Security Alerts

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

CVE-2019-11517: CSRF in Wampserver 3.1.4-3.1.8

Mon, 06/10/2019 - 04:27

Posted by Imre Rad on Jun 10

Affected product:
WampServer 3.1.4-3.1.8

Official description:
"WampServer is a Windows web development environment. It allows you to
create web applications with Apache2, PHP and a MySQL database.
Alongside, PhpMyAdmin allows you to manage easily your databases."

Official website:
http://www.wampserver.com/en/

Vulnerability description:
The add_vhost.php script in the administration panel of Wampserver was
vulnerable to Cross Site...
Categories: Security

[SECURITY] [DSA 4458-1] cyrus-imapd security update

Mon, 06/10/2019 - 01:09

Posted by Salvatore Bonaccorso on Jun 09

-------------------------------------------------------------------------
Debian Security Advisory DSA-4458-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 08, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : cyrus-imapd
CVE ID : CVE-2019-11356

A flaw was...
Categories: Security

Newly released IoT security issues

Mon, 06/10/2019 - 01:05

Posted by stevesim84 on Jun 09

Two repositories containing security issues against various kinds of IoT devices, ranging from consumer electronics such
as smart routers, smart home controllers and smart IP cameras to tools used in IIoT as well as routers, seem to have been
released.

One of them was identified by Samuel Huntley and concerns a Moxa IIoT router --
https://github.com/samuelhuntley/Moxa_AWK_1121

The other one is identified by Mandar Satam who works in the security field...
Categories: Security

[SECURITY] [DSA 4457-1] evolution security update

Mon, 06/10/2019 - 00:55

Posted by Sebastien Delafond on Jun 09

-------------------------------------------------------------------------
Debian Security Advisory DSA-4457-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
June 07, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : evolution
CVE ID : CVE-2018-15587
Debian Bug :...
Categories: Security

[SECURITY] [DSA 4454-2] qemu regression update

Fri, 06/07/2019 - 00:44

Posted by Salvatore Bonaccorso on Jun 06

-------------------------------------------------------------------------
Debian Security Advisory DSA-4454-2 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 06, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : qemu
Debian Bug : 929067

Vincent Tondellier reported...
Categories: Security

[SECURITY] [DSA 4456-1] exim4 security update

Wed, 06/05/2019 - 22:24

Posted by Salvatore Bonaccorso on Jun 05

-------------------------------------------------------------------------
Debian Security Advisory DSA-4456-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 05, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : exim4
CVE ID : CVE-2019-10149

The Qualys Research...
Categories: Security

[SYSS-2019-015]: Logitech R700 Laser Presentation Remote - Keystroke Injection Vulnerability

Tue, 06/04/2019 - 07:18

Posted by matthias . deeg on Jun 04

Advisory ID: SYSS-2019-015
Product: R700 Laser Presentation Remote
Manufacturer: Logitech
Affected Version(s): Model R-R0010 (PID WD904XM and PID WD802XM)
Tested Version(s): Model R-R0010 (PID WD904XM and PID WD802XM)
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-12
Solution Date: -
Public...
Categories: Security

[SYSS-2019-008]: Inateck 2.4 GHz Wearable Wireless Presenter WP2002 - Keystroke Injection Vulnerability

Tue, 06/04/2019 - 07:15

Posted by matthias . deeg on Jun 04

Advisory ID: SYSS-2019-008
Product: 2.4 GHz Wearable Wireless Presenter WP2002
Manufacturer: Inateck
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-22
Solution Date: -
Public Disclosure: 2019-06-04
CVE Reference: CVE-2019-12504
Author of...
Categories: Security

[SYSS-2019-007]: Inateck 2.4 GHz Wireless Presenter WP1001 - Keystroke Injection Vulnerability

Tue, 06/04/2019 - 07:11

Posted by matthias . deeg on Jun 04

Advisory ID: SYSS-2019-007
Product: 2.4 GHz Wireless Presenter WP1001
Manufacturer: Inateck
Affected Version(s): Rev. v1.3C
Tested Version(s): Rev. v1.3C
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-22
Solution Date: -
Public Disclosure: 2019-06-04
CVE Reference: CVE-2019-12505
Author of...
Categories: Security

[SECURITY] [DSA 4455-1] heimdal security update

Tue, 06/04/2019 - 00:27

Posted by Salvatore Bonaccorso on Jun 03

-------------------------------------------------------------------------
Debian Security Advisory DSA-4455-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 03, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : heimdal
CVE ID : CVE-2018-16860 CVE-2019-12098...
Categories: Security

Rapid7’s Windows InsightIDR Agent: Local Privilege Escalation

Mon, 06/03/2019 - 06:49

Posted by Florian Bogner on Jun 03

Local Privilege Escalation in Rapid7’s Windows Insight IDR Agent

Metadata
===================================================
Release Date: 03-Jun-2019
Author: Florian Bogner @ https://bee-itsecurity.at
Affected product: Rapid7’s Insight Agent v2.6.3.14 and earlier for Windows
Fixed in: version 2.6.5
Tested on: Windows 10 x64 fully patched
CVE: CVE-2019-5629
URL:...
Categories: Security

Unauthorized Access Vulnerability in ZyXEL P-660HN-T1 V2 (2.00(AAKK.3))

Fri, 05/31/2019 - 08:34

Posted by Onur Onur on May 31

Description:
The rpWLANRedirect.asp ASP page is accessible without authentication
on ZyXEL P-660HN-T1 V2 (2.00(AAKK.3)) devices. After accessing the
page, the admin user's password can be obtained by viewing the HTML
source code, and the interface of the modem can be accessed as admin.

Solution:
The manufacturer has released the hotfix via dropbox for the current
vulnerability....
Categories: Security

APPLE-SA-2019-5-30-1 AirPort Base Station Firmware Update 7.9.1

Fri, 05/31/2019 - 07:51

Posted by Apple Product Security on May 31

APPLE-SA-2019-5-30-1 AirPort Base Station Firmware Update 7.9.1

AirPort Base Station Firmware Update 7.9.1 is now available and
addresses the following:

AirPort Base Station Firmware
Available for: AirPort Extreme and AirPort Time Capsule base stations
with 802.11ac
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8581: Lucio Albornoz

AirPort Base...
Categories: Security

[SECURITY] [DSA 4454-1] qemu security update

Fri, 05/31/2019 - 07:48

Posted by Moritz Muehlenhoff on May 31

-------------------------------------------------------------------------
Debian Security Advisory DSA-4454-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 30, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : qemu
CVE ID : CVE-2018-11806 CVE-2018-12617...
Categories: Security

[SECURITY] [DSA 4453-1] openjdk-8 security update

Thu, 05/30/2019 - 12:51

Posted by Moritz Muehlenhoff on May 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-4453-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
May 29, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2019-2602 CVE-2019-2684...
Categories: Security

[SYSS-2019-014]: Siemens LOGO! 8 - Storing Passwords in a Recoverable Format (CWE-257)

Wed, 05/29/2019 - 03:34

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-014
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...
Categories: Security

[SYSS-2019-013]: Siemens LOGO! 8 - Missing Authentication for Critical Function (CWE-306)

Wed, 05/29/2019 - 03:30

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-013
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...
Categories: Security

[SYSS-2019-012]: Siemens LOGO! 8 - Use of Hard-coded Cryptographic Key (CWE-321)

Wed, 05/29/2019 - 03:27

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-012
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...
Categories: Security

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

Wed, 05/29/2019 - 00:41

Posted by Apple Product Security on May 28

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

iTunes for Windows 12.9.5 is now available and addresses the
following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead...
Categories: Security