With the introduction of macOS Sierra 10.12, Apple has patched dozens of security vulnerabilities and also tackled a few Safari 10 bugs to boot.
Monthly Archives: September 2016
Mozilla Releases Security Updates
Original release date: September 20, 2016
Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Available updates include:
- Firefox 49
- Firefox ESR 45.4
Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
CVE-2016-6802
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
Apple Releases Security Updates
Original release date: September 20, 2016
Apple has released security updates to address vulnerabilities in macOS Server, macOS Sierra, and Safari. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.
US-CERT encourages users and administrators to review the Apple security pages for macOS Server, macOS Sierra, and Safari and apply the necessary updates.
Blind SQL Injection in Exponent CMS <= v2.3.9
Posted by Manuel Garcia Cardenas on Sep 20
=============================================
MGC ALERT 2016-005
– Original release date: September 09, 2016
– Last revised: September 20, 2016
– Discovered by: Manuel García Cárdenas
– Severity: 7,1/10 (CVSS Base Score)
– CVE-ID: CVE-2016-7400
=============================================
I. VULNERABILITY
————————-
Blind SQL Injection in Exponent CMS <= v2.3.9
II. BACKGROUND
————————-
Exponent CMS is a…
Joomla! session id not hashed.
Posted by Blazej Adamczyk on Sep 20
Title: Joomla! session id not hashed
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip
Version: 3.6.2 and below
Vendor: https://www.joomla.org/
Vendor Notified: 2016-09-20
Vendor Contact: https://www.joomla.org/
CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
Description:
The session_ids for all joomla users are stored in…
CVE-2016-6662
Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib.
Apple Security Advisory 2016-09-20-6
Apple Security Advisory 2016-09-20-6 – The tvOS 10 advisory has been released to describe issues relating to memory corruption, code execution, and more.
Exponent CMS 2.3.9 Blind SQL Injection
Exponent CMS versions 2.3.9 and below suffer from a remote blind SQL injection vulnerability.
Cybersecurity is a process, not a one-time solution
Digitization – the use of social, mobile, analytics, and cloud technologies to generate, process, store and communicate data – is transforming everything, with profound implications for how we learn, work and play.
“Digital transformation is not just a technology trend, it is at the center of business strategies across all industry segments and markets,” stated IDC.