UNIT4TETA TETA WEB – Authorization Bypass vulnerability

Posted by Lukasz Miedzinski on Aug 18

Title: UNIT4TETA TETA WEB – Authorization Bypass vulnerability
Author: Lukasz Miedziński
Date: 08. January 2015
CVE: CVE-2015-1173

Affected software:
==================

UNIT4TETA TETA WEB 22.62.3.4 – newest version

Older versions are probably affected too.

Exploit was tested on:
======================

UNIT4TETA TETA WEB 22.62.3.4 – newest version

Description:
============

TETA Web (former TETA Galactica) is an Internet platform…

Phorum 5.2.19 – Reflected XSS and Open Redirect

Posted by Curesec Research Team (CRT) on Aug 18

Phorum 5.2.19: Reflected XSS (IIS only) and Open Redirect
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Phorum 5.2.19
Fixed in: 5.2.20
Fixed Version Link: http://www.phorum.org/downloads/phorum_5_2_20.zip
Vendor Contact: webmaster () phorum org
Vulnerability Type: Reflected XSS (IIS only) and Open Redirect
Remote Exploitable: Yes
Reported to vendor:…

ModX Revolution 2.3.5 – Reflected XSS

Posted by Curesec Research Team (CRT) on Aug 18

ModX Revolution 2.3.5-pl: Reflected Cross Site Scripting Vulnerability
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: ModX Revolution 2.3.5-pl
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: hello () modx com
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
Reported to vendor: 07/14/2015
Disclosed to public:…

CVE-2015-5500

Cross-site scripting (XSS) vulnerability in the Navigate module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

CVE-2015-5501

The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x before 7.x-3.0-beta2 for Drupal allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to write Apache vhost files for hosted sites in a multi-site environment.

CVE-2015-5502

The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors.

CVE-2015-5503

Open redirect vulnerability in the Chamilo integration module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

CVE-2015-5504

SQL injection vulnerability in the Novalnet Payment Module Ubercart module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.