Posted by Dirk-Willem van Gulik on Apr 03
ninka license identification tool
insufficient escaping of external input
CVE-2017-7239 / CVSS 9.3
1.06
The ninka license identification tool does not properly escape
special characters in the files it encounters – such as the ‘&’.
In case of an alien code bases; or a code base that is brought in for
examination – a third party may doctor the file names as to cause
a…
Posted by David Coomber on Apr 03
Trend Micro Enterprise Mobile Security Android Application – MITM SSL
Certificate Vulnerability (CVE-2016-9319)
BackBox Linux 4.6 allows remote attackers to cause a denial of service (ksoftirqd CPU consumption) via a flood of packets with Martian source IP addresses (as defined in RFC 1812 section 5.3.7). This product enables net.ipv4.conf.all.log_martians by default.
The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow physically proximate attackers to obtain sensitive information from process memory in opportunistic circumstances by reading a workstation screen during use of a –write-out argument ending in a ‘%’ character, which leads to a heap-based buffer over-read.
The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex Software, Inc. Ghostscript 9.20 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PostScript document.
Small and medium-sized businesses (SMBs) are the biggest targets of cybercriminals, and they often don’t have the necessary budgets, people, processes, and products to protect themselves. Because of this, SMBs are increasingly turning their cybersecurity protection over to managed service providers (MSPs).
