02/02/2015 06:57 AM EST
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
- Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
- Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- flash_player | Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015. | 2015-01-23 | | |
| adobe -- flash_player | Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015. | 2015-01-23 | | |
| adobe -- flash_player | Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors. | 2015-01-28 | | |
| catbot_project -- catbot | SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter. | 2015-01-27 | | |
| cisco -- prime_service_catalog | The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880. | 2015-01-28 | | |
| cisco -- ios | The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682. | 2015-01-28 | | |
| ferretcms_project -- ferretcms | Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/. | 2015-01-27 | | |
| ferretcms_project -- ferretcms | SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php. | 2015-01-27 | | |
| freereprintables -- articlefr | SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/. | 2015-01-27 | | |
| gnome -- vala | The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow. | 2015-01-27 | | |
| gnu -- glibc | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST." | 2015-01-28 | | |
| google -- chrome | Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| ibm -- i_access | Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors. | 2015-01-28 | | |
| jasper_project -- jasper | Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow. | 2015-01-26 | | |
| mantisbt -- mantisbt | MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | 2015-01-26 | | |
| midgard-project -- midgard2 | The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. | 2015-01-26 | | |
| php -- php | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. | 2015-01-27 | | |
| pixabay_images_project -- pixabay_images | pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files. | 2015-01-28 | | |
| polarssl -- polarssl | The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate. | 2015-01-27 | | |
| schneider-electric -- tsxetg3000 | The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request. | 2015-01-27 | | |
| schneider-electric -- tsxetg3000 | The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session. | 2015-01-27 | | |
| sequelize_project -- sequelize | SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. | 2015-01-27 | | |
| two_pilots -- exif_pilot | Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file. | 2015-01-27 | | |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ansible -- tower | Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) users/3/permissions/ in api/v1/ or the (5) next_run parameter to api/v1/schedules/. | 2015-01-27 | | |
| apple -- apple_tv | The mach_port_kobject interface in the kernel in Apple iOS before 8.1.3 and Apple TV before 7.0.3 does not properly restrict kernel-address and heap-permutation information, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app. | 2015-01-30 | | |
| apple -- mac_os_x | The Security component in Apple OS X before 10.10.2 does not properly process cached information about app certificates, which allows attackers to bypass the Gatekeeper protection mechanism by leveraging access to a revoked Developer ID certificate for signing a crafted app. | 2015-01-30 | | |
| apple -- mac_os_x | Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load remote content in messages" configuration, which allows remote attackers to discover recipient IP addresses by including an inline image in an HTML e-mail message and logging HTTP requests for this image's URL. | 2015-01-30 | | |
| apple -- iphone_os | The iTunes Store component in Apple iOS before 8.1.3 allows remote attackers to bypass a Safari sandbox protection mechanism by leveraging redirection of an SSL URL to the iTunes Store. | 2015-01-30 | | |
| attachmate -- reflection_ftp_client | Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response. | 2015-01-27 | | |
| beasts -- vsftpd | Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing. | 2015-01-28 | | |
| eventsentry -- eventsentry | Cross-site scripting (XSS) vulnerability in the Web Reports in EventSentry 3.1.0 allows remote attackers to inject arbitrary web script or HTML via the pageId parameter to networktile/bullet. | 2015-01-23 | | |
| ferretcms_project -- ferretcms | Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login request, which is not properly handled when logging the event, or (3) page title in an insert action. | 2015-01-27 | | |
| ferretcms_project -- ferretcms | Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks. | 2015-01-27 | | |
| freereprintables -- articlefr | Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleFR 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter to search/v/. | 2015-01-27 | | |
| genetechsolutions -- pie_register | The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action. | 2015-01-23 | | |
| google -- chrome | Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% directory, as demonstrated by program.exe, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| google -- chrome | Use-after-free vulnerability in PDFium, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to fpdfsdk/src/fpdfview.cpp and fpdfsdk/src/fsdk_mgr.cpp, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| google -- chrome | components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| google -- chrome | Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an "intra-object-overflow" issue, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| google -- chrome | platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205. | 2015-01-27 | | |
| ibm -- tririga_application_platform | Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter. | 2015-01-28 | | |
| ibm -- tririga_application_platform | IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL. | 2015-01-28 | | |
| ibm -- social_media_analytics | Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-01-28 | | |
| infinite_automation_systems -- mango_automation | Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2) dpxid, or (3) pid parameter. | 2015-01-26 | | |
| jakweb -- gecko_cms | Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php. | 2015-01-29 | | |
| jakweb -- gecko_cms | Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php. | 2015-01-29 | | |
| jasper_project -- jasper | Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image. | 2015-01-26 | | |
| kde -- plasma-workspace | plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package. | 2015-01-26 | | |
| kde -- kde-workspace | kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allow remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked. | 2015-01-26 | | |
| mantisbt -- mantisbt | Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | 2015-01-26 | | |
| mantisbt -- mantisbt | SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | 2015-01-26 | | |
| marked_project -- marked | Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. | 2015-01-27 | | |
| openstack -- image_registry_and_delivery_service_(glance) | OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state. | 2015-01-23 | | |
| osticket -- osticket | Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in osTicket before 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the status parameter in a search action. | 2015-01-23 | | |
| osticket -- osticket | Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 2015-01-23 | | |
| php -- php | The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. | 2015-01-27 | | |
| pivotal_software -- rabbitmq | Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message. | 2015-01-27 | | |
| pivotal_software -- rabbitmq | CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions. | 2015-01-27 | | |
| pixabay_images_project -- pixabay_images | Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter. | 2015-01-27 | | |
| pixabay_images_project -- pixabay_images | Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter. | 2015-01-27 | | |
| pixabay_images_project -- pixabay_images | pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com. | 2015-01-28 | | |
| qualiteam -- x-cart | Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-Cart 5.1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) product_id or (2) category_id parameter. | 2015-01-26 | | |
| xiph -- vorbis-tools | oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero. | 2015-01-23 | | |
| xiph -- vorbis-tools | Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access. | 2015-01-23 | | |
| xiph -- vorbis-tools | oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file. | 2015-01-23 | | |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- tririga_application_platform | Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-01-28 | | |
| pxz_project -- pxz | Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to bypass the intended access restrictions. | 2015-01-23 | | |