Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Virtual Freer v1.58 - Client Side Cross Site Scripting Vulnerability

7 April, 2016 - 03:19

Posted by Vulnerability Lab on Apr 07

Document Title:
===============
Virtual Freer v1.58 - Client Side Cross Site Scripting Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1812

Release Date:
=============
2016-04-06

Vulnerability Laboratory ID (VL-ID):
====================================
1812

Common Vulnerability Scoring System:
====================================
3.2

Product & Service Introduction:...

Techsoft WS CMS (2016 Q2) - SQL Injection Web Vulnerability

7 April, 2016 - 03:17

Posted by Vulnerability Lab on Apr 07

Document Title:
===============
Techsoft WS CMS (2016 Q2) - SQL Injection Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1810

Release Date:
=============
2016-04-04

Vulnerability Laboratory ID (VL-ID):
====================================
1810

Common Vulnerability Scoring System:
====================================
7.2

Product & Service Introduction:...

Check out faraday v1.0.18! New CLI mode, Jira support & bug fixes!

6 April, 2016 - 10:30

Posted by Francisco Amato on Apr 06

Today we are happy to announce that Faraday v1.0.18 is ready!

A short iteration, filled with small powerups - brand new CLI mode
allows you to process reports in batch, new helpers and plugin fixes.

We know that our users rely on a lot of different systems and
solutions and we want to integrate Faraday in that workflow. In that
order we added the ability to easily export data into a JIRA
installation, allowing users to share the findings...

CVE-2016-3672 - Unlimiting the stack not longer disables ASLR

6 April, 2016 - 10:29

Posted by Hector Marco-Gisbert on Apr 06

Hi everyone,

We have fixed an old and very well-known weakness in the Linux ASLR implementation.

The weakness allowed any user able to run 32-bit applications on an x86
machine to disable ASLR by setting the RLIMIT_STACK resource to unlimited.

This is a very old trick to disable ASLR, but unfortunately it was still present
in current Linux systems.

Details at:...

Panda Security 2016 Home User Products - Privilege Escalation

6 April, 2016 - 10:29

Posted by Kyriakos Economou on Apr 06

* CVE: CVE-2015-7378
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Security URL Filtering < v4.3.1.9
* Fixed Version: Panda Security URL Filtering v4.3.1.9

Description:
All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local
attacker to execute code as SYSTEM from any account (Guest...

Panda Security Multiple Business Products - Privilege Escalation

6 April, 2016 - 10:29

Posted by Kyriakos Economou on Apr 06

* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00

Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type
(Guest included) and execute code as SYSTEM,...

hardwear.io CFP 2016 - Hardware Security Conference Call for Papers

6 April, 2016 - 10:29

Posted by Hardwear Team on Apr 06

Dear Hackers and Security Gurus,

hardwear.io is seeking innovative research on hardware security. If you
have done interesting research on attacks or mitigation on any
Hardware and want to showcase it to the security community, just
submit your research paper. Please find all the relevant details for
the submission below.

About hardwear.io
----------------------------
hardwear.io Security Conference is a platform for hardware and
security...

Fireware XTM Web UI - Open Redirect

6 April, 2016 - 10:29

Posted by Manuel Mancera on Apr 06

================================================================
Fireware XTM Web UI - Open Redirect
================================================================

Information
--------------------
Name: Fireware XTM Web UI - Open Redirect
Affected Software : Fireware XTM Web UI
Affected Versions: < 11.10.7
Vendor Homepage : http://www.watchguard.com/
Vulnerability Type : Open Redirect
Severity : Low
CVE: n/a

Product
--------------------...

MeshCMS 3.6 – Multiple vulnerabilities

6 April, 2016 - 10:29

Posted by xiong piaox on Apr 06

Exploit Title: MeshCMS 3.6 – Multiple vulnerabilities

Date: 2016-04-03

Exploit Author: piaox xiong(xiongyaofu351 () pingan com cn)

Vendor Homepage: http://www.cromoteca.com/en/meshcms/

Software Link: http://www.cromoteca.com/en/meshcms/download/

Version: 3.6

Tested on: Windows OS

#############

Application Description:

MeshCMS is an online editing system written in Java. It provides a set of
features usually included in a CMS, but it...

Re: [SE-2012-01] Broken security fix in IBM Java 7/8

5 April, 2016 - 15:25

Posted by Security Explorations on Apr 05

Hello All,

I should have included the following information in my original post:
1) Issue 67 was assigned CVE-2013-3009 [1],
2) it originally affected IBM Java from versions 1.4 to 7 [2],
3) CVE-ID corresponding to a broken patch will likely not reflect the
original issue. This was the case for IBM's Issue 49 (CVE-2012-4823)
and two of its broken fixes (CVE-2013-3012 and CVE-2013-5458).
4) Incomplete patch for Issue 67 may affect...