Posted by Julien Ahrens on Sep 12
RCE Security Advisory https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: XenForo ToggleME plugin
Vendor URL: https://xenforo.com/community/resources/toggleme.137/
Type: Cross-Site Scripting [CWE-79]
Date found: 2016-09-06
Date published: 2016-09-11
CVSSv3 Score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N)
CVE: –
2. CREDITS
==========
This vulnerability was discovered…
Posted by Summer of Pwnage on Sep 10
————————————————————————
Persistent Cross-Site Scripting in Woocommerce WordPress plugin
————————————————————————
Sipke Mellema, July 2016
————————————————————————
Abstract
————————————————————————
A vulnerability exists in the Woocommerce API that allows…
Posted by Summer of Pwnage on Sep 10
————————————————————————
Authorization bypass in InfiniteWP Admin Panel
————————————————————————
Sipke Mellema, July 2016
————————————————————————
Abstract
————————————————————————
An authorization bypass was found in the InfiniteWP Admin Panel that
allows…
Posted by Summer of Pwnage on Sep 10
————————————————————————
Command injection in InfiniteWP Admin Panel
————————————————————————
Sipke Mellema, July 2016
————————————————————————
Abstract
————————————————————————
The InfiniteWP Admin Panel can be used to execute arbitrary system
commands….
Posted by Summer of Pwnage on Sep 10
————————————————————————
Reflected Cross-Site Scripting vulnerability in MailPoet Newsletters
plugin
————————————————————————
Sipke Mellema, July 2016
————————————————————————
Abstract
————————————————————————
A Cross-Site Scripting vulnerability was found…
Posted by Asterisk Security Team on Sep 08
Asterisk Project Security Advisory – AST-2016-007
Product Asterisk
Summary RTP Resource Exhaustion
Nature of Advisory Denial of Service
Susceptibility Remote Authenticated Sessions
Severity Moderate…
Posted by Asterisk Security Team on Sep 08
Asterisk Project Security Advisory – AST-2016-006
Product Asterisk
Summary Crash on ACK from unknown endpoint
Nature of Advisory Remote Crash
Susceptibility Remote unauthenticated sessions
Severity Critical…
Posted by Karn Ganeshen on Sep 08
*Powerlogic/Schneider Electric IONXXXX series Smart Meters – Multiple
security issues*
*Impacted devices:*
*ION7300 and potentially all IONXXXX models (based off of Powerlogic)*. For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274: http://www.schneider-electric.com/download/hk/en/details/2254511-ETH-7330-V274/?reference=ETH7330V274
*About*
Power & Energy Monitoring System
Compact energy and power quality meters for feeders…
Posted by Rio Sherri on Sep 08
# Title : Unrar 0.0.1 Memory Corruption
# Date : 05/09/2016
# Author : R-73eN
# Tested on : Linux VM 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:50 UTC 2011 i686 i686 i386 GNU/Linux
# Software : https://github.com/defiant-labs/unrar-free
root@VM:~/unrar-free/src# unrar --version
unrar 0.0.1
root@VM:~/unrar-free/src# gdb --args ./unrar ~/test.rar
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc….
Posted by 0xr0ot on Sep 08
Hi,
Description of the potential vulnerability:
SVE-2016-6248: SystemUI Security issue
Severity: Medium
Affected versions: L(5.0/5.1), M(6.0) devices with Exynos7420 chipset
Reported on: June 7, 2016
Disclosure status: Privately disclosed.
The vulnerability exists due to a null pointer dereference on fimg2d driver.
The patch verifies if the object is null before dereferencing it.
Fix:…