HP Security Bulletin HPSBMU03611 1 – Multiple potential security vulnerabilities have been identified with the Matrix Operating Environment on Windows and Linux that could be exploited remotely resulting in Denial of Service (DoS), Unauthorized Access, Execution of arbitrary code, Cross-site scripting (XSS), Disclosure of Sensitive Information, Code Execution, and locally resulting in Cross-site Request Forgery (CSRF). Revision 1 of this advisory.
Monthly Archives: May 2016
Charging Mobile Devices Could Put Data at Risk
Smartphones can be compromised when charged using a standard USB connection hooked up to a computer, Kaspersky Lab has discovered in a proof-of-concept experiment.
Registered the wrong email with paypal? Say goodbye to your money…
Every type of person is a PayPal person. Each day, hundreds of well-known investors and business magnates are added to the list, like Peter Thiel, one of the original Facebook investors, or the South African tycoon Elon Musk, who is the CEO of both Tesla and SpaceX.
A good part of the internet already uses PayPal. It has become the leading digital payment service because of its overall excellence: it is convenient, simple-to-use, and for the most part, safe. Another part of its success is due to the fact that, often, it is the only payment method available, leaving those who want to complete their purchase only one option: to create a PayPal account.
Don’t have an account but are considering getting one? Be very careful while completing the new user form. The slightest mistake made while typing the email address can have very serious consequences. This is a not only a problem for PayPal, but for the worldwide web, but PayPal’s case is particularly important because with the service, our money is, literally, on-the-line.
The slightest mistake when typing your email can have very serious consequences
“Pay” attention to the simple things
While registering for an account, always look for two fields to enter your email address: one to fill in and one to verify. What if there isn’t a blank space to verify your email? Proceed with caution. If you complete the email incorrectly, your account information could be sent to another email address, and ultimately your profile could be controlled by another person.
You aren’t required to check your email for a “confirmation” before you begin to use the PayPal service. You do not need to click a link sent to your Inbox to prove that you’re the owner of the email account. So if you type the wrong email, a stranger could kick you out of your account (they only have to change your password!) A stranger could gain access to your money because of one silly mistake.
Many important websites share this problem, like the popular car share service, Uber. However, the consequences of a log-in error while using PayPal are much graver than with other companies because the company sells itself on being a safe site for internet payments.
The post Registered the wrong email with paypal? Say goodbye to your money… appeared first on Panda Security Mediacenter.
HP Data Protector A.09.00 Command Execution
HP Data Protector version A.09.00 suffers from an arbitrary command execution vulnerability.
Graphite2 NameTable::getName Out-Of-Bounds Read
Graphite2 suffers from multiple heap-based out-of-bounds reads in NameTable::getName.
Graphite2 TtfUtil::CmapSubtable4NextCodepoint Buffer Overread
Graphite2 suffers from a heap-based over-read in TtfUtil::CmapSubtable4NextCodepoint.
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
Posted by Julien Ahrens on May 25
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: XenAPI for XenForo
Vendor URL: github.com/Contex/XenAPI
Type: SQL Injection [CWE-89]
Date found: 2016-05-20
Date published: 2016-05-23
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: –
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE…
CVE-2016-4803 dotCMS – Email Header Injection
Posted by Elar Lang on May 25
Title: CVE-2016-4803 dotCMS – Email Header Injection
Credit: Elar Lang / https://security.elarlang.eu
Vulnerability: Email Header Injection
Vulnerable version: before 3.5 / 3.3.2
CVE: CVE-2016-4803
Vendor: dotCMS (http://dotcms.com/)
# Description
dotCMS has an email sending functionality at path /dotCMS/sendEmail/
Some parameters are vulnerable to Email Header Injection.
# Preconditions
There is no pre-condition on authentication or on…
Re: Teampass v2.1.26 – Stored Cross Site Scripting Vulnerability
Posted by Ulisses Montenegro on May 25
This looks very similar to the persistent XSS reported a while ago on the
Teampass github, is it the same vulnerability?
https://github.com/nilsteampassnet/TeamPass/issues/1244
On 25 May 2016 at 19:10, Vulnerability Lab <research () vulnerability-lab com>
wrote:
Graphite2 TtfUtil::CheckCmapSubtable12 Buffer Overread
Graphite2 suffers from a heap-based over-read in TtfUtil::CheckCmapSubtable12.