Category Archives: Full Disclosure

Huawei SEQ Analyst – XML External Entity Injection (XXE)

Posted by Uğur Cihan KOÇ on Apr 15

#Document Title:
============
Huawei SEQ Analyst – XML External Entity Injection (XXE)

#Release Date:
===========
15 Apr 2015

#CVE-ID:
=======
CVE-2015-2346

#Product & Service Introduction:
=======================
SEQ Analyst is a platform for business quality monitoring and management by
individual user and multiple vendors in a quasi-realtime and retraceable
manner
More Details & Manual ;…

[Tool/API] desenmascara.me – Fingerprinting and assessing the web security awareness of websites

Posted by Emilio Casbas on Apr 15

desenmascara.me (in English can be translated as: Unmask me) is an online PoC tool whose goal is: to raise web security
awareness among web owners in order to help decrease the constant rise of compromised websites.

The desenmascara.me PoC calculates a score also known as ‘security awareness value’ of any website (neither resources
nor crawling) based on all the metadata available.
Basically the score is based on a simple calculation…

Comsenz SupeSite CMS 7.0 Stored XSS (Cross-site Scripting) Security Vulnerabilities

Posted by Jing Wang on Apr 15

*Comsenz SupeSite CMS 7.0 Stored XSS (Cross-site Scripting) Security
Vulnerabilities*

Exploit Title: Comsenz SupeSite CMS 7.0 Stored XSS Security Vulnerabilities
Product: Supesite CMS (Content Management System)
Vendor: ComSenz
Vulnerable Versions: 6.0.1UC 7.0
Tested Version: 7.0
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version…

Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities

Posted by Jing Wang on Apr 15

*Webs ID Reflected XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: Webs ID /login.jsp &error Parameter Reflected XSS
(Cross-site Scripting) Security Vulnerabilities
Vendor: Webs, Inc
Product: Webs ID
Vulnerable Versions:
Tested Version:
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base…

NetCat CMS 3.12 HTML Injection Security Vulnerabilities

Posted by Jing Wang on Apr 15

*NetCat CMS 3.12 HTML Injection Security Vulnerabilities*

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML
Injection Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE…

NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

Posted by Jing Wang on Apr 15

*NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities*

Exploit Title: NetCat CMS 3.12 Multiple Directory Traversal Security
Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1
Tested Version: 3.12
Advisory Publication: April 14, 2015
Latest Update: April 14, 2015
Vulnerability Type: Improper Limitation of a Pathname to a Restricted…

Opoint Media Intelligence Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

Posted by Jing Wang on Apr 15

*Opoint Media Intelligence Unvalidated Redirects and Forwards (URL
Redirection) Security Vulnerabilities*

Exploit Title: Opoint Media Intelligence click.php? &noblink parameter URL
Redirection Security Vulnerabilities
Vendor: Opoint
Product: Opoint Media Intelligence
Vulnerable Versions:
Tested Version:
Advisory Publication: April 14, 2015
Latest Update: April 14, 2015
Vulnerability Type: URL Redirection to Untrusted Site (‘Open…

Problems in automatic crash analysis frameworks

Posted by Tavis Ormandy on Apr 14

Hello, this is CVE-2015-1318 and CVE-2015-1862 (essentially the same bugs in
two different implementations, apport and abrt respectively). These were
discussed on the vendors list last week.

If the first character of kern.core_pattern sysctl is a pipe, the kernel
will invoke the specified program, and pass it the core on stdin. Apport
(Ubuntu) and Abrt (Fedora) use this feature to analyze and log crashes.

Since the introduction of containers,…

whitepaper: Identifier based XSSI attacks

Posted by Takeshi Terada on Apr 14

Hello list members,

We released a new technical whitepaper titled:
“Identifier based XSSI attacks”

CVE numbers:
CVE-2014-6345, CVE-2014-7939

URL:
http://www.mbsd.jp/Whitepaper/xssi.pdf

Introduction:
-------------------------------
Cross Site Script Inclusion (XSSI) is an attack technique (or a
vulnerability) that enables attackers to steal data of certain types
across origin boundaries, by including target data using SCRIPT tag in…