All posts by 007admin

Full Disclosure

APPLE-SA-2017-03-22-1 iTunes for Windows 12.6

Posted by Apple Product Security on Mar 24

APPLE-SA-2017-03-22-1 iTunes for Windows 12.6

iTunes for Windows 12.6 is now available and addresses the following:

iTunes
Available for: Windows 7 and later
Impact: Multiple issues in SQLite
Description: Multiple issues existed in SQLite. These issues were
addressed by updating SQLite to version 3.15.2.
CVE-2013-7443
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
CVE-2015-3717
CVE-2015-6607
CVE-2016-6153

iTunes
Available for: Windows 7 and later…

Full Disclosure

APPLE-SA-2017-03-22-2 iTunes for Mac 12.6

Posted by Apple Product Security on Mar 24

APPLE-SA-2017-03-22-2 iTunes for Mac 12.6

iTunes for Mac 12.6 is now available and addresses the following:

iTunes
Available for: OS X version 10.9.5 or later
Impact: Multiple issues in SQLite
Description: Multiple issues existed in SQLite. These issues were
addressed by updating SQLite to version 3.15.2.
CVE-2013-7443
CVE-2015-3414
CVE-2015-3415
CVE-2015-3416
CVE-2015-3717
CVE-2015-6607
CVE-2016-6153

iTunes
Available for: OS X version…

Full Disclosure

[CVE-2017-6087] EON 5.0 Remote Code Execution

Posted by Sydream Labs on Mar 24

# [CVE-2017-6087] EON 5.0 Remote Code Execution

## Description

EyesOfNetwork (“EON”) is an OpenSource network monitoring solution.

## Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing
authenticated users to execute arbitrary code.

**CVE ID**: CVE-2017-6087

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-78

**CVSS Base Score**: 7.6

**CVSS Vector…

Full Disclosure

[CVE-2017-6088] EON 5.0 Multiple SQL Injection

Posted by Sydream Labs on Mar 24

# [CVE-2017-6088] EON 5.0 Multiple SQL Injection

## Description

EyesOfNetwork (“EON”) is an OpenSource network monitoring solution.

## SQL injection (authenticated)

The Eonweb code does not correctly filter arguments, allowing
authenticated users to inject arbitrary SQL requests.

**CVE ID**: CVE-2017-6088

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-89

**CVSS Base Score**: 6.0

**CVSS Vector…

Full Disclosure

[CVE-2017-5869] Nuxeo Platform remote code execution

Posted by Sydream Labs on Mar 24

# Description

Nuxeo Platform is a content management system for enterprises (CMS).
It embeds an Apache Tomcat server, and can be managed through a web
interface.

One of its features allows authenticated users to import files to the
platform.
By crafting the upload request with a specific “X-File-Name“ header,
one can successfuly upload a file at an arbitrary location of the server
file system.

It is then possible to upload a JSP script to…

Full Disclosure

[ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM

Posted by ERPScan inc on Mar 24

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver AS JAVA UMEADMIN component
Vendor URL: http://SAP.com
Bugs: Directory traversal
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 13.12.2016
Reference: SAP Security Note 2310790
Author: Mathieu Geli (ERPScan)

Description

1. ADVISORY INFORMATION
Title: [ERPSCAN-16-041] SAP NETWEAVER DIRECTORY CREATION OUTSIDE OF THE JVM
Advisory ID: [ERPSCAN-16-041]
Risk: medium…

Hackers News

US Senate Just Voted to Let ISPs Sell Your Web Browsing Data Without Permission

The ISPs can now sell certain sensitive data like your browsing history without permission, thanks to the US Senate.

The US Senate on Wednesday voted, with 50 Republicans for it and 48 Democrats against, to roll back a set of broadband privacy regulations passed by the Federal Communication Commission (FCC) last year when it was under Democratic leadership.

In October, the Federal

NVD

CVE-2017-5198

SolarWinds LEM (aka SIEM) before 6.3.1 has an incorrect sudo configuration, which allows local users to obtain root access by editing /usr/local/contego/scripts/hostname.sh.