Fonality trixbox CE remote root exploit

Posted by Simo Ben youssef on Oct 17

#!/usr/bin/perl
#
# Title: Fonality trixbox CE remote root exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered & Coded: 2 June 2014
# Published: 17 October 2014
# MorXploit Research
# http://www.MorXploit.com
# Software: trixbox CE
# Version: trixbox-2.8.0.4.iso
# Vendor url: http://www.fonality.com/
# Download: http://sourceforge.net/projects/asteriskathome/files/trixbox%20CE/
# Vulnerable file:…

Multiple unauthenticated SQL injections and unauthenticated remote command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <= 2.2|3.0

Posted by yoloswag on Oct 17

# Multiple unauthenticated SQL injections and unauthenticated remote command injection in Centreon <= 2.5.2 and Centreon Enterprise Server <= 2.2|3.0
#
# Product link: http://www.centreon.com/
# CVE references
# |- CVE-2014-3828: Unauthenticated SQL injections
# |- CVE-2014-3829: Unauthenticated remote command injection
# CERT/CC reference: VU#298796
# Author: MaZ…

XSS vulnerabilities in Megapolis.Portal Manager

Posted by MustLive on Oct 17

Hello list!

These are Cross-Site Scripting vulnerabilities in Megapolis.Portal Manager.

It's a commercial CMS from Softline-IT (earlier Softline), which is
particularly widespread among Ukrainian government sites (including a
ministry, the parliament, two special services and many other web sites). In
2012 I already wrote about multiple vulnerabilities in Megapolis.Portal
Manager (http://securityvulns.ru/docs28651.html).

These particular…

Fedora EPEL 5 Security Update: drupal7-7.32-1.el5

Resolved Bugs
1120641 – CVE-2014-5019 CVE-2014-5020 CVE-2014-5021 CVE-2014-5022 drupal7: multiple vulnerabilities (SA-CORE-2014-003)
1120643 – drupal7: multiple vulnerabilities (SA-CORE-2014-003) [epel-all]
1127538 – CVE-2014-5265 CVE-2014-5266 CVE-2014-5267 drupal: denial of service issue (SA-CORE-2014-004)
1127542 – drupal7: drupal: denial of service issue (SA-CORE-2014-004) [epel-all]
1153402 – CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005)
1153404 – CVE-2014-3704 drupal7: SQL injection leading to code execution and privilege escalation (SA-CORE-2014-005) [epel-all]

Update to upstream 7.32 security release for SA-CORE-2014-005, CVE-2014-3407
Update to upstream 7.31 release for SA-CORE-2014-004
This is a bugfix release. For complete details refer to: https://www.drupal.org/drupal-7.30-release-notes
Fixes SA-CORE-2014-003. For details refer to: https://www.drupal.org/drupal-7.29-release-notes

Fedora EPEL 6 Security Update: pylint-1.3.1-1.el6,python-astroid-1.2.1-2.el6,python-logilab-common-0.62.1-2.el6

Resolved Bugs
1060304 – CVE-2014-1838 CVE-2014-1839 python-logilab-common: multiple temporary file vulnerabilities
1060306 – python-logilab-common: multiple temporary file vulnerabilities [epel-all]
1141440 – [PATCH] pylint has broken glib detection on f21

Rebase to current upstream pylint v1.3.1
Fixes CVE-2014-1838 and CVE-2014-1839
Fix GLib detection (#1141440)