Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.
CVE-2014-10024 (directshowdemuxfilter, player, web_player)
Multiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and other Divx plugins, allow remote attackers to execute arbitrary code via a (1) negative or (2) large value in a Stream Format (STRF) chunk in an AVI file, which triggers a heap-based buffer overflow.
CVE-2014-10025 (dap-1360_firmware)
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that change the (1) Enable Wireless, (2) MBSSID, (3) BSSID, (4) Hide Access Point, (5) SSID, (6) Country, (7) Channel, (8) Wireless mode, or (9) Max Associated Clients setting via a crafted request to index.cgi.
CVE-2014-10026 (dap-1360_firmware)
index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.
CVE-2014-10027 (dap-1360_firmware)
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that (1) change the MAC filter restrict mode, (2) add a MAC address to the filter, or (3) remove a MAC address from the filter via a crafted request to index.cgi.
CVE-2014-10028 (dap-1360_firmware)
Cross-site scripting (XSS) vulnerability in D-Link DAP-1360 router with firmware 2.5.4 and later allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi when res_config_id is set to 41.
CVE-2014-10029 (fluxbb)
SQL injection vulnerability in profile.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to execute arbitrary SQL commands via the req_new_email parameter.
CVE-2014-10030 (fluxbb)
Open redirect vulnerability in forums/login.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
US military’s CENTCOM Twitter account hacked – were they not using 2FA?
Twitter and YouTube accounts run by the US military’s Central Command are hijacked by hackers claiming to back Islamic State.
The post US military’s CENTCOM Twitter account hacked – were they not using 2FA? appeared first on We Live Security.
SEC Consult SA-20150113-0 :: Multiple critical vulnerabilities in all snom desktop IP phones
Posted by SEC Consult Vulnerability Lab on Jan 13
SEC Consult Vulnerability Lab Security Advisory < 20150113-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: snom IP phones
vulnerable version: all firmware versions <8.7.5.15, all firmware branches
of all snom desktop IP phones (3xx, 7xx, 8xx, etc)
are affected
fixed version: 8.7.5.15…