CVE-2015-0105

Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager (BPM) 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2015-0106

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVE-2015-0136

powervc-iso-import in IBM PowerVC 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 places an access token on the command line during IVM and PowerKVM management, which allows local users to obtain sensitive information by listing the process.

CVE-2015-0527

EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file.

CVE-2015-0137

IBM PowerVC Standard 1.2.0.x before 1.2.0.4 and 1.2.1.x before 1.2.2 validates Hardware Management Console (HMC) certificates only during the pre-login stage, which allows man-in-the-middle attackers to spoof devices via a crafted certificate.

CVE-2015-0817

The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ESR 31.x before 31.5.2, and SeaMonkey before 2.33.1 does not properly determine the cases in which bounds checking may be safely skipped during JIT compilation and heap access, which allows remote attackers to read or write to unintended memory locations, and consequently execute arbitrary code, via crafted JavaScript.

CVE-2015-0818

Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.

Windows Local WebDAV NTLM Reflection Elevation of Privilege

Posted by James Forshaw on Mar 24

Windows Local WebDAV NTLM Reflection Elevation of Privilege
Platform: Windows 8.1 Update, Windows 7
Class: Elevation of Privilege
Disclosure Date: 18th March 2015
Reference: https://code.google.com/p/google-security-research/issues/detail?id=222

Summary:
A default installation of Windows 7/8 can be made to perform an NTLM
reflection attack through WebDAV which allows a local user to elevate
privileges to local system. It can also be used to…

CEEA-2015:0717 CentOS 5 tzdata Enhancement Update

CentOS Errata and Enhancement Advisory 2015:0717

Upstream details at : https://rhn.redhat.com/errata/RHEA-2015-0717.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

