Category Archives: Full Disclosure

MSA-2015-02: Hewlett-Packard UCMDB – JMX-Console Authentication Bypass

Posted by Advisories on Feb 03

Mogwai Security Advisory MSA-2015-02
----------------------------------------------------------------------
Title: Hewlett-Packard UCMDB – JMX-Console Authentication Bypass
CVE-ID: CVE-2014-7883
Product: Hewlett-Packard Universal CMDB (UCMDB)
Affected versions: UCMDB 10.10 (Other versions might also be affected)
Impact: high
Remote: yes
Product link:…

My Little Forum Multiple XSS Security Vulnerabilities

Posted by Jing Wang on Feb 03

*My Little Forum Multiple XSS Security Vulnerabilities*

Exploit Title: My Little Forum Multiple XSS Security Vulnerabilities
Vendor: My Little Forum
Product: My Little Forum
Vulnerable Versions: 2.3.3 2.2 1.7
Tested Version: 2.3.3 2.2 1.7
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM)…

Maldrone for drones.

Posted by Rahul Sasi on Feb 03

I wrote a blog post last week regarding a small project I was working on in my
free time, “Learning about Drones and security issues”, and a YouTube demo
video titled “Maldrone first malware for drones”. The blog is a preview of
a few things I would be presenting at my upcoming talk at Nullcon
<http://nullcon.net/website/goa-15/about-speakers.php>.

Video: https://www.youtube.com/watch?v=5SlWdl4ZuAI
Blog:…

[Call For Papers] BSides Knoxville, TN – May 15th 2015

Posted by Adam Caudill on Feb 02

Calling all Makers, Hackers, Red Teams, Blue Teams, or anyone who wants to rant about security and privacy! The first
ever BSides Knoxville is scheduled for May 15th, 2015 @ Scruffy City Hall, and we’re looking for creative, cutting-edge
presentations. Whether you’ve devised a new attack against internet-connected gas pumps or discovered a new behavioral
analysis technique for identifying botnet C&C, we want to hear from you!…

Re: iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files…

Posted by Stefan Kanthak on Feb 02

“Brandon Perry” <bperry.volatile () gmail com> wrote:

Or do you mean exploits like this one:
<http://seclists.org/fulldisclosure/2014/May/163>

EVERY developer should know that

* his/her software is not the only application installed on a user's PC;

* the outdated or vulnerable components s/he delivers and installs can
be called by every other application or malware running on a user's PC!

JFTR: the MSVCRT DLL of Visual…

Re: iTunes 12.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files…

Posted by Stefan Kanthak on Feb 02

“Brandon Perry” <bperry.volatile () gmail com> wrote:

Do you mean something like

Copy %COMSPEC% Program.exe
MakeCAB.Exe Program.exe
Delete Program.exe
WUSA.Exe “%CD%Program.ex_” /Extract:%SystemDrive%

which according to the MSRC (which Apple usually refers to) does not qualify
since it only exploits the braindead autoelevation of the user account
control in its default setting, although every user of…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Joey Fowler on Feb 02

Hi David,

“nice” is an understatement here.

I’ve done some testing with this one and, while there *are* quirks, it most
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don’t contain X-Frame-Options headers
(with `deny` or `same-origin` values), it executes successfully. Pending
the payload being injected, most Content Security Policies are also
bypassed (by…

About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com Open Redirect Security Vulnerabilities

Posted by Jing Wang on Feb 02

*About Group (about.com <http://about.com>) All Topics (At least 99.88%
links) Vulnerable to XSS & Iframe Injection Security Attacks, About.com
Open Redirect Security Vulnerabilities*

*Vulnerability Description:*
About.com all “topic sites” are vulnerable to XSS (Cross-Site Scripting)
and Iframe Injection (Cross Frame Scripting) attacks. This means all
sub-domains of about.com are affected. Based on a self-written program,…

CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Security Vulnerabilities

Posted by Jing Wang on Feb 02

*CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site
Scripting) Security Vulnerabilities*

Exploit Title: OptimalSite CMS /display_dialog.php image Parameter XSS
Security Vulnerability
Vendor: OptimalSite
Product: OptimalSite Content Management System (CMS)
Vulnerable Versions: V.1 V2.4
Tested Version: V.1 V2.4
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE…

Sefrengo CMS v1.6.1 – Multiple SQL Injection Vulnerabilities

Posted by ITAS TEAM on Feb 02

# Exploit Title: Sefrengo CMS v1.6.1 – Multiple SQL Injection Vulnerabilities
# Vendor: http://www.sefrengo.org/
# Download link: http://forum.sefrengo.org/index.php?showtopic=3368 (https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07)
# CVE ID: CVE-2015-1428
# Vulnerability: SQL Injection
# Affected version: Sefrengo CMS v1.6.1
# Fixed version: Sefrengo CMS v1.6.2
#…