Full Disclosure
Posted by E Boogie on Oct 12
I’ve found a Content Security Policy bypass similar and related to the
same origin policy bypass in CVE-2014-6041.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041
I’ve tested this on an Android 4.3 tablet running a bunch of different
browsers, including Inbrowser, Firefox, and the default Android
browser on an emulator for Android 4.3.1.
HTML PoC:
<input type=button value=”test” onclick=”…
Posted by Alexandre Herzog on Oct 10
#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product: BusinessObjects Explorer
# Vendor: SAP AG
# Subject: Untrusted XML input parsing possible in SBOP Explorer
# Risk: High
# Effect: Remotely exploitable
#…
Posted by Alexandre Herzog on Oct 10
#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product: BusinessObjects Explorer
# Vendor: SAP AG
# Subject: Cross Site Flashing
# Risk: High
# Effect: Remotely exploitable
# Author: Stefan Horlacher
#…
Posted by Alexandre Herzog on Oct 10
#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product: BusinessObjects Explorer
# Vendor: SAP AG
# Subject: Potential information disclosure relating to SBOP Explorer
# Risk: Medium
# Effect: Remotely…
Posted by Alexandre Herzog on Oct 10
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: neuroML
# Version: <=v1.8.1 (Confirmed: v1.8.1)
# Vendor: neuroML.org
# CSNC ID: CSNC-2014-004
# CVD ID: <none>
# Subject: Multiple Vulnerabilities
# Risk: High
# Effect: Remotely exploitable
# Author:…
Posted by Michael Stroucken on Oct 09
I was a little bit worried about my Foswiki install, but it looks like
it has been untainting this parameter since Sun Dec 21 19:48:21 2008.
Greetings,
Michael.
Posted by Peter Thoeny on Oct 09
This is an advisory for TWiki administrators: Attaching a specially named file allows remote upload of an Apache
configuration file. This applies to native TWiki installations on Windows, the TWiki-VM (virtual machine) running in a
Windows server environment is not affected.
TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.
* Vulnerable Software Version
* Attack Vectors…
Posted by Peter Thoeny on Oct 09
This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code
execution.
TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.
* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki Production Release 6.0.0…
Posted by illwill on Oct 08
Posted by Onapsis Research Labs on Oct 08
Onapsis Security Advisory 2014-032: SAP BusinessObjects Persistent Cross
Site Scripting
1. Impact on Business
=====================
By exploiting this vulnerability a remote unauthenticated attacker would
be able to attack other users of the system.
Risk Level: Medium
2. Advisory Information
=======================
– Public Release Date: 2014-10-08
– Subscriber Notification Date: 2014-10-08
– Last Revised: 2014-09-17
-…