Fwd: CVE-2015-5257 – Weak Randomization of BridgeSecret for Apache Cordova Android
Monthly Archives: November 2015
Bugtraq: Fwd: CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions
Fwd: CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions
Apache Cordova 3.7.2 Whitelist Failure
Android applications created using Apache Cordova that use a remote server contain a vulnerability where whitelist restrictions are not properly applied. Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution of non-whitelisted Javascript. Versions 3.7.2 and below are affected.
Apache Cordova Android 3.6.4 BridgeSecret Weak Randomization
Apache Cordova Android versions 3.6.4 and below use a bridge that allows the Native Application to communicate with the HTML and Javascript that control the user interface. To protect this bridge on Android, the framework uses a BridgeSecret to protect it from third-party hijacking. However, the BridgeSecret is not sufficiently random and can be determined in certain scenarios.
RHSA-2015:2500-1: Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update
Red Hat Enterprise Linux: Updated packages for the Apache commons-collections library for Red Hat
JBoss Enterprise Application Platform 6.4, which fix one security issue,
are now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2015-7501
CVE-2009-5149
Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have predictable technician passwords, which makes it easier for remote attackers to obtain access via the web management interface, related to a “password of the day” issue.
CVE-2015-6375
The debug-logging (aka debug cns) feature in Cisco Networking Services (CNS) for IOS 15.2(2)E3 allows local users to obtain sensitive information by reading an unspecified file, aka Bug ID CSCux18010.
CVE-2015-6376
Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence Video Communication Server (VCS) X8.5.1 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuv72412.
CVE-2015-7289
Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have a hardcoded administrator password derived from a serial number, which makes it easier for remote attackers to obtain access via the web management interface, SSH, TELNET, or SNMP.
CVE-2015-7290
Cross-site scripting (XSS) vulnerability in adv_pwd_cgi in the web management interface on Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 allows remote attackers to inject arbitrary web script or HTML via the pwd parameter.