Category Archives: Full Disclosure

Multiple Reflected XSS vulnerabilities in Infobae Website

Posted by Niemand Nie on May 23

ADVISORY INFORMATION
===================

Title: Multiple Reflected XSS vulnerabilities in Infobae Website
Date published: 2016-20-05
Vendors contacted: No answer received
Vendors website: http://www.infobae.com/
Discovered by: Joel Noguera [Independent Security Researcher]
Severity: Medium

AFFECTED PRODUCT
===================
Infobae is a website of a famous newspaper from Argentina. It is well
known and has thousands of readers per day….

Linknat VOS2009/VOS3000 SQL injection

Posted by Osama Khalid on May 23

A SQL injection was found in Linknat VOS3000/VOS2009, a popular VoIP
softswitch, that could allow remote attackers to gain access to the
credentials stored in plain-text.

Application: Linknat VOS3000/VOS2009
Versions Affected: 2.1.1.5, 2.1.1.8, 2.1.2.0
Vendor URL: http://www.linknat.com/
Bug: SQLi (with DBA privileges)
Type: Remote
Resolution: Fixed, upgrade to 2.1.2.4
Reference: WooYun-2015-145458 -…

poisoning / hijacking DNS locally of a third party domain: in shared and custom web hosting and in ISP, in automated /custom control panel software

Posted by Bipin Gautam on May 23

Hi,

vulnerability summary : a design / process flaw

Severity : Moderate / High

In most automated control panel software, for shared and custom web
hosting and in ISP, anyone can register / signup any domain after you
have a paid account for website hosting

– and the dns record of the added domain gets synced indiscriminately
in the local / ISP master DNS name server /resolver (for that
webhosting and ISP locally)

when any local website in…

MediaLink router MWN-WAPR300N – Several Vulnerabilities

Posted by David Spector on May 23

*MediaLink router MWN-WAPR300N – Several Vulnerabilities*

The vulnerabilities reported here are for the firmware version currently
being shipped by Amazon.com. This is hardware version 2.0, firmware
version V5.07.51_en_MDL01. I have no knowledge of the behavior of
previous versions of this router. U.S. CERT/CC states that the
vulnerabilities I am reporting here have not previously been reported to
them.

*About*

The MediaLink wireless…

[RCESEC-2016-001] Postfix Admin v2.93 Generic POST Cross-Site Request Forgeries

Posted by Julien Ahrens on May 23

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Postfix Admin
Vendor URL: sourceforge.net/projects/postfixadmin/
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2016-04-23
Date published: 2016-05-21
CVSSv3 Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
CVE: –

2. CREDITS
==========
This vulnerability was discovered and researched by Julien…

[ERPSCAN-16-011] SAP NetWeaver AS JAVA – SQL injection vulnerability

Posted by ERPScan inc on May 23

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 – 7.5

Vendor URL: http://SAP.com

Bugs: SQL injection

Sent: 04.12.2015

Reported: 04.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 09.02.2016

Reference: SAP Security Note 2101079

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver AS JAVA – SQL injection vulnerability

Advisory…

[ERPSCAN-16-010] SAP NetWeaver AS JAVA – information disclosure vulnerability

Posted by ERPScan inc on May 23

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 – 7.5

Vendor URL: http://SAP.com

Bugs: information disclosure

Sent: 15.09.2015

Reported: 15.09.2015

Vendor response: 16.09.2015

Date of Public Advisory: 09.02.2016

Reference: SAP Security Note 2256846

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver AS JAVA – information disclosure vulnerability

Advisory…

WSO2 SOA Enablement Server – Reflected Cross-Site Scripting

Posted by Etnies on May 17

Title: WSO2 SOA Enablement Server – Reflected Cross-Site Scripting
Authors: Jakub Pałaczyński, Łukasz Juszczyk
Date: 08. April 2016

Affected Software:
=============

WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616
Probably other versions are also vulnerable.

Proof of Concept:
============

PoC works only in IE browser – path is reflected in the response and needs
to be long enough to bypass IE’s 404 page…

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

Posted by Karn Ganeshen on May 17

[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

*About MeteoControl WEB’log*

Meteocontrol is a Germany-based company that maintains offices in several
countries around the world, including the US, China, Italy, Spain, France,
Switzerland, and Israel.

The affected products, WEB’log, are web-based SCADA systems that provide
functions to manage energy and power configurations in different connected
(energy/industrial) devices….