Security Alerts

Syndicate content
The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!
Updated: 44 weeks 1 day ago

Horizontal Privilege Escalation/Code Injection in ownCloud’s Windows Client

Fri, 08/19/2016 - 07:22

Posted by Florian Bogner on Aug 19

Horizontal Privilege Escalation/Code Injection in ownCloud’s Windows Client

Metadata
===================================================
Release Date: 17-08-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to ownCloud's Desktop client version 2.2.2
Tested on: Windows 7 64 bit
CVE : pending
URL: https://bogner.sh/2016/08/horizontal-privilege-escalation-in-ownclouds-windows-client/...
Categories: Security

[CVE-2016-6582] Doorkeeper gem does not revoke tokens & uses wrong auth/auth method

Fri, 08/19/2016 - 07:13

Posted by Justin Bull on Aug 19

Good evening everyone,

A security bulletin for all of you.

Software:
--------
Doorkeeper (https://github.com/doorkeeper-gem/doorkeeper)

Description:
----------
Doorkeeper is an OAuth 2 provider for Rails written in Ruby.

Affected Versions:
---------------
1.2.0 - 4.1.0 (all versions but latest patch supporting token revocation)

Fixed Versions:
-------------
4.2.0 or apply this commit[0]

Problem:
--------
Doorkeeper failed to implement OAuth...
Categories: Security

[SYSS-2016-049] QNAP QTS - Persistent Cross-Site Scripting

Thu, 08/18/2016 - 16:02

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-049
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS...
Categories: Security

[SYSS-2016-054] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 15:56

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-054
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-07
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-049] QNAP QTS - Persistent Cross-Site Scripting

Thu, 08/18/2016 - 15:48

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-049
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS...
Categories: Security

[SYSS-2016-050] QNAP QTS - Persistent Cross-Site Scripting

Thu, 08/18/2016 - 15:42

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS...
Categories: Security

[SYSS-2016-055] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 15:36

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-055
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: Unfixed
Manufacturer Notification: 2016-06-08
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-048] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 15:29

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-051] QNAP QTS - Reflected Cross-Site Scripting

Thu, 08/18/2016 - 15:23

Posted by bugtraq on Aug 18

dvisory ID: SYSS-2016-051
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: Reflected Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-054] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 15:13

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-054
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-07
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-048] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 15:05

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-050] QNAP QTS - Persistent Cross-Site Scripting

Thu, 08/18/2016 - 11:38

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-050
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS...
Categories: Security

[SYSS-2016-048] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 11:30

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-048
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.0 Build 20160311 and Build 20160601
Tested Version(s): 4.2.0 Build 20160311 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-03
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-053] QNAP QTS - Arbitrary File Overwrite

Thu, 08/18/2016 - 11:21

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-053
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: Arbitrary file overwrite (CWE-23)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

[SYSS-2016-052] QNAP QTS - OS Command Injection

Thu, 08/18/2016 - 11:13

Posted by bugtraq on Aug 18

Advisory ID: SYSS-2016-052
Product: QNAP QTS
Manufacturer: QNAP
Affected Version(s): 4.2.1 Build 20160601
Tested Version(s): 4.2.1 Build 20160601 - 4.2.2 Build 20160812
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: unfixed
Manufacturer Notification: 2016-06-06
Solution Date: tbd.
Public Disclosure: 2016-08-18
CVE Reference: Not assigned
Author of Advisory: Sebastian Nerz (SySS GmbH)...
Categories: Security

XSS and SQLi in huge IT gallery v1.1.5 for Joomla

Mon, 07/25/2016 - 09:38

Posted by Larry W. Cashdollar on Jul 25

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: info () huge-it com
Description: The plugin allows you to add multiple images to the gallery, create...
Categories: Security

SEC Consult SA-20160725-0 :: Multiple vulnerabilities in Micro Focus (Novell) Filr

Mon, 07/25/2016 - 05:25

Posted by SEC Consult Vulnerability Lab on Jul 25

SEC Consult Vulnerability Lab Security Advisory < 20160725-0 >
=======================================================================
title: Multiple vulnerabilities
product: Micro Focus (former Novell) Filr Appliance
vulnerable version: Filr 2 <=2.0.0.421, Filr 1.2 <= 1.2.0.846
fixed version: Filr 2 v2.0.0.465, Filr 1.2 v1.2.0.871
CVE number: CVE-2016-1607, CVE-2016-1608, CVE-2016-1609...
Categories: Security

[SECURITY] [DSA 3627-1] phpmyadmin security update

Mon, 07/25/2016 - 05:18

Posted by Thijs Kinkhorst on Jul 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-3627-1 security () debian org
https://www.debian.org/security/ Thijs Kinkhorst
July 24, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : phpmyadmin
CVE ID : CVE-2016-1927 CVE-2016-2039...
Categories: Security

Cross-Site Scripting in Code Snippets WordPress Plugin

Mon, 07/25/2016 - 05:09

Posted by Summer of Pwnage on Jul 25

------------------------------------------------------------------------
Cross-Site Scripting in Code Snippets WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting (XSS) vulnerability has been found...
Categories: Security

Cross-Site Scripting in Contact Form to Email WordPress Plugin

Mon, 07/25/2016 - 05:02

Posted by Summer of Pwnage on Jul 25

------------------------------------------------------------------------
Cross-Site Scripting in Contact Form to Email WordPress Plugin
------------------------------------------------------------------------
Burak Kelebek, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting (XSS) vulnerability has...
Categories: Security