Monthly Archives: December 2016

Full Disclosure

Reflected XSS in Social Pug – Easy Social Share Buttons could allow an attacker to do almost anything an admin user can (WordPress plugin)

Posted by dxw Security on Dec 10

Details
================
Software: Social Pug – Easy Social Share Buttons
Version: 1.1.2,1.2.5
Homepage: http://wordpress.org/plugins/social-pug/
Advisory report:
https://security.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in Social Pug…

Full Disclosure

CSRF vulnerability in Multisite Post Duplicator could allow an attacker to do almost anything an admin user can do (WordPress plugin)

Posted by dxw Security on Dec 10

Details
================
Software: Multisite Post Duplicator
Version: 0.9.5.1
Homepage: http://wordpress.org/plugins/multisite-post-duplicator/
Advisory report:
https://security.dxw.com/advisories/csrf-vulnerability-in-multisite-post-duplicator-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
CSRF vulnerability in Multisite…

Debian

DSA-3730 icedove – security update

Multiple security issues have been found in Icedove, Debian’s version of
the Mozilla Thunderbird mail client: Multiple memory safety errors,
same-origin policy bypass issues, integer overflows, buffer overflows
and use-after-frees may lead to the execution of arbitrary code or
denial of service.

Ubuntu

USN-3153-1: Oxide vulnerabilities

Ubuntu Security Notice USN-3153-1

9th December, 2016

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine for Qt (QML plugin)

Details

Multiple vulnerabilities were discovered in Chromium. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to conduct cross-site scripting (XSS) attacks,
read uninitialized memory, obtain sensitive information, spoof the
webview URL, bypass same origin restrictions, cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5204,
CVE-2016-5205, CVE-2016-5207, CVE-2016-5208, CVE-2016-5209, CVE-2016-5212,
CVE-2016-5215, CVE-2016-5222, CVE-2016-5224, CVE-2016-5225, CVE-2016-5226,
CVE-2016-9650, CVE-2016-9652)

Multiple vulnerabilities were discovered in V8. If a user were tricked in
to opening a specially crafted website, an attacker could potentially
exploit these to obtain sensitive information, cause a denial of service
via application crash, or execute arbitrary code. (CVE-2016-5213,
CVE-2016-5219, CVE-2016-9651)

An integer overflow was discovered in ANGLE. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code. (CVE-2016-5221)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
liboxideqtcore0

1.19.4-0ubuntu0.16.10.1
Ubuntu 16.04 LTS:
liboxideqtcore0

1.19.4-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
liboxideqtcore0

1.19.4-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-5204,

CVE-2016-5205,

CVE-2016-5207,

CVE-2016-5208,

CVE-2016-5209,

CVE-2016-5212,

CVE-2016-5213,

CVE-2016-5215,

CVE-2016-5219,

CVE-2016-5221,

CVE-2016-5222,

CVE-2016-5224,

CVE-2016-5225,

CVE-2016-5226,

CVE-2016-9650,

CVE-2016-9651,

CVE-2016-9652