Category Archives: Full Disclosure

CVE-2017-5900

Posted by Luke Symons on Mar 27

Hi,
Mitre has provided the following with the CVE number: CVE-2017-5900

There is a Stored XSS vulnerability in NetComm router model NB16WV-02
running version NB16WV_R0.09, if an authorized user is able to inject the
following string

POC:
Authenticated user is required:
http://<router_IP>/hdd.htm?rc=&S801F0334=/dkmvc%3C/script
%3E%3Cscript%3Ealert%28String.fromCharCode%28101,90,101,90%29
%29%3C/script%3Ed29f

Stored XSS will be…

APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS

Posted by Apple Product Security on Mar 27

APPLE-SA-2017-03-27-1 Pages 6.1, Numbers 4.1, and Keynote 7.1
for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS are now
available and address the following:

Export
Available for: macOS 10.12 Sierra or later, iOS 10 or later
Impact: The contents of password-protected PDFs exported from iWork
may be exposed
Description: iWork used weak 40-bit RC4 encryption for password-
protected PDF exports. This issue was addressed by changing iWork…

Vulnerabilities in Transcend Wi-Fi SD Card

Posted by MustLive on Mar 27

Hello list!

All your photos and videos are belong to me. If they are on Transcend flash
card :-).

There are Predictable Resource Location, Brute Force and Cross-Site Request
Forgery vulnerabilities in Transcend Wi-Fi SD Card.

————————-
Affected products:
————————-

Vulnerable is the next model: Transcend Wi-Fi SD Card 16 GB, Firmware v.1.8.
This model with other firmware versions and other Transcend models also…

pfsense 2.3.2: CSRF

Posted by Curesec Research Team (CRT) on Mar 27

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim Coen of…

pfsense 2.3.2: XSS

Posted by Curesec Research Team (CRT) on Mar 27

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim Coen of…

pfsense 2.3.2: Code Execution

Posted by Curesec Research Team (CRT) on Mar 27

Security Advisory – Curesec Research Team

1. Introduction

Affected Product: pfsense 2.3.2
Fixed in: 2.3.3
Fixed Version Link: https://pfsense.org/download/
Vendor Website: https://www.pfsense.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 02/06/2017
Disclosed to public: 03/24/2017
Release mode: Coordinated Release
CVE: requested via DWF
Credits Tim…

[FOXMOLE SA 2017-01-25] inoERP – Multiple Issues

Posted by FOXMOLE Advisories on Mar 27

=== FOXMOLE – Security Advisory 2017-01-25 ===

inoERP – Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Versions
=================
inoERP 0.6.1

Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: inoERP
Vendor URL: http://inoideas.org/ / https://github.com/inoerp/inoERP
Credits: FOXMOLE…

[CVE-2017-7240] Miele Professional PG 8528 – Web Server Directory Traversal

Posted by Jens Regel on Mar 24

Title:
======
Miele Professional PG 8528 – Web Server Directory Traversal

Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2017-7240

Risk Information:
=================
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
CVSS Temporal Score: 3.9

Timeline:
=========
2016-11-16 Vulnerability discovered
2016-11-10…

Defense in depth — the Microsoft way (part 47): "AppLocker bypasses are not serviced via monthly security roll-ups"

Posted by Stefan Kanthak on Mar 24

Hi @ll,

Windows 8 and newer versions (Windows 7 and Windows Server 2008 R2
with KB2532445 or KB3125574 installed too) don’t allow unprivileged
callers to circumvent AppLocker and SAFER rules via

LoadLibraryEx(TEXT("<arbitrary DLL>"), NULL, LOAD_IGNORE_CODE_AUTHZ_LEVEL);

See <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
and <https://support.microsoft.com/kb/2532445>

| LOAD_IGNORE_CODE_AUTHZ_LEVEL…

Defense in depth — the Microsoft way (part 46): no checks for common path handling errors in "Application Verifier"

Posted by Stefan Kanthak on Mar 24

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/aa480483.aspx>
Microsoft’s “Application Verifier” [°] should detect the well-known
beginner’s error <https://cwe.mitre.org/data/definitions/428.html>:

| Checking for Proper Use of CreateProcess
|
| Calls to the CreateProcess API function are subject to attack if
| parameters are not specified correctly. AppVerifier generates an
| error if…