SAP Security Notes June 2015

Posted by Darya Maenkova on Jun 11

SAP <http://www.sap.com/> has released the monthly critical patch update
for June 2015. This patch update closes a lot of vulnerabilities in SAP
products. The most popular vulnerability is Missing Authorization Check.
This month, three critical vulnerabilities found by ERPScan researchers
Vahagn Vardanyan, Rustem Gazizov, and Diana Grigorieva were closed.

*Issues that were patched with the help of ERPScan*

Below are the details of SAP…

6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

Posted by Jing Wang on Jun 11

*6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities*

Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discoverer and Reporter: Wang Jing [School of Physical…

FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open Redirect Cyber Vulnerabilities

Posted by Jing Wang on Jun 11

*FC2 & Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open Redirect Cyber Vulnerabilities*

FC2 and Rakuten are the first and second top-ranking Japanese local online
websites. This post introduces several XSS (Cross-site Scripting) and Open
Redirect bugs in them.

The Alexa rank of fc2.com is 52 on February 18 2015 and the related rank in
Japan is 4. The Alexa rank of rakuten.co.jp is 64 on May 29 2015 and the
related rank…

Path Traversal vulnerability in WordPress plugin se-html5-album-audio-player v1.1.0

Posted by Larry W. Cashdollar on Jun 11

Title: Path Traversal vulnerability in WordPress plugin se-html5-album-audio-player v1.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-06
Advisory: http://www.vapid.dhs.org/advisory.php?v=124
Download Site: https://wordpress.org/plugins/se-html5-album-audio-player/
Vendor: https://profiles.wordpress.org/sedevelops/
Vendor Notified: 2015-06-06
Vendor Contact: https://profiles.wordpress.org/sedevelops/
Description:
An HTML5 Album Audio…

Apache vulnerability program faulting module ntdll.dll

Posted by Bruno Luiz on Jun 11

Subversion HTTP servers allow spoofing svn:author property values
for new revisions.

Summary:
========

Subversion’s mod_dav_svn server allows setting arbitrary svn:author
property values when committing new revisions. This can be accomplished
using a specially crafted sequence of requests. An evil-doer can fake
svn:author values on his commits. However, as authorization rules are
applied to the evil-doer’s true…