Category Archives: Full Disclosure

Full Disclosure

BookFresh – Persistent Clients Invite Vulnerability

Posted by Vulnerability Lab on Nov 07

Document Title:
===============
BookFresh – Persistent Clients Invite Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1351

Release Date:
=============
2014-10-28

Vulnerability Laboratory ID (VL-ID):
====================================
1351

Common Vulnerability Scoring System:
====================================
3.9

Product & Service Introduction:…

SeasonApps iTransfer 1.1 – Persistent UI Vulnerability

Posted by Vulnerability Lab on Nov 07

Document Title:
===============
SeasonApps iTransfer 1.1 – Persistent UI Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1347

Release Date:
=============
2014-10-27

Vulnerability Laboratory ID (VL-ID):
====================================
1347

Common Vulnerability Scoring System:
====================================
2.5

Product & Service Introduction:…

Insecure management of login credentials in PicsArt Photo Studio for Android [STIC-2014-0426]

Posted by Programa STIC on Nov 06

Fundación Dr. Manuel Sadosky – Programa STIC Advisory
http://www.fundacionsadosky.org.ar

Insecure management of login credentials in PicsArt Photo Studio for
Android

1. *Advisory Information*

Title: Insecure management of login credentials in PicsArt Photo
Studio for Android
Advisory ID: STIC-2014-0426
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-06
Date of last update: 2014-11-06
Vendors…

WordPress bulletproof-security <=.51 multiple vulnerabilities

Posted by Pietro Oliva on Nov 06

Vulnerability title: WordPress bulletproof-security <=.51 multiple
vulnerabilities
Author: Pietro Oliva
CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749
Vendor: AITpro
Product: bulletproof-security
Affected version: bulletproof-security <= .51
Vulnerabilities fixed in version: .51.1

Details:

xss vulnerability (CVE-2014-7958):

POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php
HTTP/1.1…

[The ManageOwnage Series, part VI]: 0day database info and superuser credential disclosure in EventLog Analyser

Posted by Pedro Ribeiro on Nov 06

Hi,

This is the 6th part of the ManageOwnage series. For previous parts see [1].

This time we have two 0 day vulns (CVE-2014-6038 and 6039) that can be
abused to dump information from the database and obtain the superuser
credentials for Windows and AS/400 hosts which are managed by EventLog
Analyzer. A Metasploit module has also been released and should be
integrated in the framework in the next few days [2].

I’m releasing these as a 0…

DAVOSET v.1.2.2

Posted by MustLive on Nov 06

Hello participants of Mailing List.

After making public release of DAVOSET
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html),
I’ve made next update of the software. At 31st of October DAVOSET v.1.2.2
was released – DDoS attacks via other sites execution tool
(http://websecurity.com.ua/davoset/).

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

GitHub:…

CVE-2014-8558 – JExperts Tecnologia – Channel Software Escalation Access Issues

Posted by Luciano Pedreira on Nov 06

CVE-2014-8558 – JExperts Tecnologia / Channel Software Escalation Access
Issues
Vendor Notified: 2014-10-27

INTRODUCTION:

The Channel Platform is an enterprise software project management (or
project management) developed by Brazilian company JExperts Technology and
present at thousands clients private enterprise and government enterprise.
This software consists of an integrated set of solutions in the areas of
strategy, projects and processes….

CVE-2014-8557 – JExperts Tecnologia – Channel Software Cross Site Scripting Issues

Posted by Luciano Pedreira on Nov 06

CVE-2014-8557 – JExperts Tecnologia / Channel Software Cross Site Scripting
Issues
Vendor Notified: 2014-10-27

INTRODUCTION:

The Channel Platform is an enterprise software project management (or
project management) developed by Brazilian company

JExperts Technology and present at thousands clients private enterprise and
government enterprise. This software consists of an integrated set of
solutions in the areas of strategy, projects and…

XCloner WordPress/Joomla! backup Plugin v3.1.1 (WordPress) v3.5.1 (Joomla!) Vulnerabilities

Posted by Larry W. Cashdollar on Nov 06

Title: XCloner WordPress/Joomla! backup Plugin v3.1.1 (WordPress) v3.5.1 (Joomla!) Vulnerabilities
Author: Larry W. Cashdollar, @_larry0
Date: 10/17/2014
Download: https://wordpress.org/plugins/xcloner-backup-and-restore/
Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
Downloads: WordPress 313,647 Joomla! 515745 StandAlone 69175
Website: http://www.xcloner.com
Advisory:…

SEC Consult SA-20141106-0 :: XXE & XSS & Arbitrary File Write vulnerabilities in Symantec Endpoint Protection

Posted by SEC Consult Vulnerability Lab on Nov 06

SEC Consult Vulnerability Lab Security Advisory < 20141106-0 >
=======================================================================
title: XXE & XSS & Arbitrary File Write vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 12.1.4023.4080
fixed version: 12.1.5 (RU 5)
impact: Critical
CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439…