CarolinaCon-12 – March 2016 – Call for Speakers/Papers/Presenters/Demos

Posted by Vic Vandal on Oct 17

h4x0rs, stuff-breakers, InfoSec pros, g33k girls, international spies, and script kidz,

CarolinaCon-12 will occur on March 4th-6th 2016 in Raleigh NC (USA). We are now officially accepting
speaker/paper/demo submissions for the event.
Yes I know – CC-11 was billed as “the last CarolinaCon as we know it”. That was completely true. After holding
admission cost at $20 forever, rising production costs have forced an increase in…

Events Made Easy WordPress plugin CSRF + Persistent XSS

Posted by David Sopas on Oct 17

Plugin link: https://wordpress.org/plugins/events-made-easy/
Active Installs: 10,000+
Version tested: 1.5.49
CVE Reference: Waiting
Original advisory:
https://www.davidsopas.com/events-made-easy-wordpress-plugin-csrf-persistent-xss/

Events Made Easy is a full-featured event management solution for
WordPress. Events Made Easy supports public, private, draft and recurring
events, locations management, RSVP (+ optional approval), Paypal,
2Checkout,…

ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service – Unauthorized Access

Posted by ERPScan inc on Oct 17

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA, probably others
Vendor URL: http://SAP.com
Bugs: Unauthorized access
Sent: 20.04.2013
Reported: 21.04.2013
Vendor response: 21.04.2013
Date of Public Advisory: 13.10.2015
Reference: SAP Security Note 1945215
Author: Alexander Polyakov (ERPScan)

Description
1. ADVISORY INFORMATION…

RHSA-2015:1913-1: Critical: flash-plugin security update

Red Hat Enterprise Linux: An updated Adobe Flash Player package that fixes three security issues is
now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-7645, CVE-2015-7647, CVE-2015-7648

USN-2772-1: PostgreSQL vulnerabilities

Ubuntu Security Notice USN-2772-1

16th October, 2015

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

PostgreSQL could be made to crash or expose private information if it
handled specially crafted data.

Software description

  • postgresql-9.1
    – Object-relational SQL database

  • postgresql-9.3
    – Object-relational SQL database

  • postgresql-9.4
    – Object-relational SQL database

Details

Josh Kupershmidt discovered the pgCrypto extension could expose
several bytes of server memory if the crypt() function was provided a
too-short salt. An attacker could use this flaw to read private data.
(CVE-2015-5288)

Oskari Saarenmaa discovered that the json and jsonb handlers could exhaust
available stack space. An attacker could use this flaw to perform a denial
of service attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu
15.04. (CVE-2015-5289)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • postgresql-9.4 – 9.4.5-0ubuntu0.15.04

Ubuntu 14.04 LTS:
  • postgresql-9.3 – 9.3.10-0ubuntu0.14.04

Ubuntu 12.04 LTS:
  • postgresql-9.1 – 9.1.19-0ubuntu0.12.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.

References

CVE-2015-5288, CVE-2015-5289

USN-2768-1: Firefox vulnerability

Ubuntu Security Notice USN-2768-1

16th October, 2015

firefox vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Firefox could be made to expose sensitive information across origins.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Abdulrahman Alqabandi and Ben Kelly discovered that the fetch() API did
not correctly implement the Cross Origin Resource Sharing (CORS)
specification. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to obtain sensitive
information from other origins. (CVE-2015-7184)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  • firefox – 41.0.2+build2-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  • firefox – 41.0.2+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • firefox – 41.0.2+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2015-7184