Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Stored XSS in Advanced Custom Fields: Table Field allows authenticated users to do almost anything an admin user can (WordPress plugin)

12 August, 2016 - 15:46

Posted by dxw Security on Aug 12

Details
================
Software: Advanced Custom Fields: Table Field
Version: 1.1.12
Homepage: https://wordpress.org/plugins/advanced-custom-fields-table-field/
Advisory report:
https://security.dxw.com/advisories/xss-in-advanced-custom-fields-table-field-could-allow-authenticated-users-to-do-almost-anything-an-admin-user-can/
CVE: Awaiting assignment
CVSS: 4.9 (Medium; AV:N/AC:M/Au:S/C:P/I:P/A:N)

Description
================
Stored XSS in...

DDanchev's Blog Going Private - Request Access

12 August, 2016 - 15:46

Posted by Ddanchev on Aug 12

Hi, everyone,

As, of, today, my, blog - http://ddanchev.blogspot.com is going, private, and, I, decided, to, let, everyone, know, on,
how, to, request, access, to, continue, to, maintain, access, to, the, blog.

http://ddanchev.blogspot.com/2016/08/ddanchevs-blog-going-private-request.html

Looking forward to receiving your response.

Let me know.

Thanks,
Dancho

Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%

12 August, 2016 - 15:41

Posted by Stefan Kanthak on Aug 12

Hi @ll,

several of Microsoft's Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in "protected
administrator" accounts [*].

* CoreInfo.exe:
extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
%TEMP%\VERSION.DLL (on Windows Vista and newer)...

NEW VMSA-2016-0011 - vRealize Log Insight update addresses directory traversal vulnerability.

12 August, 2016 - 09:54

Posted by VMware Security Response Center on Aug 12

-----------------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0011
Severity: Moderate
Synopsis: vRealize Log Insight update addresses directory traversal
vulnerability.
Issue date: 2016-08-11
Updated on: 2016-08-11 (Initial Advisory)
CVE number: CVE-2016-5332

1. Summary

vRealize Log Insight update addresses directory...

QuickerBB 0.7.0 - Register Cross Site Scripting Vulnerability

11 August, 2016 - 05:06

Posted by Vulnerability Lab on Aug 11

Document Title:
===============
QuickerBB 0.7.0 - Register Cross Site Scripting Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1895

Release Date:
=============
2016-08-11

Vulnerability Laboratory ID (VL-ID):
====================================
1895

Common Vulnerability Scoring System:
====================================
3.2

Product & Service Introduction:...

Microsoft Education - Stored Cross Site Web Vulnerability

11 August, 2016 - 05:04

Posted by Vulnerability Lab on Aug 11

Document Title:
===============
Microsoft Education - Stored Cross Site Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1897

Release Date:
=============
2016-08-10

Vulnerability Laboratory ID (VL-ID):
====================================
1897

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:...

[CORE-2016-0006] - SAP CAR Multiple Vulnerabilities

10 August, 2016 - 15:45

Posted by CORE Advisories Team on Aug 10

1. Advisory Information

Title: SAP CAR Multiple Vulnerabilities
Advisory ID: CORE-2016-0006
Advisory URL: http://www.coresecurity.com/advisories/sap-car-multiple-vulnerabilities
Date published: 2016-08-09
Date of last update: 2016-08-09
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Unchecked Return Value [CWE-252], TOCTOU Race Condition [CWE-367]
Impact: Denial of service, Security bypass
Remotely...

SEC Consult SA-20160810-0 :: Multiple vulnerabilities in LINE instant messenger platform

10 August, 2016 - 03:58

Posted by SEC Consult Vulnerability Lab on Aug 10

SEC Consult Vulnerability Lab Security Advisory < 20160810-0 >
=======================================================================
title: Multiple vulnerabilities
product: LINE instant messenger platform
vulnerable version: before June 2016
fixed version: after June/July 2016
impact: removed (as per bounty program policy)
homepage: http://line.me/en/
found:...

Internet Explorer iframe sandbox local file name disclosure vulnerability

9 August, 2016 - 12:47

Posted by Securify B.V. on Aug 09

------------------------------------------------------------------------
Internet Explorer iframe sandbox local file name disclosure
vulnerability
------------------------------------------------------------------------
Yorick Koster, March 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that Internet Explorer allows the...

Nuke Evolution 2.0.9d - Multiple Client Side Cross Site Scripting Vulnerabilities

9 August, 2016 - 02:30

Posted by Vulnerability Lab on Aug 09

Document Title:
===============
Nuke Evolution 2.0.9d - Multiple Client Side Cross Site Scripting Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1894

Release Date:
=============
2016-08-09

Vulnerability Laboratory ID (VL-ID):
====================================
1894

Common Vulnerability Scoring System:
====================================
3.4

Product & Service Introduction:...

FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability

9 August, 2016 - 02:23

Posted by Vulnerability Lab on Aug 09

Document Title:
===============
FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1842

Fortinet PSIRT ID: 1737213

Release Notes: http://docs.fortinet.com/uploaded/files/3081/fortiVoiceenterprise-5.0.5-release%20notes.pdf

Release Date:
=============
2016-08-09

Vulnerability Laboratory ID (VL-ID):...

Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability

9 August, 2016 - 02:19

Posted by Vulnerability Lab on Aug 09

Document Title:
===============
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1896

Release Date:
=============
2016-08-08

Vulnerability Laboratory ID (VL-ID):
====================================
1896

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:...

Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin

8 August, 2016 - 10:53

Posted by Summer of Pwnage on Aug 08

------------------------------------------------------------------------
Cross-Site Request Forgery vulnerability in Add From Server WordPress
Plugin
------------------------------------------------------------------------
Edwin Molenaar, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that Add From Server is...

phpCollab v2.5 CMS - SQL Injection Vulnerability

8 August, 2016 - 04:19

Posted by Vulnerability Lab on Aug 08

Document Title:
===============
phpCollab v2.5 CMS - SQL Injection Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1898

Release Date:
=============
2016-08-08

Vulnerability Laboratory ID (VL-ID):
====================================
1898

Common Vulnerability Scoring System:
====================================
6.6

Product & Service Introduction:
===============================...

[SYSS-2016-063] VMware ESXi 6 - Improper Input Validation (CWE-20)

5 August, 2016 - 18:50

Posted by Matthias Deeg on Aug 05

Advisory ID: SYSS-2016-063
Product: VMware vSphere Hypervisor (ESXi)
Manufacturer: VMware, Inc.
Affected Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
VMware vCenter Server 6.0 U2
Tested Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-07-01
Solution Date: 2016-08-04
Public...

Re: Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance

5 August, 2016 - 18:50

Posted by Pedro Ribeiro on Aug 05

Forgot to mention - these are actually "0 days" since the vendors didn't
bother to respond or issue fixes - see timeline above.

Regards,
Pedro

Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance

5 August, 2016 - 18:50

Posted by Pedro Ribeiro on Aug 05

tl;dr

Lots of RCE, hardcoded credentials, stack buffer overflow and
information disclosure in the Nuuo NVRmini and other network video
recorders of the same vendor.
These vulnerabilities also affect the NETGEAR Surveillance app (which
can be installed on the NETGEAR ReadyNAS).

See the full advisory including PoC and exploits below, or at my github
(https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.txt).

Metasploit...

K2 (Joomla! Extension) < 2.7.1 - Reflected Cross Site Scripting

5 August, 2016 - 18:50

Posted by Manuel Mancera on Aug 05

================================================================
K2 Joomla! Extension < 2.7.1 - Reflected Cross Site Scripting
================================================================

Information
--------------------
Name: K2 Joomla! Extension - Reflected Cross Site Scripting
Affected Software : K2
Affected Versions: < 2.7.1
Vendor Homepage : https://getk2.org/
http://extensions.joomla.org/extension/k2
Vulnerability Type :...

CVE-2016-6527 Possible Privilege Escalation in telecom of Samsung Mobile Phone

5 August, 2016 - 18:50

Posted by 0xr0ot on Aug 05

Hi,

Description of the potential vulnerability:
Severity: Medium
Affected versions: L(5.0/5.1), M(6.0)
Reported on: May 11, 2016
Disclosure status: Privately disclosed.
The vulnerability in the SmartCall Activity components of the Telecom application
can crash and reboot a device when a malformed serializable object
is passed.

Fix:
http://security.samsungmobile.com/smrupdate.html#SMR-AUG-2016
SVE-2016-6244: Possible Privilege Escalation in...