Posted by Securify B.V. on Mar 18
————————————————————————
Command injection vulnerability in network diagnostics tool of Websense
Appliance Manager
————————————————————————
Han Sahin, September 2014
————————————————————————
Abstract
————————————————————————
A command injection…
Posted by Securify B.V. on Mar 18
————————————————————————
Websense Email Security vulnerable to persistent Cross-Site Scripting in
audit log details view
————————————————————————
Han Sahin, September 2014
————————————————————————
Abstract
————————————————————————
Users of Websense Data…
Posted by Securify B.V. on Mar 18
————————————————————————
Websense Data Security DLP incident Forensics Preview is vulnerable to
Cross-Site Scripting
————————————————————————
Han Sahin, September 2014
————————————————————————
Abstract
————————————————————————
Users of Websense Data…
automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user’s USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory.
Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support.
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
This module provides a set of APIs and tools to improve the developer experience.
Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID.
In CTools version 1.5, additional checks were created to defend against leaking titles for entities that the user doesn’t have access to. However, certain edge cases were found to leak this private data.
This vulnerability is mitigated by the fact that you must perform the autocomplete search on custom entities that don’t include an access query tag, or you must know the ID of the entity whose title you are trying to get.
Also, CTools did not sanitize user provided URLs when processing confirmation delete pages, thereby exposing an open redirect attack vector.
This vulnerability is mitigated by the fact that a module using CTools must allow for users to insert a malicious external URL that is sent to the confirmation page.
Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.
Install the latest version:
Also see the Chaos tool suite (ctools) project page.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal.
The module doesn’t sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/update nodes with an attached webform and (in 7.x-4.x releases) have the permission “edit webform components”.
Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.
Install the latest version:
Also see the Webform project page.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Some days ago we showed you the Adaptive Defense Newsletter that we created with Gartner, and today we announce one about Panda Fusion.
This new Newsletter, entitled Management and Security, can you have one without the other? The part written by Panda explains how medium companies have difficulty managing their IT systems; heterogeneous, disperse and complex systems that aggravate their security.
What do we propose to solve this issue? Panda Fusion, the centralized and integrated cloud-based solution, provides the maximum protection against malware and at the same time manages and supports all their devices.
In addition, you will find Gartner Magic Quadrant last report: Magic Quadrant for Endpoint Protection Platforms, in which Panda is included as visionary.
Want access to this newsletter?
The post Management and Security, can you have one without the other? appeared first on MediaCenter Panda Security.
Red Hat Enterprise Linux: An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-0332, CVE-2015-0333, CVE-2015-0334, CVE-2015-0335, CVE-2015-0336, CVE-2015-0337, CVE-2015-0338, CVE-2015-0339, CVE-2015-0340, CVE-2015-0341, CVE-2015-0342
