Security News

Anviz M3 RFID Access Control security issues

Full Disclosure - 29 May, 2019 - 21:04

Posted by Marco on May 29

Security issues have been found in the Anviz M3 RFID Access Control
device when working in standalone mode connected to a TCP/IP network,
that could lead to access control bypass and private informations
leakage and alteration.

### Advisory information

TITLE: Anviz M3 RFID Access Control security issues
ADVISORY URL: https://github.com/wizlab-it/anviz-m3-rfid-cve-2019-11523-poc/
DATE PUBLISHED: 2019/05/22
AFFECTED VENDORS: Anviz
AFFECTED...

XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221

Full Disclosure - 29 May, 2019 - 21:04

Posted by Nightwatch Cybersecurity Research on May 29

[Original blog post here:
https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/]

SUMMARY

Apache Tomcat had a vulnerability in its SSI implementation which
could be used to achieve cross site scripting (XSS). This is only
exploitable if SSI is enabled and the “printenv” directive is used
which is unlikely in a production system.

The vendor has rated this as a Low severity issue. A fix...

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

Full Disclosure - 29 May, 2019 - 21:03

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

iTunes for Windows 12.9.5 is now available and addresses the
following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead...

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

Full Disclosure - 29 May, 2019 - 21:03

Posted by Apple Product Security via Fulldisclosure on May 29

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

iCloud for Windows 7.12 is now available and addresses the following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead to...

Local Privilege Escalation via Serv-U FTP Server

Full Disclosure - 29 May, 2019 - 21:03

Posted by Chris on May 29

Issue: Local Privilege Escalation
CVE: CVE-2018-19999
Security researcher: Chris Moberly @ The Missing Link Security
Product name: Serv-U FTP Server
Product version: Tested on 15.1.6.25 (current as of Dec 2018)
Fixed in: 15.1.7

# Overview
The Serv-U FTP Server is vulnerable to authentication bypass leading to
privilege escalation in Windows operating environments due to broken...

[SYSS-2019-014]: Siemens LOGO! 8 - Storing Passwords in a Recoverable Format (CWE-257)

Full Disclosure - 29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2019-014
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-013]: Siemens LOGO! 8 - Missing Authentication for Critical Function (CWE-306)

Full Disclosure - 29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2020-013
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-012]: Siemens LOGO! 8 - Use of Hard-coded Cryptographic Key (CWE-321)

Full Disclosure - 29 May, 2019 - 20:54

Posted by Matthias Deeg on May 29

Advisory ID: SYSS-2019-012
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

CA20190523-01: Security Notice for CA Risk Authentication and CA Strong Authentication

Full Disclosure - 29 May, 2019 - 20:54

Posted by Kevin Kotas via Fulldisclosure on May 29

CA20190523-01: Security Notice for CA Risk Authentication and CA
Strong Authentication

Issued: May 23, 2019
Last Updated: May 23, 2019

The Support team for CA Technologies, A Broadcom Company, is alerting
customers to multiple potential risks with CA Risk Authentication and
CA Strong Authentication. Multiple vulnerabilities exist that can
allow a remote attacker to gain additional access in certain
configurations or possibly gain sensitive...

Cross-site Scripting Vulnerabilities in VFront 0.99.5

Full Disclosure - 29 May, 2019 - 20:49

Posted by Daniel Bishtawi on May 29

Hello,

We are informing you about the vulnerabilities we reported in VFront 0.99.5.

Here are the details:

Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting in VFront 0.99.5
Affected Software: VFront
Affected Versions: 0.99.5
Homepage: http://www.vfront.org/
Vulnerability: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVE-ID: CVE-2019-9839
CVSS Score (3.0): 7.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N...

Reflected Cross-site Scripting Vulnerability in Kanboard 1.2.7

Full Disclosure - 29 May, 2019 - 20:48

Posted by Daniel Bishtawi on May 29

Hello,

We are informing you about the vulnerabilities we reported in Kanboard
1.2.7.

Here are the details:

Advisory by Netsparker
Name: Reflected Cross-site Scripting in Kanboard
Affected Software: Kanboard
Affected Versions: 1.2.7
Homepage: https://kanboard.org/
Vulnerability: Reflected Cross-site Scripting
Severity: Medium
Status: Fixed
CVE-ID: CVE-2019-7324
CVSS Score (3.0): VA:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Netsparker Advisory Reference:...

[SYSS-2019-014]: Siemens LOGO! 8 - Storing Passwords in a Recoverable Format (CWE-257)

Bug Traq - 29 May, 2019 - 02:34

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-014
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Storing Passwords in a Recoverable Format (CWE-257)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-013]: Siemens LOGO! 8 - Missing Authentication for Critical Function (CWE-306)

Bug Traq - 29 May, 2019 - 02:30

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-013
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

[SYSS-2019-012]: Siemens LOGO! 8 - Use of Hard-coded Cryptographic Key (CWE-321)

Bug Traq - 29 May, 2019 - 02:27

Posted by matthias . deeg on May 29

Advisory ID: SYSS-2019-012
Product: LOGO!
Manufacturer: Siemens
Affected Version(s): LOGO! 8 (all versions)
Tested Version(s): LOGO! 8, 6ED1052-2MD00-0BA8 FS:03, 0BA8.Standard V1.08.03
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-04-04
Solution Date: 2019-05-14 (recommended mitigation by manufacturer)
Public Disclosure: 2019-05-29
CVE Reference:...

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

Bug Traq - 28 May, 2019 - 23:41

Posted by Apple Product Security on May 28

APPLE-SA-2019-5-28-1 iTunes for Windows 12.9.5

iTunes for Windows 12.9.5 is now available and addresses the
following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead...

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

Bug Traq - 28 May, 2019 - 23:38

Posted by Apple Product Security on May 28

APPLE-SA-2019-5-28-2 iCloud for Windows 7.12

iCloud for Windows 7.12 is now available and addresses the following:

SQLite
Available for: Windows 7 and later
Impact: An application may be able to gain elevated privileges
Description: An input validation issue was addressed with improved
memory handling.
CVE-2019-8577: Omer Gull of Checkpoint Research

SQLite
Available for: Windows 7 and later
Impact: A maliciously crafted SQL query may lead to...

Vuln: Oracle VM VirtualBox Mulltiple Local Security Vulnerabilities

Security Focus Vulnerabilities - 28 May, 2019 - 23:00
Oracle VM VirtualBox Mulltiple Local Security Vulnerabilities

Vuln: Emerson Ovation OCR400 Controller Stack Buffer Overflow and Heap Buffer Overflow Vulnerabilities

Security Focus Vulnerabilities - 27 May, 2019 - 23:00
Emerson Ovation OCR400 Controller Stack Buffer Overflow and Heap Buffer Overflow Vulnerabilities

Vuln: WebKit Information Disclosure and Multiple Memory Corruption Vulnerabilities

Security Focus Vulnerabilities - 27 May, 2019 - 23:00
WebKit Information Disclosure and Multiple Memory Corruption Vulnerabilities

Vuln: WAGO Series 750-88x and 750-87x ICSA-19-106-02 Remote Security Vulnerability

Security Focus Vulnerabilities - 27 May, 2019 - 23:00
WAGO Series 750-88x and 750-87x ICSA-19-106-02 Remote Security Vulnerability
Syndicate content