The ANAuthenticateResource method in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to bypass JavaScript API execution restrictions via unspecified vectors, a different vulnerability than CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6713, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7616, CVE-2015-7618, CVE-2015-7619, and CVE-2015-7620.
Monthly Archives: October 2015
CVE-2015-7624
Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5583, CVE-2015-6705, and CVE-2015-6706.
CVE-2015-7625
Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7626, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, and CVE-2015-7634.
CVE-2015-7626
Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-7625, CVE-2015-7627, CVE-2015-7630, CVE-2015-7633, and CVE-2015-7634.
Microsoft Trusted Boot Security Feature Bypass
An attacker with administrative access to a Windows machine with UEFI Secure Boot enabled may bypass code signing policy checks by putting intentionally-malformed configuration options in the boot configuration database (BCD).
ZyXEL PMG5318-B20A OS Command Injection
ZyXEL PMG5318-B20A suffers from a command injection vulnerability via the ping function.
ElasticSearch Snapshot API Directory Traversal
This Metasploit module exploits a directory traversal vulnerability in ElasticSearch, allowing an attacker to read arbitrary files with JVM process privileges, through the Snapshot API.
HP Security Bulletin HPSBGN03515 1
HP Security Bulletin HPSBGN03515 1 – Potential security vulnerabilities have been identified with HP Smart Profile Server Data Analytics Layer (SPS DAL). These vulnerabilities could be exploited remotely to allow Cross-Site Scripting (XSS) or disclosure of information. Revision 1 of this advisory.
Blat 2.7.6 Buffer Overflow
Blat version 2.7.6 suffers from a stack buffer overflow vulnerability.
Twilio – Moderately Critical – Access bypass – SA-CONTRIB-2015-157
- Advisory ID: DRUPAL-SA-CONTRIB-2015-157
- Project: Twilio (third-party module)
- Version: 7.x
- Date: 2015-October-14
- Security risk: 14/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Access bypass
Description
This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages.
The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended.
This vulnerability is mitigated by the fact that an attacker must have access to a session with the role that has the permission “access administration pages”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Twilio 7.x-1.x versions prior to 7.x-1.11
Drupal core is not affected. If you do not use the contributed Twilio module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Twilio module for Drupal 7.x, upgrade to Twilio 7.x-1.11
Grant the permission “administer twilio” to any roles that should be able to administer the Twilio module.
Also see the Twilio project page.
Reported by
- Ivo Van Geertruyen of the Drupal Security Team
- Pere Orga i Esteve of the Drupal Security Team
Fixed by
- Arvin Singla the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Drupal version: