Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

WININET CHttpHeaderParser::ParseStatusLine out-of-bounds read details

10 November, 2016 - 10:44

Posted by Berend-Jan Wever on Nov 10

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
eighth entry in that series, although this particular vulnerability does
not just affect web-browsers, but all applications that use WININET to
make HTTP requests.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161110001.html. There you can find a repro
that triggered...

MSIE 9-11 MSHTML PROPERTYDESC::HandleStyleComponentProperty OOB read details

10 November, 2016 - 10:44

Posted by Berend-Jan Wever on Nov 10

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
seventh entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161109001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

MSIE 9-11...

Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)

9 November, 2016 - 10:02

Posted by Rio Sherri on Nov 09

# Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fixes the vulnerability.
# 2016-11-08 -...

VBScript RegExpComp::PnodeParse out-of-bounds read details (MSIE 8-11, IIS, CScript.exe/WScript.exe)

9 November, 2016 - 10:02

Posted by Berend-Jan Wever on Nov 09

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the sixth
entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161108001.html. There you can find a repro
that triggered this issue in addition to the information below.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

VBScript...

Adobe Connect & Desktop v9.5.7 - Persistent Vulnerability (APSB16-35) [CVE-2016-7851]

9 November, 2016 - 03:57

Posted by Vulnerability Lab on Nov 09

Document Title:
===============
Adobe Connect & Desktop v9.5.7 - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1838

Security ID: PSIRT-5180

Bulletin: https://helpx.adobe.com/security/products/connect/apsb16-35.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7851

Public News Article:...

Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin

8 November, 2016 - 09:37

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
------------------------------------------------------------------------
Alyssa Milburn <amilburn.at.zall.org>, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site...

Cross-Site Scripting in Calendar WordPress Plugin

8 November, 2016 - 05:19

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
Cross-Site Scripting in Calendar WordPress Plugin
------------------------------------------------------------------------
Remco Vermeulen, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the Calendar...

Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin

8 November, 2016 - 05:19

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress
Plugin
------------------------------------------------------------------------
Burak Kelebek, October 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A stored Cross-Site Scripting (XSS)...

Cross-Site Scripting vulnerability in Caldera Forms WordPress Plugin

8 November, 2016 - 05:18

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Caldera Forms WordPress Plugin
------------------------------------------------------------------------
Jurgen Kloosterman, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in...

Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin

8 November, 2016 - 05:18

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
Cross-Site Scripting vulnerability in Quotes Collection WordPress Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in...

YITH WooCommerce Compare WordPress Plugin unauthenticated PHP Object injection vulnerability

8 November, 2016 - 05:17

Posted by Summer of Pwnage on Nov 08

------------------------------------------------------------------------
YITH WooCommerce Compare WordPress Plugin unauthenticated PHP Object
injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection...

Cross Site Scripting Vulnerability In Verint Impact 360

8 November, 2016 - 04:02

Posted by Sanehdeep Singh on Nov 08

Overview
========

* Title : Cross Site Scripting Vulnerability In Verint Impact 360
* Author: Sanehdeep Singh
* Plugin Homepage: http://www.verint.com
* Severity: Medium
* Version Affected: 11.1
* Version patched: Patches available. Contact Vendor

Description
===========

About the Product
=================
Verint Impact 360 is a quality monitoring/call recording, workforce
management, performance management, and eLearning help optimize...

Crashing Android devices with large Proxy Auto Config (PAC) Files [CVE-2016-6723]

8 November, 2016 - 04:02

Posted by Nightwatch Cybersecurity Research on Nov 08

[Original at:
https://wwws.nightwatchcybersecurity.com/2016/11/07/crashing-android-devices-with-large-pac-files-cve-2016-6723/]

Summary

Android devices can be crashed forcing a halt and then a soft reboot
by downloading a large proxy auto config (PAC) file when adjusting the
Android networking settings. This can also be exploited by an MITM
attacker that can intercept and replace the PAC file. However, the bug
is mitigated by multiple factors...

[CVE-2016-6563 / VU#677427]: Dlink DIR routers HNAP Login stack buffer overflow

8 November, 2016 - 04:00

Posted by Pedro Ribeiro on Nov 08

tl;dr

A stack bof in several Dlink routers, which can be exploited by an
unauthenticated attacker in the LAN. There is no patch as Dlink did not
respond to CERT's requests. As usual, a Metasploit module is in the
queue (see [9] below) and should hopefully be integrated soon.

The interesting thing about this vulnerability is that it affects both
ARM and MIPS devices, so exploitation is slightly different for each type.

Link to CERT's...

[KIS-2016-13] Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability

7 November, 2016 - 13:21

Posted by Egidio Romano on Nov 07

---------------------------------------------------------------
Piwik <= 2.16.0 (saveLayout) PHP Object Injection Vulnerability
---------------------------------------------------------------

[-] Software Link:

https://piwik.org/

[-] Affected Versions:

Version 2.16.0 and prior versions.

[-] Vulnerability Description:

The vulnerability can be triggered through the saveLayout() method
defined in /plugins/Dashboard/Controller.php:

210....

VBScript CRegExp..Execute use of uninitialized memory details (MSIE 8-11, IIS, CScript.exe/WScript.exe)

7 November, 2016 - 11:36

Posted by Berend-Jan Wever on Nov 07

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the fifth
entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161107001.html. There you can find a repro
that triggered this issue in addition to the information below as well
as a Proof-of-Concept exploit.

Follow me on http://twitter.com/berendjanwever...

[RootedCON 2017] Call for Papers open for RootedCON Madrid 2017!

7 November, 2016 - 11:36

Posted by Román Ramírez on Nov 07

Hello all:

We have opened the Call for Papers for our upcoming event in Madrid, Spain.
RootedCON is the biggest security event in Spain and one of the biggest of
Europe.

Here you can find attached the text for the CFP (EN for English speakers,
ES for Spanish ones), and if you prefer to access the form directly,
here you can find it:

In English:
https://www.rootedcon.com/cfp/cfp2017-en/

In Spanish:...

Several unpatched vulns in OwnCloud

7 November, 2016 - 11:36

Posted by Felix Matei on Nov 07

Dear Community

By comparing the advisories of NextCloud and OwnCloud I figured out that OwnCloud has multiple unpatched
vulnerabilities.

You can see the list here; it seems all patches from the latest Nextcloud 10.0.1 release are missing in OwnCloud:
https://nextcloud.com/security/advisories. This seems to include XSS vulns and more.

An example exploit for one of the vulns would look like this:
http://demo.owncloud.org/index.php/apps/gallery/#...

[SYSS-2016-085] Aruba OS Improper Authentication - (CWE-287)

7 November, 2016 - 11:36

Posted by Klaus Tichmann on Nov 07

Advisory ID: SYSS-2016-085
Product: AOS
Manufacturer: Aruba Networks
Affected Version(s): 6.3.1.19
Tested Version(s): 6.3.1.19 on an RAP-3 router
Vulnerability Type: Improper Authentication
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2016-09-06
Solution Date: --
Public Disclosure: 2016-11-07
CVE Reference: Not yet assigned
Author of Advisory: Klaus Tichmann, SySS GmbH...

Intel(R) HD Graphics 10 - Unquoted Path Privilege Escalation

7 November, 2016 - 05:10

Posted by Vulnerability Lab on Nov 07

Document Title:
===============
Intel(R) HD Graphics 10 - Unquoted Path Privilege Escalation

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1981

Release Date:
=============
2016-11-02

Vulnerability Laboratory ID (VL-ID):
====================================
1981

Common Vulnerability Scoring System:
====================================
4.3

Product & Service Introduction:...