Posted by Alex Haynes on Feb 02
CVE-2014-5360 Landesk Management Suite XSS (Cross-Site Scripting) Security Vulnerability
Exploit Title: Landesk Management Suite Cross-Site scripting vulnerability
Product: Landesk Management Suite
Vulnerable Versions: 9.5 (possibly previous versions), 9.6
Tested Version: 9.5
Advisory Publication: Feb 02, 2015
Latest Update: Feb 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5360
Credit: Alex Haynes
Advisory Details:…
Posted by Stefan Kanthak on Feb 01
Hi @ll,
See <http://seclists.org/bugtraq/2014/Oct/164>,
<http://seclists.org/fulldisclosure/2014/Oct/109>,
<http://seclists.org/fulldisclosure/2014/Aug/44>,
<http://seclists.org/fulldisclosure/2014/Aug/33> and
<http://seclists.org/fulldisclosure/2014/Jul/30> for the
prequel.
The just released iTunes 12.1 for Windows comes again with
outdated and VULNERABLE 3rd party libraries.
In AppleMobileDeviceSupport.msi:
*…
Posted by Steffen Rösemann on Feb 01
Advisory: SQL injection vulnerabilities in zerocms <= v.1.3.3
Advisory ID: SROEADV-2015-13
Author: Steffen Rösemann
Affected Software: zerocms <= v.1.3.3 (released 23rd-Jan-2015)
Vendor URL: http://aas9.in/zerocms/
Vendor Status: platform will be moving to Rails4
CVE-ID: –
==========================
Vulnerability Description:
==========================
Content management system Zerocms v. 1.3.3 suffers from SQL injection
vulnerabilities….
Posted by Stefan Kanthak on Feb 01
Hi @ll,
on Windows, the command line an application receives can differ
from the command line the calling application supplies to
CreateProcess*().
The documentation of GetCommandLine()
<https://msdn.microsoft.com/en-us/library/ms683156.aspx> tells:
| Note The name of the executable in the command line that
| the operating system provides to a process is not necessarily
| identical to that in the command line that the calling process
|…
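The documented difference is easy to see with a small program. The following is an added example, not code from Stefan Kanthak's post or from Microsoft: it launches a copy of itself through CreateProcessW with lpApplicationName pointing at the real image while lpCommandLine carries a fabricated first token (the path C:\Somewhere\Else\bogus.exe is invented for the demo and does not need to exist), then prints what the child sees via GetCommandLineW(), argv[0] and GetModuleFileNameW(). The first_token() helper mirrors the rule the CRT uses to split off argv[0] and is portable; only the CreateProcess part is guarded by _WIN32.

```c
/* Added example (not from the original post): the executable name in the
 * command line a Windows process receives is whatever the caller put in
 * lpCommandLine, not necessarily the image the kernel actually loaded. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split off the first token of a command line the way the CRT builds argv[0]:
 * a leading '"' means "up to the next '"' (or end of string)", otherwise
 * "up to the first space or tab". Returns the token length, or -1 if `out`
 * (of size outsz) is too small. Portable, so it can be tested anywhere. */
static int first_token(const char *cmdline, char *out, size_t outsz)
{
    const char *start;
    const char *end;

    if (*cmdline == '"') {
        start = cmdline + 1;
        end = strchr(start, '"');
        if (end == NULL)
            end = start + strlen(start);
    } else {
        start = cmdline;
        end = start;
        while (*end != '\0' && *end != ' ' && *end != '\t')
            end++;
    }

    size_t len = (size_t)(end - start);
    if (len + 1 > outsz)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return (int)len;
}

#ifdef _WIN32
#include <windows.h>
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    wchar_t self[MAX_PATH];
    /* The loader knows which image it mapped; this does not depend on the caller. */
    GetModuleFileNameW(NULL, self, MAX_PATH);

    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        /* Child side: three views of "who am I". Only the last one is trustworthy. */
        printf("GetCommandLineW():    %ls\n", GetCommandLineW());
        printf("argv[0]:              %s\n", argv[0]);
        printf("GetModuleFileNameW(): %ls\n", self);
        return 0;
    }

    /* Parent side: run the real image (lpApplicationName = our own path) but
     * hand the child a command line whose first token is a fabricated path.
     * C:\Somewhere\Else\bogus.exe is constructed for the demo and need not exist.
     * lpCommandLine must be writable for the W variant, hence the array. */
    wchar_t cmdline[] = L"\"C:\\Somewhere\\Else\\bogus.exe\" --child";
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    if (!CreateProcessW(self, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcessW failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
#else
    /* Off Windows, only the argv[0] splitting rule can be shown. */
    (void)argc;
    (void)argv;
    char token[260];
    if (first_token("\"C:\\Somewhere\\Else\\bogus.exe\" --child", token, sizeof token) > 0)
        printf("first token (what argv[0] would be): %s\n", token);
#endif
    return 0;
}
```

Build with a Windows C compiler and run it without arguments: the child prints the bogus path for both GetCommandLineW() and argv[0], and the real path for GetModuleFileNameW(). Any program that derives its installation directory, or the location of DLLs and configuration files it loads, from argv[0] or the first token of GetCommandLine() is taking that location from its caller; GetModuleFileName(NULL, ...) is the reliable source.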
Posted by Onur Yilmaz on Feb 01
Information
————
Advisory by Netsparker.
Name: XSS Vulnerability in Banner Effect Header
Affected Software : Banner Effect Header
Affected Versions: 1.2.7 and possibly below
Vendor Homepage : https://wordpress.org/plugins/banner-effect-header/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1384
Netsparker Advisory Reference : NS-15-002
Description
———–
By exploiting a Cross-site scripting…
Posted by Jing Wang on Feb 01
CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2
Tested Version: 0.5.2a 1.0b1 1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU),…
Posted by David Leo on Feb 01
Deusen just published code and description here: http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.
Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.
How To Use
1. Close the popup window(“confirm” dialog) after three seconds.
2. Click “Go”.
3. After 7 seconds, “Hacked by Deusen” is actively…
Posted by jack ana on Jan 30
Posted by omarbv on Jan 30
Hello,
As expected, now you can buy your ticket for Rooted CON 2015, from 5th
to 7th March in Madrid (Spain).
As in the previous edition, all talks will be in Spanish and English,
with live translation.
Some talks were announced last week:
Abel Valero – Dismantling Webex
Adrián Villa – Bypassing DRM Protections at Content Delivery Networks
Alejandro Ramos – Red and Blue: two teams with two flavors
Andrzej Dereszowski – Turla:…
Posted by Mohammad Reza Faghani on Jan 30
A new trojan is propagating through Facebook which was able to infect more
than 110,000 users in only two days.
*Propagation*:
The trojan tags the infected user’s friends in an enticing post. Upon
opening the post, the user will get a preview of a porn video which
eventually stops and asks for downloading a (fake) flash player to continue
the preview. The fake flash player is the downloader of the actual malware.
*Background*:
We have…