Full Disclosure
Posted by Mark Cross on Jul 25
On the 7th of July 2015 I discovered a reflected cross-site scripting
(XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices.
Full disclosure was undertaken with the vendor and a CVE-ID has been
requested from Mitre.
CVE-ID: requested via PGP email
7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com
Reference: http://www.mogozobo.com/?p=2574
====================
Summary
====================
A reflected…
Posted by Nitin Venkatesh on Jul 25
# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in
Unite Gallery Lite WordPress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite WordPress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper
Neutralization of Special Elements used in an SQL Command (‘SQL
Injection’)[CWE-89]
# Affected Versions: v1.4.6…
Posted by Nitin Venkatesh on Jul 25
# Title: Open Redirect Vulnerability in Music Store WordPress Plugin v1.0.14
# Submitter: Nitin Venkatesh
# Product: Music Store WordPress Plugin
# Product URL: https://wordpress.org/plugins/music-store/
# Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’)
[CWE-601]
# Affected Versions: v1.0.14 and possibly below.
# Tested versions: v1.0.14
# Fixed Version: v1.0.15
# Link to code diff:…
Posted by Mark Cross on Jul 25
On the 7th of July 2015 I discovered a reflected cross-site scripting
(XSS) vulnerability in QNAP TS-x09 Network Attached Storage devices.
Full disclosure was undertaken with the vendor and a CVE-ID has been
requested from Mitre.
CVE-ID: requested via PGP email
7th July 2015
Author: Mark Cross
Twitter: @xerubus
WWW: www.mogozobo.com
Reference: http://www.mogozobo.com/?p=2574
====================
Summary
====================
A reflected…
Posted by Securify B.V. on Jul 25
————————————————————————
Integer overflow in .NET Framework
System.DirectoryServices.Protocols.Utility class
————————————————————————
Yorick Koster, May 2015
————————————————————————
Abstract
————————————————————————
An integer overflow exists in the…
Posted by Qualys Security Advisory on Jul 23
Hello, it is July 23, 2015, 17:00 UTC, the Coordinated Release Date for
CVE-2015-3245 and CVE-2015-3246. Please find our advisory below, and
our exploit attached.
Qualys Security Advisory
CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling
–[ Summary ]—————————————————————–
The libuser library implements a standardized interface for manipulating
and…
Posted by Vulnerability Lab on Jul 23
Document Title:
===============
ThaiWeb CMS 2015Q3 – SQL Injection Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1555
Release Date:
=============
2015-07-23
Vulnerability Laboratory ID (VL-ID):
====================================
1555
Common Vulnerability Scoring System:
====================================
8.6
Product & Service Introduction:…
Posted by Dave Horsfall on Jul 22
Brian Krebs already reported this:
http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
Hilarious…
Posted by Henri Salo on Jul 22
CVE requested already in:
http://www.openwall.com/lists/oss-security/2015/07/18/4
Posted by Pierre Kim on Jul 22
Note: this email has been sent to Full-Disclosure and has been
blogposted to: https://pierrekim.github.io/blog/2015-07-22-why-full-disclosure-is-the-solution-an-examble-with-ripe.html
TL;DR: hashes list from the RIPE database has been posted to MEGA,
containing usable hashes from 2011 to July 2015.
( https://mega.co.nz/#!xMIxHZCT!EgWNb65ERsTf5URgBNq8VW_flzXSNbO3URwE0nqtsXY )
The human is reluctant to change. Full Disclosure is, sometimes, the…