[REVIVE-SA-2014-002] Revive Adserver 3.0.6 and 3.1.0 fix multiple vulnerabilities

Posted by Matteo Beccati on Dec 19

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2014-002
------------------------------------------------------------------------
http://www.revive-adserver.com/security/revive-sa-2014-002
------------------------------------------------------------------------
CVE-IDs: CVE-2014-8793, CVE-2014-8875
Date: 2014-12-17
Risk Level:…

The Misfortune Cookie Vulnerability

Posted by Shahar Tal on Dec 19

Hey there,

Recently our group has uncovered a serious vuln in RomPager – the most popular web server in the world, found in
millions of embedded devices (mostly residential gateways / SOHO routers), which unfortunately allows gaining admin
access to the router from the WAN (port 80 access not required! 7547 works like a charm).

This is not the “rom-0” vulnerability revealed earlier this year. In fact, it’s about an order of…

BF and XSS vulnerabilities in D-Link DCS-2103

Posted by MustLive on Dec 19

Hello list!

There are Brute Force and Cross-Site Scripting vulnerabilities in D-Link
DCS-2103 (IP camera). If previous Path Traversal and Full path disclosure
vulnerabilities were post-auth, then these BF and XSS vulnerabilities are
pre-auth.

-------------------------
Affected products:
-------------------------

Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. For BF
vulnerability version 1.20 and previous versions are…

CVE-2014-8752 JCE-Tech "Video Niche Script" XSS (Cross-Site Scripting) Security Vulnerability

Posted by Jing Wang on Dec 19

*CVE-2014-8752 JCE-Tech “Video Niche Script” XSS (Cross-Site Scripting)
Security Vulnerability*

Exploit Title: JCE-Tech “Video Niche Script” /view.php Multiple Parameters
XSS
Product: “Video Niche Script”
Vendor: JCE-Tech
Vulnerable Versions: 4.0
Tested Version: 4.0
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8752
Credit:…

CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

Posted by Jing Wang on Dec 19

*CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting)
Security Vulnerability*

Exploit Title: TennisConnect “TennisConnect COMPONENTS System” /index.cfm
pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:…

TWiki Security Alert CVE-2014-9367: XSS Vulnerability with Scope and Other URL Parameters of WebSearch

Posted by Peter Thoeny on Dec 19

This is an advisory for TWiki Administrators: A specially crafted URL parameter to the WebSearch topic may expose a
cross-site scripting vulnerability.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for…

TWiki Security Alert CVE-2014-9325: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables

Posted by Peter Thoeny on Dec 19

This is an advisory for TWiki Administrators: The TWiki Variables QUERYSTRING and QUERYPARAMSTRING may expose a
cross-site scripting vulnerability.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

* Vulnerable Software Version
* Attack Vectors
* Impact
* Severity Level
* MITRE Name for this Vulnerability
* Details
* Countermeasures
* Hotfix for TWiki…

Dictionary/brute-force attack against "kerberized" IIS service accounts without triggering account lockout

Posted by Ben Lincoln (F7EFC8C9 – FD) on Dec 19

Not sure if this is old news by now, but I haven’t seen it mentioned
anywhere.

I was writing some walkthroughs for the alpha version of Mimikatz 2.0,
and realized that since the “Silver Ticket” functionality involves one
of the Windows Kerberos ticket encryption keys being the NTLM hash of
the account which receives the Kerberos ticket, it’s possible to use it
to check passwords for IIS application pool service accounts…