Centreon Web Interface versions 2.5.3 and below utilize an ECHO for logging SQL errors. This functionality can be abused for arbitrary code execution, and can be triggered via the login screen prior to authentication.
Monthly Archives: July 2016
Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Creds / Remote Access
The Iris ID IrisAccess iCAM4000/7000 series suffer from use of hard-coded credentials. When the device interface is visited with a browser on port 80, the application loads an applet JAR file ‘ICAMClient.jar’ into the user’s browser which serves additional admin features. In the JAR file there is an account ‘rou’ with password ‘iris4000’ that has read and limited write privileges on the affected node. An attacker can access the device using these credentials by starting a simple telnet session on port 23, gaining access to sensitive information, and/or FTP access on port 21 (with EVERYTHING allowed), uploading malicious content.
Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution
The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exists because several POST parameters in the ‘/html/SetSmarcardSettings.php’ script are not sanitized before being used with the exec() PHP function while updating the Smart Card Settings on the affected device. Calling the ‘$CommandForExe’ variable, which is set to call the ‘/cgi-bin/setsmartcard’ CGI binary with the affected parameters as arguments, allows the attacker to execute arbitrary system commands as the root user and bypass the biometric access control in place.
Huge IT Joomla Slider 1.0.9 XSS / SQL Injection
Huge IT Joomla Slider extension version 1.0.9 suffers from cross site scripting and remote SQL injection vulnerabilities.
Iris ID IrisAccess ICU 7000-2 XSS / Cross Site Request Forgery
Iris ID IrisAccess ICU 7000-2 is prone to multiple reflected cross site scripting vulnerabilities due to a failure to properly sanitize user-supplied input to the ‘HidChannelID’ and ‘HidVerForPHP’ POST parameters in the ‘SetSmarcardSettings.php’ script. Attackers can exploit this issue to execute arbitrary HTML and script code in a user’s browser session. The application also allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
DornCMS 1.4 FileManager Cross Site Scripting
DornCMS version 1.4 suffers from a persistent cross site scripting vulnerability.
Microsoft GDI+ Untrusted Data Filter Bypass
The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, such as EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS, etc. The GDI+ implementation supports bitmaps compressed with the BI_RLE8 (8-bit Run-Length Encoding) compression algorithm, and performs the actual decompression in the gdiplus!DecodeCompressedRLEBitmap function. The buffer allocated to store the decompressed pixels is not cleared during or directly after the HeapAlloc() call, which causes it to contain heap metadata and leftover data from previous allocations. The RLE compression algorithm makes it possible to skip some (in an extreme case: all) bytes in the output buffer; this can be achieved by using escape codes such as “End of line”, “End of bitmap” or “Delta”. If the compressed stream starts with the “End of bitmap” marker, the entire memory region remains uninitialized, which in turn leads to junk bytes being displayed as pixels. In the context of GDI+ clients which make it possible to read the rendered pixels back and send them to an attacker or use them as part of a larger exploit chain, the bug could result in disclosure of sensitive data or defeat of exploit mitigations such as ASLR.
Red Hat Security Advisory 2016-1504-01
Red Hat Security Advisory 2016-1504-01 – The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: Multiple flaws were discovered in the Hotspot and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. Multiple denial of service flaws were found in the JAXP component in OpenJDK. A specially crafted XML file could cause a Java application using JAXP to consume an excessive amount of CPU and memory when parsed.
HP Security Bulletin HPSBST03603 1
HP Security Bulletin HPSBST03603 1 – HPE StoreVirtual products running LeftHand OS have addressed stack based buffer overflows in glibc’s implementation of getaddrinfo(). This vulnerability could be remotely exploited to cause Denial of Service (DoS) or allow execution of arbitrary code on the host with the permissions of the user running the glibc library. Revision 1 of this advisory.
Debian Security Advisory 3630-1
Debian Linux Security Advisory 3630-1 – Secunia Research at Flexera Software discovered an integer overflow vulnerability within the _gdContributionsAlloc() function in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of this flaw to cause a denial-of-service against an application using the libgd2 library.