Cisco NX-OS 6.0(2)U6(1) through 6.0(2)U6(5) on Nexus 3000 devices and 6.0(2)A6(1) through 6.0(2)A6(5) and 6.0(2)A7(1) on Nexus 3500 devices has hardcoded credentials, which allows remote attackers to obtain root privileges via a (1) TELNET or (2) SSH session, aka Bug ID CSCuy25800.
Monthly Archives: March 2016
Cross-Site Scripting in extension "Apache Solr for TYPO3" (solr)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 2.8.3 and below, 3.0.0 to 3.0.1
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: The extension fails to properly sanitize user input. The vulnerability is exploitable only if the TypoScript setting search.keepExistingParametersForNewSearches is enabled (which is disabled by default).
Solution: Updated versions 2.8.4 and 3.0.2 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/solr/2.8.4/t3x/ and http://typo3.org/extensions/repository/download/solr/3.0.2/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Hendrik Nadler who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Cross-Site Scripting in extension "Extension Kickstarter" (kickstarter)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 0.5.3 and below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:N/I:N/A:N/E:F/RL:U/RC:C
Problem Description: The extension fails to properly encode extension information in its edit mask. An admin backend user is needed to exploit the vulnerability.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.
Credits: Credits go to Oliver Klee who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Multiple vulnerabilities in extension "Fe user statistic" (festat)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 0.3.2 and below
Vulnerability Type: Cross-Site Scripting, Insecure Unserialize and Information Disclosure
Severity: High
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: Failing to sanitize user input properly, festat is vulnerable to Cross-Site Scripting, Insecure Unserialize and Information Disclosure.
Solution: An updated version 0.3.3 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/festat/0.3.3/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Torben Hansen who discovered and reported this issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Cross-Site Scripting in extension "Google Sitemap" (enter_new_weeaar_googlesitemap)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.0.0 and below
Vulnerability Type: Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:U/RC:C
Problem Description: This extension is a fork of the extension weeaar_googlesitemap. Like the original extension, this fork is susceptible to Cross-Site Scripting.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author failed to provide a security fix for the reported vulnerability within a reasonable time. Please uninstall and delete the extension from your installation.
Credits: Credits go to Frederic Gaus who reported the fork.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Cross-Site Scripting in extension "List frontend users" (listfeusers)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 0.9.9 and below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P
Problem Description: The extension fails to properly sanitize data from TYPO3 fe_users records.
Solution: An updated version 0.9.11 is available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/listfeusers/0.9.11/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Torben Hansen who reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Information Disclosure in extension "UTOPIA" (ics_utopia)
Release Date: March 03, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.0.1 and below
Vulnerability Type: Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:C/I:N/A:N/E:H/RL:U/RC:C
Problem Description: The extension saves t3d exports to a publicly accessible folder, which could lead to an information disclosure.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension is no longer maintained and the author will not provide a security fix for the reported vulnerability. Please uninstall and delete the extension from your installation.
Important note: You have to remove existing t3d files from your fileadmin folder manually!
Credits: Credits go to the security team member Helmut Hummel who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Can Scientists 'Upload Knowledge' Directly into your Brain to Teach New Skills?
Imagine the world where you do not have to make any efforts to learn new skills or knowledge.
Just as new programs are uploaded to a robot to teach it new skills, what if new skills could be uploaded to your brain to make you learn, say, to play the guitar, a whole language like French or German, or anything else you wish?
Would you want such a technique, if it existed, to make this possible?
Of
From Cars to Toothbrushes and Everything in Between – MWC 2016
Mobile World Congress is the largest gathering of the mobile industry and takes place at the end of February every year. According to the latest attendance numbers, it was bigger and better attended than any previous congress. Every brand associated with smartphones you can think of was there, along with some brands you may not know but which provide the components that make it all work behind the scenes.
There is a dramatic change afoot in this industry and it’s clear to see at MWC. The focus of this year’s show is very much the Internet of Things (IoT). Most of us take this to mean fitness trackers, a few connected fridges, and maybe, for a select few, a car.
IoT is going to affect all of us in ways that we can’t yet imagine — everything will be connected and adding data to a world that will operate based on the analysis of everything around us. This may sound like a science-fiction movie, but it’s not. There’s technology on its way that really does mean that there are very few things that won’t be connected.
What was hot at this year’s MWC 2016?
There is a device for tracking everything from fitness to air quality. While these are exciting toys and gadgets for us to own and play with, the bigger story is how they are being placed as stepping stones toward a far more connected world. We continually hear about self-driving cars and other cool innovations, but for many of us these are still news stories rather than reality. One example that is already here is Seat’s connected car tech, which allows drivers to check the availability of parking spaces, access breakdown services and connect to household appliances.

Do you ever leave home in the morning having missed a tooth when brushing? With Oral-B’s smart toothbrush it will be a thing of the past! A smartphone app connects to the toothbrush and detects which teeth are still dirty.
Visa announced their new payment system, the Visa Ready program, which will allow transactions to be made from any suitable connected device. Anyone traveling through London recently may have seen people waving their phones at the tube payment terminals to pay for their trip. With the new service from Visa, this facility will be extended to other devices and will use tokens rather than card details. This means that personal data is never transmitted, similar to the way Apple Pay and Android Pay work, and it should be considered a security enhancement over the current process.
Honda has already signed up to the program to use an in-car fuel app that will be integrated into their vehicles’ dashboards. Once the car is running low on fuel, the driver will automatically be directed to the nearest gas station. The app will know the exact amount of fuel needed, calculate the cost and pay for the fuel. Of course, this does mean the pump needs to accept wireless payments, and you will still need to get out and actually put the fuel hose into the car.
Virtual reality
A technology that has been heard about for years is about to become both affordable and usable, and will soon establish itself as a normal part of our lives. I was lucky enough to get a full hands-on demo of Intel’s RealSense™ virtual reality technology that is being made available to developers in the next few months.

Put the headset on and be immersed in a virtual world where you can actually interact using your hands. Yes, they actually appear in the virtual world, allowing you to move objects and to be part of what you are seeing. Or allow the headset to map, in real time, the environment you are in and to add things to it — you can mix our physical world with a virtual one. For example, using the demo headset I scanned a table and then a cat jumped up onto it. I moved away and the cat jumped off the table. The possibilities for this technology in our normal lives, especially if you are a gamer, are really exciting and I can’t wait to see them realized.
There is a common concern with all the new IoT devices and the cool services they deliver, and that is security. Every connected device creates a new opportunity for hackers to attempt to breach the device and access your personal data. While many device manufacturers may build their products using a ‘secure by design’ approach, this may not be the case with the small innovative companies that have the hottest technology.
The concern should not stop with hackers. Devices are collecting data without us realizing it. This raises questions about who has access to our data and what it is being used for — did you read the privacy policy of every connected device you already own, and will you read the privacy policy of all the new ones? Unfortunately, the answer is most likely no. Besides presenting us with new and impressive connected devices, Mobile World Congress has also highlighted the need for us to be aware of what data is being held, who is holding it, and for what intent.
Google Releases Security Update for Chrome
Original release date: March 02, 2016
Google has released Chrome version 49.0.2623.75 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review the Chrome Releases page and apply the necessary update.