[KIS-2016-13] Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability

Posted by Egidio Romano on Nov 07

—————————————————————
Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability
—————————————————————

[-] Software Link:

https://piwik.org/

[-] Affected Versions:

Version 2.16.0 and prior versions.

[-] Vulnerability Description:

The vulnerability can be triggered through the saveLayout() method
defined in /plugins/Dashboard/Controller.php:

210….
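The listing above is cut off on this page. As an added illustration of the vulnerability class the advisory names (PHP object injection via unserialize() on attacker-controlled data), and not Piwik's saveLayout() code nor anything written by the advisory author, the following self-contained PHP script shows the unsafe pattern beside a hardened one. The class and function names (PurgeOnTeardown, restoreLayoutUnsafe, restoreLayoutSafe, $layoutParam) and the serialized payload are constructed for this example; the gadget only records what a real one would do. It needs PHP 8.0 or later (the allowed_classes option exists since PHP 7.0).

```php
<?php
declare(strict_types=1);

// Added example, not Piwik's code. A class with a magic method that runs when
// an instance is torn down. In a real application this is some existing
// library class (a "gadget"); this constructed stand-in only logs its action.
final class PurgeOnTeardown
{
    public string $path = '';
    public static array $log = [];

    public function __destruct()
    {
        // A real gadget might call unlink($this->path) or worse here.
        self::$log[] = "would unlink {$this->path}";
    }
}

// Vulnerable pattern: a request parameter reaches unserialize() unchanged,
// so the attacker chooses which classes get instantiated.
function restoreLayoutUnsafe(string $layoutParam): mixed
{
    return unserialize($layoutParam);
}

// True if the decoded value is, or contains, any object (including
// __PHP_Incomplete_Class placeholders produced by allowed_classes => false).
function containsObject(mixed $v): bool
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $x) {
            if (containsObject($x)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened: forbid class instantiation from untrusted data and reject any
// payload that still carries object placeholders.
function restoreLayoutSafe(string $layoutParam): mixed
{
    $value = unserialize($layoutParam, ['allowed_classes' => false]);
    if ($value === false || containsObject($value)) {
        throw new InvalidArgumentException('objects are not allowed in layout data');
    }
    return $value;
}

// Constructed attacker payload: a serialized PurgeOnTeardown with a chosen path.
$payload = 'O:15:"PurgeOnTeardown":1:{s:4:"path";s:11:"/etc/passwd";}';

// Unsafe path: the object is created and __destruct fires when it is released.
$obj = restoreLayoutUnsafe($payload);
unset($obj);
var_dump(PurgeOnTeardown::$log); // array containing "would unlink /etc/passwd"

// Safe path: the same payload is rejected before any gadget can run.
try {
    restoreLayoutSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Better still for layout data: a format with no object semantics at all.
$layout = json_decode('[{"col":1,"widgets":["VisitsSummary"]}]', true, 512, JSON_THROW_ON_ERROR);
var_dump($layout[0]['col']); // int(1)
```

The allowed_classes option stops instantiation, but a serialized object still decodes to a __PHP_Incomplete_Class placeholder, which is why the hardened function walks the result and rejects any object rather than trusting the option alone. Where the data has no legitimate need for objects, switching the wire format to JSON removes the problem class entirely.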

Wikileaks Gets DDoSed after Leaking 8,200 DNC Emails One Day before U.S. Election

With just two days before the presidential election, WikiLeaks late Sunday night published a new trove of emails apparently hacked from the Democratic National Committee (DNC).

The most recent dump of more than 8,000 emails comes after the whistleblowing site, on a daily basis over the last four weeks, has already leaked over 50,000 emails stolen from the key figure in the DNC – Hillary Clinton’s

Tesco Bank Hacked — Cyber Fraudsters Stole Money From 20,000 Accounts

Almost 20,000 Tesco Bank customers have had money stolen from their accounts after the banking arm of the UK’s biggest retailer fell victim to a hacking attack this weekend.

As a result of the hack, Tesco Bank has frozen online transactions in an attempt to protect its customers from, what it described as, the “online criminal activity.”

However, customers can still use their debit and

Red Hat Security Advisory 2016-2659-01

Red Hat Security Advisory 2016-2659-01 – IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 6 to version 6 SR16-FP35. Security Fix: This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.

Red Hat Security Advisory 2016-2658-01

Red Hat Security Advisory 2016-2658-01 – The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix: It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy() function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine’s memory and completely bypass Java sandbox restrictions.

[SYSS-2016-085] Aruba OS Improper Authentication – (CWE-287)

Posted by Klaus Tichmann on Nov 07

Advisory ID: SYSS-2016-085
Product: AOS
Manufacturer: Aruba Networks
Affected Version(s): 6.3.1.19
Tested Version(s): 6.3.1.19 on an RAP-3 router
Vulnerability Type: Improper Authentication
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-09-06
Solution Date: —
Public Disclosure: 2016-11-07
CVE Reference: Not yet assigned
Author of Advisory: Klaus Tichmann, SySS GmbH…

Several unpatched vulns in OwnCloud

Posted by Felix Matei on Nov 07

Dear Community

By comparing the advisories of NextCloud and OwnCloud I figured out that OwnCloud has multiple unpatched
vulnerabilities.

You can see the list here; it seems all patches from the latest Nextcloud 10.0.1 release are missing in OwnCloud:
https://nextcloud.com/security/advisories. This seems to include XSS vulns and more.

An example exploit for one of the vulns would look like this:
http://demo.owncloud.org/index.php/apps/gallery/#

[RootedCON 2017] Call for Papers open for RootedCON Madrid 2017!

Posted by Román Ramírez on Nov 07

Hello all:

We have opened the Call for Papers for our upcoming event in Madrid, Spain.
RootedCON is the biggest security event in Spain and one of the biggest in
Europe.

Attached you can find the text for the CFP (EN for English speakers,
ES for Spanish ones), and if you prefer to go directly to the
form, here it is:

In English:
https://www.rootedcon.com/cfp/cfp2017-en/

In Spanish:…