Due to a lack of standard encryption when transmitting sensitive information over the internet to a centralized monitoring service, the Eview EV-07S GPS Tracker discloses personally identifying information, such as GPS data and IMEI numbers, to any man-in-the-middle (MitM) listener.
Monthly Archives: March 2017
CVE-2017-5238
Due to a lack of bounds checking, several input configuration fields for the Eview EV-07S GPS Tracker will overflow data stored in one variable to another, overwriting the data of another field.
CVE-2017-5237
Due to a lack of authentication, an unauthenticated user who knows the Eview EV-07S GPS Tracker’s phone number can revert the device to a factory default configuration with an SMS command, “RESET!”
APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS
Posted by Apple Product Security on Mar 27
APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1
for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS are now
available and address the following:
Export
Available for: macOS 10.12 Sierra or later, iOS 10 or later
Impact: The contents of password-protected PDFs exported from iWork
may be exposed
Description: iWork used weak 40-bit RC4 encryption for password-
protected PDF exports. This issue was addressed by changing iWork…
CVE-2017-5900
Posted by Luke Symons on Mar 27
Hi,
Mitre has provided the following with the CVE number: CVE-2017-5900
there is a Stored XSS vulnerability in a NetComm router’s model NB16WV-02
running version NB16WV_R0.09, If authorized user is able to inject the
following string
POC:
Authenticated user is required:
http://<router_IP>/hdd.htm?rc=&S801F0334=/dkmvc%3C/script
%3E%3Cscript%3Ealert%28String.fromCharCode%28101,90,101,90%29
%29%3C/script%3Ed29f
Stored XSS will be…
pfsense 2.3.2: XSS
Posted by Curesec Research Team (CRT) on Mar 27
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim Coen of…
pfsense 2.3.2: CSRF
Posted by Curesec Research Team (CRT) on Mar 27
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim Coen of…
Vulnerabilities in Transcend Wi-Fi SD Card
Posted by MustLive on Mar 27
Hello list!
All your photos and videos are belong to me. If they are on Transcend flash
card :-).
There are Predictable Resource Location, Brute Force and Cross-Site Request
Forgery vulnerabilities in Transcend Wi-Fi SD Card.
————————-
Affected products:
————————-
Vulnerable is the next model: Transcend Wi-Fi SD Card 16 GB, Firmware v.1.8.
This model with other firmware versions and other Transcend models also…
pfsense 2.3.2: Code Execution
Posted by Curesec Research Team (CRT) on Mar 27
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim…
[FOXMOLE SA 2017-01-25] inoERP – Multiple Issues
Posted by FOXMOLE Advisories on Mar 27
=== FOXMOLE – Security Advisory 2017-01-25 ===
inoERP – Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
inoERP 0.6.1
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: inoERP
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP
Credits: FOXMOLE…