Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can allow attackers to execute arbitrary code when reading or converting malformed DFX format files.
Monthly Archives: January 2017
CVE-2016-9303
Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can allow attackers to execute arbitrary code or cause an infinite loop condition when reading or converting malformed FBX format files.
CVE-2016-9306
Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can allow attackers to execute arbitrary code when reading or converting malformed DAE format files.
CVE-2016-9307
Multiple buffer overflows in the Autodesk FBX-SDK before 2017.1 can allow attackers to execute arbitrary code when reading or converting malformed 3DS format files.
Firefox 51 Begins Warning Users of Insecure HTTP Connections
Firefox 51 includes warnings to users landing on HTTP websites, and patches for nearly a half-dozen critical security vulnerabilities.
CVE-2017-5594
An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerability the remote attacker is able to reset the registered user’s password, when the debug toolbar is enabled. The password is successfully recovered using this exploit. The SecureLayer7 ID is SL7_PGKT_01.
InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection vulnerability
Posted by Summer of Pwnage on Jan 25
————————————————————————
InfiniteWP Client WordPress Plugin unauthenticated PHP Object injection
vulnerability
————————————————————————
Yorick Koster, June 2016
————————————————————————
Abstract
————————————————————————
A PHP Object injection vulnerability…
Google Forms WordPress Plugin unauthenticated PHP Object injection vulnerability
Posted by Summer of Pwnage on Jan 25
————————————————————————
Google Forms WordPress Plugin unauthenticated PHP Object injection
vulnerability
————————————————————————
Yorick Koster, June 2016
————————————————————————
Abstract
————————————————————————
A PHP Object injection vulnerability was…
CMS Commander Client WordPress Plugin unauthenticated PHP Object injection vulnerability
Posted by Summer of Pwnage on Jan 25
————————————————————————
CMS Commander Client WordPress Plugin unauthenticated PHP Object
injection vulnerability
————————————————————————
Yorick Koster, June 2016
————————————————————————
Abstract
————————————————————————
A PHP Object injection…
SalesCloud – Critical – Unsupported – SA-CONTRIB-2017-008
- Advisory ID: DRUPAL-SA-CONTRIB-2017-008
- Project: Salescloud (third-party module)
- Version: 7.x
- Date: 2017-Jan-25
- Security risk: 19/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All
Description
This module Connects Drupal to SalesCloud’s API, a Commerce Platform as a Service.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- All versions
Drupal core is not affected. If you do not use the contributed salescloud module, there is nothing you need to do.
Solution
If you use the salescloud module for Drupal 7.x you should uninstall it.
Also see the salescloud project page.
Reported by
- Cash Williams of the Drupal Security Team
Fixed by
Not applicable
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity