Posted by Nightwatch Cybersecurity Research on Apr 11
[Original post can be found here: https://wwws.nightwatchcybersecurity.com/2017/04/09/advisory-chromeos-chromebooks-persist-certain-network-settings-in-guest-mode/ ]
SUMMARY
Certain network settings in ChromeOS / ChromeBooks persist between
reboots when set in guest mode. These issues have been reported to the
vendor but will not be fixed since the vendor considers them to be WAI
(Working As Intended). These attacks require physical access to…
Posted by Matthias Deeg on Apr 11
Advisory ID: SYSS-2015-035
Product(s): Password Safe and Repository Enterprise
Manufacturer: MATESO GmbH
Affected Version(s): 7.4.4 Build 2247
Tested Version(s): 7.4.4 Build 2247
Vulnerability Type: Violation of Secure Design Principles (CWE-657)
SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-07-09
Solution Date: 2016-10-18
Public Disclosure: 2017-04-10
CVE Reference: Not yet…
Posted by Maor Shwartz on Apr 11
This is a sample of a clear signed message.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF
U5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh
DztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz
CvynscaD+wA=
=Xb9n
-----END PGP SIGNATURE-----
attack_whoami.eml
Date: Fri, 04 Nov 2016 16:04:19 +0000
Message-ID:…
Posted by Matthias Deeg on Apr 11
Advisory ID: SYSS-2015-036
Product(s): Password Safe and Repository Enterprise
Manufacturer: MATESO GmbH
Affected Version(s): 7.4.4 Build 2247
Tested Version(s): 7.4.4 Build 2247
Vulnerability Type: Credentials Management (CWE-255)
Violation of Secure Design Principles (CWE-657)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2015-07-09
Solution Date: 2016-10-18
Public Disclosure: 2017-04-10
CVE Reference:…
Posted by Mark Wadham on Apr 11
Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with
a KLoader binary which it installs suid root the first time Proxifier is
run. This binary serves a single purpose which is to load and unload
Proxifier’s kernel extension.
Unfortunately it does this by taking the first parameter passed to it on
the commandline without any sanitisation and feeding it straight into
system().
This means not only can you load any…
Posted by Wester 95 on Apr 11
Hi team,
I would like to request one CVE for this vulnerability, thank you!
#################################
Description:
============
product: MyBB
Homepage: https://mybb.com/
vulnerable version: <1.8.11
Severity: High risk
===============
Proof of Concept:
=============
1. Post a thread or reply to any thread, and write:
[email=2"onmouseover="alert(document.location)]hover me[/email]
Then, when the user's mouse hovers over it, the XSS attack…
Posted by Wester 95 on Apr 11
Hi team,
I would like to request one CVE for this vulnerability, thank you!
#################################
Description:
============
product: MyBB
Homepage: https://mybb.com/
vulnerable version: <1.8.11
Severity: Low risk
===============
Proof of Concept:
=============
vulnerability address: http://127.0.0.1/mybb_1810/Upload/admin/index.php?module=config-smilies&action=add_multiple
vulnerability file…
Posted by Wester 95 on Apr 11
Hi team,
I would like to request one CVE id, thank you!
Details
======
Software: s9y Serendipity
Version: <2.0.5
Homepage: https://docs.s9y.org/
=======
Description
================
GET-type CSRF in Serendipity allows an attacker to install any theme; there is no token here.
POC:
========
Include this in the page, then the attack will occur:
<img
src=”…
Posted by hyp3rlinx on Apr 11
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
============
www.moxa.com
Product:
=======================
MX-AOPC UA SERVER – 1.5
Moxa’s MX-AOPC UA Suite is the first OPC UA server for industrial
automation supporting both push and pull communication.
Vulnerability Type:…
Posted by hyp3rlinx on Apr 11
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
============
www.moxa.com
Product:
===========
MXView v2.8
Download: http://www.moxa.com/product/MXstudio.htm
MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick…