Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

SEC Consult SA-20160624-0 :: ASUS DSL-N55U router XSS and information disclosure

24 June, 2016 - 03:58

Posted by SEC Consult Vulnerability Lab on Jun 24

SEC Consult Vulnerability Lab Security Advisory < 20160624-0 >
=======================================================================
title: XSS and information disclosure vulnerability
product: ASUS DSL-N55U router
vulnerable version: 3.0.0.4.376_2736
fixed version: 3.0.0.4_380_3679
CVE number: requested
impact: Medium
homepage: https://www.asus.com/
found:...

[KIS-2016-07] SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability

23 June, 2016 - 17:05

Posted by Egidio Romano on Jun 23

------------------------------------------------------------------------------
SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability
------------------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com/

[-] Affected Versions:

Version 6.5.23 CE and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the...

[KIS-2016-06] SugarCRM <= 6.5.18 (MySugar::addDashlet) Insecure fopen() Usage Vulnerability

23 June, 2016 - 17:04

Posted by Egidio Romano on Jun 23

-----------------------------------------------------------------------------
SugarCRM <= 6.5.18 (MySugar::addDashlet) Insecure fopen() Usage Vulnerability
-----------------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com/

[-] Affected Versions:

Version 6.5.18 CE and other versions.

[-] Vulnerability Description:

The vulnerable code is located within the MySugar::addDashlet() method:...

[KIS-2016-05] SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities

23 June, 2016 - 17:04

Posted by Egidio Romano on Jun 23

---------------------------------------------------------
SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
---------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com/

[-] Affected Versions:

Version 6.5.18 CE and prior versions.

[-] Vulnerabilities Description:

1) The vulnerable code is located in the /include/utils/array_utils.php script:

99. function...

[KIS-2016-04] SugarCRM <= 6.5.18 Missing Authorization Check Vulnerabilities

23 June, 2016 - 17:03

Posted by Egidio Romano on Jun 23

--------------------------------------------------------------
SugarCRM <= 6.5.18 Missing Authorization Check Vulnerabilities
--------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com/

[-] Affected Versions:

Version 6.5.18 CE and prior versions.

[-] Vulnerabilities Description:

The application fails to properly check whether the user has administrator privileges within the following...

[KIS-2016-03] SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability

23 June, 2016 - 17:01

Posted by Egidio Romano on Jun 23

--------------------------------------------------------------------------
SugarCRM <= 6.5.18 (SAML Authentication) XML External Entity Vulnerability
--------------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com/

[-] Affected Versions:

Version 6.5.18 CE and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the constructor method of the...

CVE ID Request : Horsys v8 multiple vulnerabilities

21 June, 2016 - 08:10

Posted by Sysdream Labs on Jun 21

# Several Vulnerabilities found in Horsys V8

Horsys is a human resource application, allowing the user to manage his profile, vacation, position title and other
personal data like address, phone number and so on.

The application runs on Windows and launches a web server. This product has been developed by Asys company.

We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account...

[ERPSCAN-16-015] SAP NetWeaver Java AS - multiple XSS vulnerabilities

21 June, 2016 - 08:10

Posted by ERPScan inc on Jun 21

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bugs: XSS

Sent: 29.09.2015

Reported: 30.09.2015

Vendor response: 30.09.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2238765

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-015] SAP NetWeaver Java AS – multiple XSS vulnerabilities

Advisory ID:...

[ERPSCAN-16-016] SAP NetWeaver Java AS WD_CHAT - Information disclosure vulnerability

21 June, 2016 - 08:10

Posted by ERPScan inc on Jun 21

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: information disclosure

Sent: 04.12.2015

Reported: 05.12.2015

Vendor response: 05.12.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2255990

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: SAP NetWeaver AS Java WD_CHAT – Information disclosure vulnerability...

APPLE-SA-2016-06-20-1 AirPort Base Station Firmware Update 7.6.7 and 7.7.7

21 June, 2016 - 08:10

Posted by Apple Product Security on Jun 21

APPLE-SA-2016-06-20-1 AirPort Base Station Firmware Update 7.6.7 and
7.7.7

AirPort Base Station Firmware Update 7.6.7 and 7.7.7 is now available
and addresses the following:

AirPort Base Station Firmware
Available for: AirPort Express, AirPort Extreme and AirPort
Time Capsule base stations with 802.11n; AirPort Extreme and
AirPort Time Capsule base stations with 802.11ac
Impact: A remote attacker may be able to cause arbitrary code
execution...

CVE-2016-0199 / MS16-063: MSIE 11 garbage collector attribute type confusion

18 June, 2016 - 12:36

Posted by Berend-Jan Wever on Jun 18

CVE-2016-0199 / MS16-063: MSIE 11 garbage collector attribute type confusion
============================================================================
This information is available in an easier to read format on my blog at
http://blog.skylined.nl/

With [MS16-063] Microsoft has patched [CVE-2016-0199]: a memory corruption bug
in the garbage collector of the JavaScript engine used in Internet Explorer 11.
By exploiting this vulnerability, a...

Multiple vulnerabilities in squid 0.4.16_2 running on pfSense

18 June, 2016 - 12:36

Posted by Remco Sprooten on Jun 18

I. VULNERABILITY
-------------------------
Multiple vulnerabilities in squid 0.4.16_2 running on pfSense
Version 2.3.1-RELEASE-p1

II. BACKGROUND
-------------------------
The pfSense project is a free network firewall distribution, based on the
FreeBSD operating system, with a custom kernel and an array of third-party
free software packages that can be installed for additional functionality.
Through this package system pfSense software is able...

[ERPSCAN-16-014] SAP NetWeaver AS Java NavigationURLTester - XSS vulnerability

18 June, 2016 - 12:36

Posted by ERPScan inc on Jun 18

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: XSS

Sent: 20.10.2015

Reported: 21.10.2015

Vendor response: 21.10.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2238375

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-014] SAP NetWeaver AS Java NavigationURLTester –
XSS vulnerability

Advisory...

[ERPSCAN-16-013] SAP NetWeaver AS Java ctcprotocol servlet - XXE vulnerability

18 June, 2016 - 12:35

Posted by ERPScan inc on Jun 18

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: XXE

Sent: 20.10.2015

Reported: 21.10.2015

Vendor response: 21.10.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2235994

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-013] SAP NetWeaver AS Java ctcprotocol servlet –
XXE vulnerability

Advisory...

[ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability

18 June, 2016 - 12:35

Posted by ERPScan inc on Jun 18

Application: SAP NetWeaver AS JAVA

Versions Affected: SAP NetWeaver AS JAVA 7.1 - 7.5

Vendor URL: http://SAP.com

Bug: Directory traversal

Sent: 29.09.2015

Reported: 29.09.2015

Vendor response: 30.09.2015

Date of Public Advisory: 08.03.2016

Reference: SAP Security Note 2234971

Author: Vahagn Vardanyan (ERPScan)

Description

1. ADVISORY INFORMATION

Title: [ERPSCAN-16-012] SAP NetWeaver AS Java directory traversal vulnerability...

[CVE-2016-1014] Escalation of privilege via executable (un)installers of Flash Player

18 June, 2016 - 12:35

Posted by Stefan Kanthak on Jun 18

Hi @ll,

the executable (un)installers for Flash Player before version
22.0.0.192 and 18.0.0.360 (both released on 2016-06-15) are
vulnerable to DLL hijacking: they load and execute multiple
Windows system DLLs from their "application directory" instead
of Windows' "system directory" %SystemRoot%\System32\.

On Windows 7 and before they also (try to) load PCACli.dll and
API-MS-Win-Downlevel-Shell32-l1-1-0.dll from the...

CVE-2016-5709 - Use of Weak Encryption Algorithm in Solarwinds Virtualization Manager

16 June, 2016 - 16:23

Posted by Nate Kettlewell on Jun 16

Product: Solarwinds Virtualization Manager

Vendor: Solarwinds
Vulnerable Version(s): < 6.3.1
Tested Version: 6.3.1

Vendor Notification: April 25th, 2016
Vendor Patch Availability to Customers: June 1st, 2016
Public Disclosure: June 14th, 2016

Vulnerability Type: Security Misconfiguration
CVE Reference: CVE-2016-5709
Risk Level: High
CVSSv3 Base Score: 6.0 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)
Solution Status: Solution Available...

Stack Overflow in BLAT

16 June, 2016 - 10:36

Posted by vishnu raju on Jun 16

Hi Hackers,

Greetings from Vishnu (@dh4wk)

1. Vulnerable Product Version:

*Blat v3.2.14*
Link: blat.net

2. Vulnerability Information

Impact: Attacker may gain administrative access / can perform a DOS

Remotely Exploitable: No

Locally Exploitable: May be possible

3. Product Details

An open source Windows (32 & 64 bit) command line SMTP mailer. We can use
it to automatically email logs, the contents of a html FORM, or...

Papouch TME Temperature & Humidity Thermometers - Multiple Vulnerabilities

16 June, 2016 - 10:35

Posted by Karn Ganeshen on Jun 16

+++++
*Vulnerable Products*
1. Papouch TME Ethernet thermometer
2. Papouch TME multi: Temperature and humidity via Ethernet

*All versions affected*

*TME - Ethernet Thermometer*
http://www.papouch.com/en/shop/product/tme-ip-ethernet-thermometer/

*TME multi: Temperature and humidity via Ethernet*
http://www.papouch.com/en/shop/product/tme-multi-temperature-humidity-via-ethernet/

*Vulnerability Details*

*1. Weak Credentials Management*

Device...

HP StoreEver MSL6480 Tape Library v4.10 - Multiple Vulnerabilities

16 June, 2016 - 10:35

Posted by Karn Ganeshen on Jun 16

*HP StoreEver MSL6480 Tape Library v4.10 - Multiple Vulnerabilities*

*Confirmed on firmware version 4.10*

*HPE PSRT response*: Upgrade to MSL6480 is 4.90 (current version)

*Weak Credentials Management*

The device comes with weak, default login credentials - security/security -
and the application does not enforce a mandatory password change from
default to strong password values.

*Access Control Issues*

An unauthenticated user can download...