Posted by Paris Zoumpouloglou on Apr 28

== Background ==

libarchive is a library for manipulating different streaming archive
formats, including certain tar variants, several cpio formats, and both
BSD and GNU ar variants.

== Affected software ==

bsdtar

== Version ==

All tests were performed using commit
296efb3db188fa4bf7b0e7b5c61d404f9145f0ab

== Description ==

Initial fuzzing was performed using afl-fuzzer

Using a crafted tar file bsdtar can perform an out-of-bounds memory…

Posted by Jaanus on Apr 28

http://jaanuskp.blogspot.com/2015/04/stored-xss-in-ebay-messages-filenames.html

There is vulnerability in ebay that allows XSS attacks to be sent over the
messages. Ebay has not managed to fix it in more then a year!

Posted by John Page on Apr 28

Document Title:
===============
Wing FTP Server Admin 4.4.5 – CSRF & Cross Site Scripting Vulnerabilities

Release Date:
=============
2015-04-28

apparitionsec ID (AS-ID):
====================================
AS-WFTP0328

Common Vulnerability Scoring System:
====================================
Overall CVSS Score 8.9

Product:
===============================
Wing FTP Server is a Web based administration FTP client that supports
following…

Posted by C0r3dump3d on Apr 28

Curiously we had the same problem when we tried to communicate to
Wordpress the vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034). We
tried, repeatedly, to contact WP through HackerOne and email, but did
not respond. Only through the intervention of the CERT/CC, and last
about six months they showed the necessary interest.

Andres.

El 27/04/15 a las 23:33, Winni Neessen escribió:

Posted by Vulnerability Lab on Apr 28

Document Title:
===============
PayPal Inc Bug Bounty #114 – JDWP Remote Code Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1474

Video: http://www.vulnerability-lab.com/get_content.php?id=1474

Vulnerability Magazine:
http://magazine.vulnerability-db.com/?q=articles/2015/04/28/paypal-inc-bug-bounty-jdwp-remote-code-execution-vulnerability

Release Date:
=============…

Posted by Vulnerability Lab on Apr 28

Document Title:
===============
SonicWall SonicOS 7.5.0.12 & 6.x – Client Side Cross Site Scripting Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1359

Release Date:
=============
2015-04-23

Vulnerability Laboratory ID (VL-ID):
====================================
1359

Common Vulnerability Scoring System:
====================================
3

Product & Service…

Posted by Calum Hutton on Apr 28

This is a follow up to an earlier post, highlighting an XSS and information disclosure vulnerability in versions of
Untangle 9-11

The previous post is shown in full below this post.

Additional un-patched vectors have been discovered that allow for these issues to be exploited with increased
feasibility.

The vectors exist due to improper handling of uploaded files, and insufficient validation and sanitisation of their
contents.

Two…

Posted by Scott Arciszewski on Apr 27

“We also welcome bug reports for the open source projects WordPress,
BuddyPress, and bbPress.”

Oh, I see. I was mistaken.

Posted by Ryan Dewhurst on Apr 27

They’re registered as part of Automattic – https://hackerone.com/automattic

Posted by Winni Neessen on Apr 27

Am 27.04.2015 um 16:55 schrieb Hanno Böck <hanno () hboeck de>:

Looks like the WP team published an official fix:
https://wordpress.org/news/2015/04/wordpress-4-2-1/ <https://wordpress.org/news/2015/04/wordpress-4-2-1/>

“A few hours ago, the WordPress team was made aware of a cross-site
scripting vulnerability, which could enable commenters to compromise a
site. The vulnerability was discovered by Jouko Pynnönen.“

Winni