Monthly Archives: September 2015
Google Is Teaching Cars To Drive Like Humans
Ubuntu Security Notice USN-2748-1
Ubuntu Security Notice 2748-1 – Benjamin Randazzo discovered an information leak in the md (multiple device) driver when the bitmap_info.file is disabled. A local privileged attacker could use this to obtain sensitive information from the kernel. Lureau discovered that the vhost driver did not properly release the userspace-provided log file descriptor. A privileged attacker could use this to cause a denial of service (resource exhaustion). Various other issues were also addressed.
Centreon 2.6.1 Persistent Cross Site Scripting
Centreon version 2.6.1 suffers from a stored cross site scripting vulnerability.
WordPress Appointment Booking Calendar 1.1.7 SQL Injection
WordPress Appointment Booking Calendar plugin 1.1.7 suffers from a remote SQL injection vulnerability.
PCMan FTP Server 2.0.7 Directory Traversal
PCMan FTP Server version 2.0.7 suffers from a directory traversal vulnerability.
Vtiger CRM 6.3 Remote Code Execution
Vtiger CRM versions 6.3 and below suffer from an authenticated remote code execution vulnerability.
Centreon 2.6.1 Command Injection
Centreon version 2.6.1 suffers from a command injection vulnerability. The POST parameter ‘persistant’, which is used to make a new service run in the background, is not properly sanitized before being used to execute commands. This can be exploited to inject and execute arbitrary shell commands, including through cross site request forgery attacks.
IconLover 5.4.5 Stack Buffer Overflow
IconLover version 5.4.5 suffers from a stack buffer overflow vulnerability.
Photos In Wifi 1.0.1 File Upload
Photos in Wifi version 1.0.1 suffers from a remote shell upload vulnerability.