Category Archives: Full Disclosure

IT Hot Topics 2015 Call for Papers

Posted by Squirrel Herder Productions on Jan 22

Carolina Advanced Digital, Inc. <http://www.cadincweb.com/> has opened the
CFP <http://cfp.hottopicsconference.com> for their 13th annual IT HotTopics
Conference
<http://www.cvent.com/events/it-hot-topics-conference/event-summary-78f9e7c592844307b345397bc2cb1a09.aspx>
and
Golf Tourney at the stunning Grandover Resort and Spa, in Greensboro, North
Carolina, U.S.A.

Conference: May 6th & 7th

CFP:…

Multiple stored/reflected XSS and SQLi vulnerabilities and unrestricted file upload in ferretCMS v. 1.0.4-alpha

Posted by Steffen Rösemann on Jan 22

Advisory:
Advisory ID: SROEADV-2015-10
Author: Steffen Rösemann
Affected Software: ferretCMS v. 1.0.4-alpha
Vendor URL: https://github.com/JRogaishio/ferretCMS
Vendor Status: vendor will patch eventually
CVE-ID: –

Tested on:

– Firefox 35, Iceweasel 31
– Mac OS X 10.10, Kali Linux 1.0.9a

==========================
Vulnerability Description:
==========================

The content management system ferretCMS v.1.0.4, which is currently in
alpha…

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS & Open Redirect Security Vulnerabilities

Posted by Jing Wang on Jan 22

Alibaba Taobao, AliExpress, Tmall, Online Electronic Shopping Website XSS
& Open Redirect Security Vulnerabilities

Domains Basic:
Alibaba Taobao, AliExpress, Tmall are the top three online shopping
websites belonging to Alibaba.

Vulnerability Discover:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore….

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

Posted by Jing Wang on Jan 22

CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
Credit: Wang Jing [MAS, Nanyang Technological…

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities

Posted by Jing Wang on Jan 22

CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference:…

Re: full name disclosure information leak in google drive

Posted by forgottenpassword on Jan 22

You can use the “forgot password” feature on a google account to find
out someone’s full name.

Test it out for yourself:

https://www.google.com/accounts/recovery/
Select “I don’t know my password”
Enter bonsaiviking () gmail com (or another gmail address)

https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address

Dan

USAA mobile app gives away personal data; fix released

Posted by David Longenecker on Jan 22

The USAA Mobile app for Android, prior to version 7.10.1 (released 19
January), contains an information disclosure vulnerability. I have
submitted a CVE-Assign request for this issue but do not yet have a CVE
assigned. The issue is demonstrated with sanitized screen captures at
http://dnlongen.blogspot.com/CVE-2015-USAA

By design, the USAA Mobile app for Android allows users to select whether
to log out immediately upon task-switching (i.e….

PhotoSync 1.1.3 Android – Command Injection Vulnerability

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
PhotoSync 1.1.3 Android – Command Injection Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1410

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1410

Common Vulnerability Scoring System:
====================================
5.2

Product & Service Introduction:…

Program-O v2.4.6 – Multiple Web Vulnerabilities

Posted by Vulnerability Lab on Jan 22

Document Title:
===============
Program-O v2.4.6 – Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1414

Release Date:
=============
2015-01-21

Vulnerability Laboratory ID (VL-ID):
====================================
1414

Common Vulnerability Scoring System:
====================================
6.3

Product & Service Introduction:
===============================…

SEC Consult SA-20150122-0 :: Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced (SDCS:SA) & SCSP

Posted by SEC Consult Vulnerability Lab on Jan 22

SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 -…