Posted by Ian Ling on Jun 16
[+] Credits: Ian Ling
[+] Website: iancaling.com
Vendor:
=================
www.ceragon.com
Product:
======================
-FibeAir IP-10
Vulnerability Type:
===================
Default Root Account
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Ceragon FibeAir IP-10 devices do not properly ensure that a user has
authenticated before granting them access to the web interface of the
device. The attacker simply…
Posted by Timothy D. Morgan on Jun 16
Python’s built-in URL library (“urllib2” in 2.x and “urllib” in 3.x)
is vulnerable to protocol stream injection attacks (a.k.a. “smuggling”
attacks) via the http scheme. If an attacker could convince a Python
application using this library to fetch an arbitrary URL, or fetch a
resource from a malicious web server, then these injections could
allow for a great deal of access to certain internal services.
URLs of…
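The mechanism Morgan describes, as an added example written for this listing rather than taken from his post or from CPython: a request builder that percent-decodes the host and writes it straight into the stream (an assumption modelled on the old urllib behaviour, not its code), a toy origin-side parser that shows the decoded CRLF turning into a header the application never set, and a pre-fetch validator that rejects such URLs. The URLs, header names, function names and the allowlist parameter are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that must never reach the wire inside a request line or header:
# CR, LF, NUL and the remaining C0 controls plus DEL.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Plain hostname or IPv4 literal with an optional numeric port; bracketed
# IPv6 hosts are deliberately rejected to keep the check simple and strict.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def build_request(url, extra_headers=None):
    """Reconstruct the injection-prone pattern (assumption: the host is
    percent-decoded before being emitted, with no control-character check).
    Returns the raw bytes-as-text a naive client would send."""
    parts = urlsplit(url)
    host = unquote(parts.netloc)            # decoding turns %0d%0a into CRLF
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host, "User-Agent: example/1.0"]
    for name, value in (extra_headers or {}).items():
        lines.append("%s: %s" % (name, value))
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    """Parse a request the way a simple origin server would: request line,
    then one header per CRLF-separated line. Returns (request_line, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def url_is_safe(url, allowed_hosts=None):
    """Hardened pre-fetch check. Rejects non-http schemes, control characters
    in any component (raw or after percent-decoding) and hosts that are not
    plain hostnames/IPv4 literals. If allowed_hosts (a set of lowercase names)
    is given, the host must also be on it, which is the cheapest SSRF defence."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    for component in (parts.netloc, parts.path, parts.query, parts.fragment):
        if _CONTROL_CHARS.search(component) or _CONTROL_CHARS.search(unquote(component)):
            return False
    host = unquote(parts.netloc)
    if not _HOST_RE.match(host):
        return False
    if allowed_hosts is not None and host.split(":")[0].lower() not in allowed_hosts:
        return False
    return True


# Constructed attacker-controlled URL: the "host" carries an encoded CRLF
# followed by a header the application never intended to send.
EVIL_URL = "http://127.0.0.1%0d%0aX-Injected:%201/foo"
BENIGN_URL = "http://example.com/path?q=1"


def demo():
    """Run the injection through the naive builder and the hardened check."""
    request_line, headers = parse_request(build_request(EVIL_URL))
    return request_line, headers, url_is_safe(EVIL_URL), url_is_safe(BENIGN_URL)


if __name__ == "__main__":
    line, hdrs, evil_ok, benign_ok = demo()
    print(line)
    for name, value in hdrs:
        print("%s: %s" % (name, value))
    print("evil allowed:", evil_ok, "benign allowed:", benign_ok)
```

The same check belongs on every Location header the client follows, not only on the URL the application starts with, because the second vector in the post is a malicious origin redirecting the client into the injection. Upgrading to a Python whose http.client refuses header values containing CR or LF removes the smuggling, but an allowlist of hosts is still what stops the fetch from reaching internal services in the first place.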
Posted by Securify B.V. on Jun 15
------------------------------------------------------------------------
Microsoft Visio multiple DLL side loading vulnerabilities
------------------------------------------------------------------------
Yorick Koster, August 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple DLL side loading vulnerabilities were found in…
Posted by omarbv on Jun 15
Application
-----------
KeyLemon offers convenient, secure and continuous biometric
authentication solutions based on face and speaker recognition.
To improve robustness to illumination and pose, as well as to provide
enhanced security against photo/video spoofing attacks, KeyLemon’s
latest face recognition algorithms take full benefit of 3D depth sense
cameras by efficiently combining depth, near-infrared and color
information….
Posted by Ian Ling on Jun 15
[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: http://blog.iancaling.com/post/145309944453/
Vendor:
=================
www.siklu.com/
Product:
======================
-EtherHaul EH-1200F/FX/TX, EH-2200F/FX, EH-600T/TL
-EtherHaul EH-1200/TL
Vulnerability Type:
===================
Default Root Account
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Siklu EtherHaul radios have a built-in, hidden root…
Posted by Nate Kettlewell on Jun 15
Java Deserialization in Solarwinds Virtualization Manager 6.3.1
Product: Solarwinds Virtualization Manager
Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1
Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016
Vulnerability Type: Deserialization of Untrusted Data [CWE-502]
CVE Reference: CVE-2016-3642
Risk Level: High
CVSSv2 Base Score: 10…
Posted by Nate Kettlewell on Jun 15
Product: Solarwinds Virtualization Manager
Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1
Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016
Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-3643
Risk Level: High
CVSSv3 Base Score: 7.8…
Posted by Stefan Kanthak on Jun 15
Hi @ll,
<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla’s executable installers for
Windows … but does NOT!
JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner’s error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. download…
Posted by Nate Kettlewell on Jun 15
Product: Solarwinds Virtualization Manager
Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1
Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016
Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-3643
Risk Level: High
CVSSv2 Base Score: 7.8…
Software and Security Information