Cross-site scripting (XSS) vulnerability in the easy_social_admin_summary function in the Easy Social module 7.x-2.x before 7.x-2.11 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a block title.
Monthly Archives: October 2014
CVE-2014-8318
Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.20, 7.x-3.x before 7.x-3.20, and 7.x-4.x before 7.x-4.0-beta2 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a field label title, when two fields have the same form_key.
Ubuntu Security Notice USN-2386-1
Ubuntu Security Notice 2386-1 – A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to expose sensitive data over the network. Several vulnerabilities were discovered in the OpenJDK JRE related to data integrity. Several vulnerabilities were discovered in the OpenJDK JRE related to information disclosure. An attacker could exploit these to expose sensitive data over the network. (CVE-2014-6531) Various other issues were also addressed.
Debian Security Advisory 3053-1
Debian Linux Security Advisory 3053-1 – Several vulnerabilities have been found in OpenSSL, the Secure Sockets Layer library and toolkit.
SAP Patches DoS Flaw in Netweaver
SAP has released a fix for a remotely exploitable denial-of-service in its Netweaver platform. The bug is confirmed to affect several versions of the platform and may be present in others, as well. Researchers at Core Security discovered the vulnerability and reported it to SAP in June. Netweaver is a platform that allows users to build and […]
Information Disclosure vulnerability in Dynamic Content Elements (dce)
Release Date: October 17, 2014
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: all versions of 0.7.x, 0.8.x, 0.9.x, 0.10.x, 0.11.4 and below of 0.11.x
Vulnerability Type: Information Disclosure
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:H/RL:OF/RC:C
Problem Description: The extension provides a functionality to check for extension updates. Along with this functionality, installation environment data is automatically reported to the infrastructure of the extension author without user interaction.
Solution: Updated version 0.11.5 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/dce/0.11.5/t3x/. The new extension version provides a configuration option to enable the described behaviour.
Credits: Credits go to Georg Ringer who discovered and reported the issue and Armin Vieweg who quickly responded & resolved this issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Android Lollipop offers password protection against factory resets
The latest version of Android, nicknamed Lollipop, will offer a new feature that could make stolen phones a whole lot less valuable to thieves: the ability to allow a factory reset only after a password has been entered.
The post Android Lollipop offers password protection against factory resets appeared first on We Live Security.
Drupal Releases Security Advisory
Original release date: October 17, 2014
Drupal has released a security advisory to address an application program interface (API) vulnerability (CVE-2014-3704) that could allow an attacker to execute arbitrary SQL commands on an affected system.
This vulnerability affects all Drupal core 7.x versions prior to 7.32.
US-CERT advises users and administrators to review Drupal’s Security Advisory and apply the necessary update or patch.
Improper Access Control vulnerability in extension fal_sftp (fal_sftp)
Release Date: October 17, 2014
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 0.2.4, 0.2.5
Vulnerability Type: Improper Access Control
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
Problem Description: Configured permissions of newly created files and folders for the sFTP driver are set incorrectly.
Solution: Updated version 0.2.6 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/fal_sftp/0.2.6/t3x/. Please check your existing setup and fix permission if needed! Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Jost Baron who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Privacy online – what you can do (and what you can’t)
Many of us have moments when we need, or want, to be more private online – when searching for a new job, for instance, or when having a private business conversation.
The post Privacy online – what you can do (and what you can’t) appeared first on We Live Security.