Category Archives: Full Disclosure

Remote file download vulnerability in WordPress Plugin image-export v1.1

Posted by Larry W. Cashdollar on Jul 13

Title: Remote file download vulnerability in WordPress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images uploaded by an administrator.
Vulnerability:
The code in file download.php…

Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3

Posted by Larry W. Cashdollar on Jul 13

Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins () wordpress org
Description: This is the best gallery for touch screens. It is fully touch enabled with…

[CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary file download / open redirect

Posted by Pedro Ribeiro on Jul 13

tl;dr
Two vulns in Kaseya Virtual System Administrator – an authenticated
arbitrary file download and two lame open redirects.

Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].

==========================================================================
Disclosure: 13/07/2015 / Last updated: 13/07/2015

“Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged…

Vulnerability in Apache Tomcat

Posted by Juan Martinez on Jul 13

Hi everyone, I found a bug in Apache Tomcat servers that allows access to
all directories.
The bug is exploited with a Google dork; the
PoC is: allintitle:”Directory Listing For / (directory like access”/”
For example: allintitle:”Directory Listing For / root/”
This dork accesses the root dir without passwords, and the servers are
Apache Tomcat.
I advise updating Apache Tomcat to fix this bug, or controlling access with a login.
Best…

CVE-2015-1438 – Arbitrary Code Execution [PSKMAD.sys] In Panda Security – Multiple Products

Posted by Portcullis Advisories on Jul 13

Vulnerability title: Arbitrary Code Execution [PSKMAD.sys] In Panda Security – Multiple Products
CVE: CVE-2015-1438
Vendor: Panda Security
Product: Multiple Products
Affected version: 1.0.0.13
Fixed version: 15.1.0
Reported by: Kyriakos Economou
Details:

Panda Kernel Memory Access Driver doesn’t validate the size of data to be copied to both an allocated kernel paged pool
buffer and to an allocated non-paged pool buffer. Furthermore, the…

CVE-2015-3449 – Weak File Permissions In SAP Afaria XeService.exe

Posted by Portcullis Advisories on Jul 13

Vulnerability title: Weak File Permissions In SAP Afaria XeService.exe
CVE: CVE-2015-3449
Vendor: SAP
Product: Afaria XeService.exe
Affected version: 7.0.6398.0
Fixed version: Latest
Reported by: Russ Spooner
Details:

It was identified that the Afaria Windows client software was installed with weak default permissions that granted read
and write permissions to the Everyone group to the install folder.

Further details at:…

CVE-2015-3621 – Privilege Escalation In SAP ECC

Posted by Portcullis Advisories on Jul 13

Vulnerability title: Privilege Escalation In SAP ECC
CVE: CVE-2015-3621
Vendor: SAP
Product: ECC
Affected version: Unknown
Fixed version: Latest
Reported by: Tim Brown
Details:

It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been
compiled in manner that means they searched for libraries in insecure locations.

Further details at:…

CVE-2015-4426 – SQL Injection In Pimcore CMS

Posted by Portcullis Advisories on Jul 13

Vulnerability title: SQL Injection In Pimcore CMS
CVE: CVE-2015-4426
Vendor: Pimcore
Product: Pimcore CMS
Affected version: Build 3450
Fixed version: Build 3473
Reported by: Josh Foote
Details:

It was possible to inject arbitrary SQL into the application provided an administrative account with the ‘assets’
privilege.

Further details at:…

CVE-2015-4425 – Directory Traversal/Configuration Update In Pimcore CMS

Posted by Portcullis Advisories on Jul 13

Vulnerability title: Directory Traversal/Configuration Update In Pimcore CMS
CVE: CVE-2015-4425
Vendor: Pimcore
Product: Pimcore CMS
Affected version: Build 3450
Fixed version: Build 3473
Reported by: Josh Foote
Details:

It is possible for an administrative user with the ‘assets’ permission to overwrite system configuration files via
exploiting a directory traversal vulnerability.

Further details at:…

Re: Grandstream VoIP phone: SSH key backdoor and multiple vulnerabilities leading to RCE as root (David Jorm

Posted by Seamus Caveney on Jul 11

There is another similar issue affecting GXP color phones (GXP2130, 2140, 2160) reported to Grandstream that was fixed
in 1.0.4.22. From the main shell there is a Bluetooth test mode you can enter by typing ‘bttest’. From inside this
subshell there is no shell sanitization and you can escape using normal techniques.

Grandstream GXP2130 Command Shell Copyright 2014
GXP2130> bttest
BTTEST> ;id
uid=0(root) gid=0(root)…