Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.
Monthly Archives: October 2015
Are healthcare organizations ready to get serious about security … now?
ESET security researcher Lysa Myers looks at a few of the questions she has been hearing more often about the recent surfeit of insurer breaches.
The post Are healthcare organizations ready to get serious about security … now? appeared first on We Live Security.
Revive Adserver 3.2.1 CSRF / XSS / Local File Inclusion
Revive Adserver versions 3.2.1 and below suffer from improper access controls, cross site request forgery, cross site scripting, local file inclusion, and various other vulnerabilities.
Colorbox – Access bypass – Less Critical – SA-CONTRIB-2015-156
- Advisory ID: DRUPAL-SA-CONTRIB-2015-156
- Project: Colorbox (third-party module)
- Version: 7.x
- Date: 2015-October-07
- Security risk: 8/25 (Less Critical) AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
- Vulnerability: Access bypass
Description
This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal.
The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site.
This vulnerability is mitigated by the fact that an attacker must have permission to post comments with a text format that allows links.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Colorbox 7.x-2.x versions prior to 7.x-2.10.
Drupal core is not affected. If you do not use the contributed Colorbox module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Colorbox module for Drupal 7.x, upgrade to Colorbox 7.x-2.10
Also see the Colorbox project page.
Reported by
Fixed by
- Fredrik Jonsson, the module maintainer
- Ben Dougherty of the Drupal Security Team
Coordinated by
- Ben Dougherty of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
TestLink 1.9.13 Cross Site Scripting
TestLink version 1.9.13 suffers from multiple cross site scripting vulnerabilities.
TestLink 1.9.13 SQL Injection
TestLink version 1.9.13 suffers from a remote SQL injection vulnerability.
Zope Management Interface 4.3.7 Cross Site Request Forgery
Zope Management Interface version 4.3.7 suffers from a cross site request forgery vulnerability.
Netgear N300 Authentication Bypass
Netgear N300 routers suffer from an authentication bypass vulnerability that allows for complete compromise.
Huawei 3G Routers CSRF / DoS / Bypass / Information Disclosure
Huawei 3G routers suffer from authentication bypass, cross site request forgery, denial of service, and various other vulnerabilities.
WordPress Support Ticket System 1.2 SQL Injection
WordPress Support Ticket System plugin version 1.2 suffers from a remote SQL injection vulnerability.