Cross-site scripting (XSS) vulnerability in Cisco Unity Connection through 11.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCus21776.
Monthly Archives: April 2016
CVE-2016-2001
HPE Universal CMDB Foundation 10.0, 10.01, 10.10, 10.11, and 10.20 allows remote attackers to obtain sensitive information or conduct URL redirection attacks via unspecified vectors.
CVE-2016-2118
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “BADLOCK.”
Samba Security Updates Address Badlock Vulnerabilities
Original release date: April 12, 2016
The Samba Team has released security updates that address vulnerabilities, collectively known as Badlock, affecting both Windows operating systems and Samba in UNIX-like platforms. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system or create a denial-of-service condition.
Users and administrators are encouraged to review Samba Release News and Vulnerability Note VU#813296 for more information and apply the necessary updates.
Microsoft Unleashes 13 Bulletins, Six Critical
Microsoft released six critical vulnerabilities in addition to patching the much-hyped Badlock vulnerability.
[SE-2012-01] Yet another broken security fix in IBM Java 7/8
Posted by Security Explorations on Apr 12
Hello All,
We discovered that yet another fix for a security vulnerability in IBM
Java (Issue 70 [1] assigned CVE-2013-5456) we reported to the company
in 2013 hasn’t been fixed properly.
Again, the actual root cause of the issue hasn’t been addressed at all.
There were no security checks introduced anywhere in the code. The patch
primarily addressed the scenario illustrated by a Proof of Concept code.
It didn’t take into account…
ImPAX Agility 1.1074.RC.b122.20150602 Cross Site Scripting
ImPAX Agility version 1.1074.RC.b122.20150602 suffers from multiple cross site scripting vulnerabilities.
Bugtraq: [SECURITY] [DSA 3547-1] imagemagick security update
Bugtraq: [SECURITY] [DSA 3485-2] didiwiki security update
Bugtraq: WordPress Robo Gallery v2.0.14 – Code Execution Vulnerability