SOLDIERX.COM Nobody Can Stop Information Insemination

Posted by Rafael Pedrero on Mar 01

In 2009...

<!--
# Exploit Title: Cross Site Scripting in PRTG Network Monitor v7.1.3.3378
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.paessler.com/prtg
# Software Link: http://www.paessler.com/prtg
# Version: PRTG Network Monitor v7.1.3.3378
# Tested on: All
# CVE : CVE-2019-9206
# Category: webapps

1. Description

PRTG Network Monitor v7.1.3.3378 allows XSS via the /public/login.htm,
errormsg or...

Posted by Axel Boesenach on Mar 01

Dear reader,

I am not sure if I am contacting through the right email address but someone said I should e-mail you guys.

I found an RCE functionality in the Apache UNO API which could give an attacker control over a machine, or use a
machine already compromised in the network to exfiltrate data, etc.

The company that posted this issue on their blog is the company I did my internship. Copy-paste from the advisory on
there:

[START OF...

Posted by RedForce Advisory on Mar 01

RedForce Advisory
https://redforce.io

## ِAdvisory Information
Title: SHAREit For Android <= 4.0.38 Multiple Vulnerabilities
Advisory URL:
https://blog.redforce.io/shareit-vulnerabilities-enable-unrestricted-access-to-adjacent-devices-files/
Date published: 2019-02-25
Date of last update: 2019-02-25
Vendors contacted: Beijing Shareit Information Technology Co., Ltd.

## Introduction

SHAREit for Android is a popular application used for file...

Posted by advisories on Mar 01

SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27...

Posted by Asterisk Security Team on Feb 28

Asterisk Project Security Advisory - AST-2019-001

Product Asterisk
Summary Remote crash vulnerability with SDP protocol
violation
Nature of Advisory Denial Of Service
Susceptibility Remote Authenticated Sessions...

Posted by Stefan Kanthak on Feb 26

Hi @ll,

Microsoft just announced the general availability of their
"Windows Defender Advanced Threat Protection/Endpoint Protection & Response"
for their "downlevel" operating systems Windows 7 and Windows 8.1:
https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Windows-Defender-ATP-s-EDR-capability-for-Windows-7-and-Windows/ba-p/355535

This announcement ends in

| For more information on how you can onboard...

Posted by Rafael Pedrero on Feb 26

<!--
# Exploit Title: Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.sqlitemanager.org/
# Software Link: http://www.sqlitemanager.org/
# Version: SQLiteManager 1.2.0 (and 1.2.4)
# Tested on: All
# CVE : CVE-2019-9083
# Category: webapps

1. Description

SQLiteManager 1.2.0 (and 1.2.4) allows SQL injection via the
/sqlitemanager/main.php dbsel parameter....

Posted by Sebastian Neef on Feb 26

The SVG library nanosvg [0] suffers from a memory corruption bug that can lead to at least DoS.

The bug exists in the `nsvg__parseColorRGB` function, which can be reached by parsing a malicious SVG file through
`nsvgParseFromFile` or `nsvgParse`. This should also affect libraries/packages that provide bindings to nanosvg, for
example:

- Lua: https://github.com/iongion/lunavg
- Python: https://github.com/ethanhs/pynanosvg
- Java:...

Posted by Geeknik Labs via Fulldisclosure on Feb 22

Tautulli (https://tautulli.com/) is a Python based monitoring and tracking tool for Plex Media Server.

We discovered that an authenticated Plex Media Server user could change their Plex username to include JavaScript and
Tautulli would fail to sanitize the username so that when the Plex Media Server administrator viewed certain pages
generated by Tautulli, the JavaScript would be executed in the context of the server administrator.

This was...

Posted by Will Boucher via Fulldisclosure on Feb 21

Kanboard 1.2.7 Multiple Vulnerabilities

Kanboard 1.2.7 contains multiple vulnerabilities. The vulnerabilities include CSV account import cross site request
forgery which allows an unauthenticated attacker to create a new administrative user. Cross site request forgery 2FA
deactivation, allowing an unauthenticated attacker to disable an account's 2FA configuration. A lack of integrity
checking or transport layer encryption enforced on...

Posted by Stephen Shkardoon on Feb 21

Introduction
============

Multiple vulnerabilities were identified within the Teracue ENC-400,
including pre-authenticated remote code authentication. While the vendor
has released updated firmware after these issues were identified, they are
not all resolved with the latest version of the firmware.

Product
=======

The Teracue ENC-400 is accessible over an HTTP interface, which allows
device configuration (including setting passwords or video...

Posted by Rafael Pedrero on Feb 21

<!--
# Exploit Title: Cross Site Scripting in VertrigoServ 2.17
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://vertrigo.sf.net
# Software Link: http://vertrigo.sf.net
# Version: VertrigoServ 2.17
# Tested on: All
# CVE : CVE-2019-8938
# Category: webapps

1. Description

VertrigoServ 2.17 allows XSS via the /inc/extensions.php ext parameter.
NOTE: This product is discontinued.

2. Proof of Concept...

Posted by Rafael Pedrero on Feb 21

I thought I had reported it but not, better late than never.

<!--
# Exploit Title: Cross Site Scripting in Advanced comment system v1.0
# Date: 29-10-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://www.plohni.com
# Software Link:
http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip,
https://web.archive.org/web/20120214173003/http://www.plohni.com/wb/content/php/download/Advanced_comment_system_1-0.zip...

Posted by Rafael Pedrero on Feb 21

<!--
# Exploit Title: Path traversal vulnerability in Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8925
# Category: webapps

1. Description...

Posted by Rafael Pedrero on Feb 21

<!--
# Exploit Title: SQL injection in XAMPP 5.6.8 (and previous)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Software Link:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Version: XAMPP 5.6.8
# Tested on: All
# CVE : CVE-2019-8923
# Category: webapps

1. Description

XAMPP through 5.6.8 allows SQL injection via the...

Posted by Kevin Kotas via Fulldisclosure on Feb 21

CA20190212-01: Security Notice for CA Privileged Access Manager

Issued: February 12, 2019
Last Updated: February 12, 2019

CA Technologies Support is alerting customers to a potential risk
with CA Privileged Access Manager. A vulnerability exists that can
allow a remote attacker to access sensitive information or modify
configuration. CA published solutions to address the vulnerabilities.

CVE-2019-7392 describes a vulnerability resulting from...

Posted by Henri Salo on Feb 21

CVE-2019-8935 has been assigned for this vulnerability.

Posted by Daniel Bishtawi on Feb 21

Hello,

We are glad to inform you about the vulnerabilities we reported in HTMLy
2.7.4.

Here are the details:

Advisory by Netsparker
Name: Cross-Site Scripting Vulnerabilities in HTMLy 2.7.4
Affected Software: HTMLy
Affected Versions: 2.7.4
Homepage: https://github.com/danpros/htmly
Vulnerability: Cross-Site Scripting
Severity: High
Status: Not Fixed
CVE-ID: CVE-2019-8349
CVSS Score (3.0): CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Netsparker...

Posted by Daniel Bishtawi on Feb 21

Hello,

We are glad to inform you about the vulnerabilities we reported in
GetSimpleCMS 3.3.13.

Here are the details:

Advisory by Netsparker
Name: Open Redirection Vulnerability in GetSimpleCMS
Affected Software: GetSimpleCMS
Affected Versions: 3.3.13
Homepage: http://get-simple.info/
Vulnerability: Open Redirection
Severity: Medium
Status: Not Fixed
CVSS Score (3.0): AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Netsparker Advisory Reference: NS-18-056...

Posted by advisories on Feb 21

SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Micro Focus Filr Multiple Vulnerabilities

1. *Advisory Information*

Title: Micro Focus Filr Multiple Vulnerabilities
Advisory ID: SAUTH-2019-0001
Advisory URL:
https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
Date published: 2019-02-20
Date of last update: 2019-02-20
Vendors contacted: Micro Focus
Release mode: Coordinated release

2....