Category Archives: Full Disclosure


MyBB 1.8.6: CSRF, Weak Hashing, Plaintext Passwords

Posted by Curesec Research Team (CRT) on Sep 15

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: MyBB 1.8.6
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.mybb.com/
Vulnerability Type: CSRF, Weak Hashing, Plaintext Passwords
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Full Disclosure / Informational
CVE: n/a
Credits Tim Coen of…

Kajona 4.7: XSS & Directory Traversal

Posted by Curesec Research Team (CRT) on Sep 15

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Kajona 4.7
Fixed in: 5.0
Fixed Version Link: https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website: https://www.kajona.de/
Vulnerability Type: XSS & Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE:…

Peel Shopping 8.0.2: Object Injection

Posted by Curesec Research Team (CRT) on Sep 15

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Peel Shopping 8.0.2
Fixed in: 8.0.3
Fixed Version Link: www.peel-shopping.com
Vendor Website: www.peel-shopping.com
Vulnerability Type: Object Injection
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec…

Insecure transmission of data in Android applications developed with Adobe AIR [CVE-2016-6936]

Posted by Nightwatch Cybersecurity on Sep 15

Original at:
https://wwws.nightwatchcybersecurity.com/2016/09/14/advisory-insecure-transmission-of-data-in-android-applications-developed-with-adobe-air-cve-2016-6936/

Summary

Android applications developed with Adobe AIR send data back to Adobe
servers without HTTPS while running. This can allow an attacker to
compromise the privacy of the applications’ users. This has been fixed
in Adobe AIR SDK release v23.0.0.257.

Details

Adobe AIR is a…

Multiple vulnerabilities in ASUS RT-N10

Posted by MustLive on Sep 15

Hello list!

There are multiple vulnerabilities in ASUS Wireless Router RT-N10. There are
Code Execution, Cross-Site Scripting and URL Redirector Abuse
vulnerabilities.

-------------------------
Affected products:
-------------------------

Vulnerable are the next models: ASUS RT-N10, RT-N10E, RT-N10LX and RT-N10U
with different versions of firmware. I checked in RT-N10 with firmware
version 1.9.2.7.

Asus ignored vulnerabilities in RT-G32,…

Keypatch v2.0 is out!

Posted by Nguyen Anh Quynh on Sep 15

Greetings,
(cc: Thanh Nguyen, VNSecurity)

We are excited to release Keypatch 2.0, a better assembler for IDA Pro!

This new version of Keypatch brings some important features, as follows.

- Fix some issues with ARM architecture (including Thumb mode)
- Better support for Python 2.6 & older IDA versions (confirmed to work on
IDA 6.4)
- Save original instructions (before patching) in IDA comments.
- NOP padding also works when new instruction…

[oss-security] CVE request – Airmail URLScheme render and file:// xss vulnerability

Posted by redrain root on Sep 12

Airmail is a popular email client on iOS and OS X.
I found a vulnerability in airmail of the latest version which could cause
a file:// xss and arbitrary file read.

Author: redrain, yu.hong () chaitin com
Date: 2016-08-15
Version: 3.0.2 and earlier
Platform: OS X and iOS
Site: http://airmailapp.com/
Vendor: http://airmailapp.com/
Vendor Notified: 2016-08-15

Vulnerability:
There is a file:// xss in airmail version 3.0.2 and earlier.
The app can…

XSS found on www.google.fr

Posted by Sysdream Labs on Sep 12

# Cross-site scripting vulnerability found on www.google.fr

We were able to identify a cross-site scripting (XSS) vulnerability in the main domain of Google: www.google.fr.

### Description

Cross-site scripting is a kind of vulnerability that allows an attacker to send malicious code, usually in the form of
Javascript, to another user. Exploiting an XSS may lead to private information compromise, cookie theft or even browser
take over….

[RCESEC-2016-006] XenForo ToggleME 3.1.2 "/admin.php?options/list/toggleME" Multiple Persistent Cross-Site Scriptings

Posted by Julien Ahrens on Sep 12

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: XenForo ToggleME plugin
Vendor URL: https://xenforo.com/community/resources/toggleme.137/
Type: Cross-Site Scripting [CWE-79]
Date found: 2016-09-06
Date published: 2016-09-11
CVSSv3 Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE: –

2. CREDITS
==========
This vulnerability was discovered…

CVE-2016-6662 – MySQL Remote Root Code Execution / Privilege Escalation ( 0day )

Posted by Dawid Golunski on Sep 12

Vulnerability: MySQL Remote Root Code Execution / Privilege Escalation 0day
CVE: CVE-2016-6662
Severity: Critical
Affected MySQL versions (including the latest):
<= 5.7.15
<= 5.6.33
<= 5.5.52

Discovered by:
Dawid Golunski
http://legalhackers.com

An independent research has revealed multiple severe MySQL vulnerabilities.
This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662.
The vulnerability affects MySQL…