c0a4494b14e562d0567f98b8fad6  firefox-38.2.1-1.el5.centos.x86_64.rpm

Source:
c90518b13fdd40682ddfed92ebff461d50ba1b4504e553119caf965de91e5892  firefox-38.2.1-1.el5.centos.src.rpm



Mozilla Releases Security Updates for Firefox

Original release date: August 27, 2015

The Mozilla Foundation has released security updates to address a critical vulnerability in Firefox and Firefox ESR. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 40.0.3
  • Firefox ESR 38.2.1

US-CERT encourages users and administrators to review the Security Advisories for Firefox and Firefox ESR and apply the necessary updates.



CESA-2015:1693 Critical CentOS 6 firefox Security Update

CentOS Errata and Security Advisory 2015:1693 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1693.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

i386:
1de25353a5da5a88b766f833b08fd919232f64d8c4bd22c21dc7a2a942a5882f  firefox-38.2.1-1.el6.centos.i686.rpm

x86_64:
1de25353a5da5a88b766f833b08fd919232f64d8c4bd22c21dc7a2a942a5882f  firefox-38.2.1-1.el6.centos.i686.rpm
cde86c052706e5e98ab2fd10657d9e538e0f30ba96765f2f31986a60e1f49c5e  firefox-38.2.1-1.el6.centos.x86_64.rpm

Source:
e798d96ab134c3116832be3e7245e144d2a4929fc413114e7e501303ac7e6d89  firefox-38.2.1-1.el6.centos.src.rpm



CESA-2015:1693 Critical CentOS 7 firefox Security Update

CentOS Errata and Security Advisory 2015:1693 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1693.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
ccd6daae6b5970ffd6d52ea9ef5b7fe86f7fe70433769e107da8e6e120f5cdda  firefox-38.2.1-1.el7.centos.i686.rpm
8f0427d72b51874513dcff75cea91a9ad9c6df842274fa10962599793f07cb0e  firefox-38.2.1-1.el7.centos.x86_64.rpm

Source:
39557ff01ea4da417e94adec1aa984713f4228164e660abec3fbb8357cff126d  firefox-38.2.1-1.el7.centos.src.rpm