IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
Monthly Archives: December 2014
CVE-2014-8024 (jabber_guest)
The API in the Guest Server in Cisco Jabber, when the HTML5 CORS feature is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST request, aka Bug ID CSCus19789.
CVE-2014-8025 (jabber_guest)
The API in the Guest Server in Cisco Jabber, when HTML5 is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST response, aka Bug ID CSCus19801.
CVE-2014-8026 (jabber_guest)
Cross-site scripting (XSS) vulnerability in the Guest Server in Cisco Jabber allows remote attackers to inject arbitrary web script or HTML via a (1) GET or (2) POST parameter, aka Bug ID CSCus08074.
oCERT Releases Advisory for Unpatched UnZip Vulnerability
Original release date: December 22, 2014
The Open Source Computer Security Incident Response Team (oCERT) has released an advisory addressing vulnerabilities in all versions of UnZip. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system if a user opens a specially crafted zip file.
US-CERT recommends users and administrators to review the oCERT Advisory for more details.
This product is provided subject to this Notification and this Privacy & Use policy.
DSA-3110 mediawiki – security update
A flaw was discovered in mediawiki, a wiki engine: thumb.php outputs
wikitext messages as raw HTML, potentially leading to cross-site
scripting (XSS).
DSA-3112 sox – security update
Michele Spagnuolo of the Google Security Team dicovered two heap-based
buffer overflows in SoX, the Swiss Army knife of sound processing
programs. A specially crafted wav file could cause an application using
SoX to crash or, possibly, execute arbitrary code.
Libtiff 4.0.3 Integer Overflow
Libtiff version 4.0.3 suffers from an integer overflow vulnerability that results in an out-of-bounds memory read.
Vulnerabilities in Samsung SyncThru Web Service
Posted by MustLive on Dec 22
Hello list!
There are Information Leakage and Insufficient Authorization vulnerabilities
in SyncThru Web Service. This is web application for Samsung printers,
particularly I found it with Samsung ML-1865W and other printers. Earlier I
informed Samsung about it.
————————-
Affected products:
————————-
Vulnerable are SyncThru Web Service, Network Firmware 6.01 and previous
versions (there are 7 different…
Re: CVE-2014-9330: Libtiff integer overflow in bmp2tiff
Posted by Paris Zoumpouloglou on Dec 22
It’s true utilities are pretty buggy. I’ve stumbled upon many duplicate
bugs in the tracker, probably because of all the afl action 🙂
What is also worth noting (I didn’t notice at first) is that the latest
available stable source code of libtiff (found here
http://download.osgeo.org/libtiff/) hasn’t been updated since 2012.
Since then many bugs have been reported which have been fixed in the CVS
repo and distribution…