Security News

Google Chromecast Auth Bypass/RCE

Full Disclosure - 25 August, 2020 - 12:11

Posted by Benjamin Floyd on Aug 25

Problem: Most modern Google-based smart devices run some form of
Chromecast (and a version of the Chrome browser to play content). All of
their Chromecast devices, Google Home, Nest, and basically any Google smart
device, as well as Android TVs with Chromecast built in run Chrome. In
Google's Cast Developer Console, you can add arbitrary Chromecast devices
for development purposes via serial number (which is on the outside of
device...

CVE-2020-24548 / Ericom Access Server for (AccessNow & Ericom Blaze) v9.2.0 / Server Side Request Forgery

Full Disclosure - 25 August, 2020 - 12:11

Posted by hyp3rlinx on Aug 25

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ERICOM-ACCESS-SERVER-ACCESS-NOW-BLAZE-9.2.0-SERVER-SIDE-REQUEST-FORGERY.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.ericom.com

[Product]
Ericom Access Server x64 for (AccessNow & Ericom Blaze) v9.2.0

AccessNow is an HTML5 remote desktop gateway that works from any device
with an HTML5...

Open-Xchange Security Advisory 2020-08-20

Full Disclosure - 21 August, 2020 - 12:07

Posted by Open-Xchange GmbH via Fulldisclosure on Aug 21

Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those
vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite / OX Documents
Vendor: OX Software GmbH

Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting...

Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure

Full Disclosure - 21 August, 2020 - 12:07

Posted by Jack Misiura via Fulldisclosure on Aug 21

Title: Payment bypass

Product: WordPress NAB Transact WooCommerce Plugin

Vendor Homepage: https://woocommerce.com/products/nab-transact-direct-post/

Vulnerable Version: 2.1.0

Fixed Version: 2.1.2

CVE Number: CVE-2020-11497

Author: Jack Misiura from The Missing Link

Website: https://www.themissinglink.com.au

Timeline:

2020-03-27 Disclosed to Vendor

2020-03-29 Vendor publishes first fix

2020-04-04 Vendor publishes second fix

2020-08-17...

New Release: UFONet v1.6 - "M4RAuD3R!"...

Full Disclosure - 18 August, 2020 - 01:09

Posted by psy on Aug 17

Hi Community,

I am glad to present a new release of this tool:

- https://ufonet.03c8.net

"UFONet is a free software, P2P and cryptographic -disruptive toolkit-
that allows to perform DoS and DDoS attacks; on the Layer 7 (APP/HTTP)
through the exploitation of Open Redirect vectors on third-party
websites to act as a botnet and on the Layer3 (Network) abusing the
protocol."

See these links for more info:

- UFONet schema (WebAbuse...

Two vulnerabilities found in MikroTik's RouterOS

Full Disclosure - 14 August, 2020 - 13:10

Posted by Q C on Aug 14

Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen(@cq674350529) of Qihoo 360 Nirvan Team

Product Description
==================

RouterOS is the operating system used on MikroTik's devices, such as
switches, routers and access points.

Description of vulnerabilities...

R2 Browser Hacking Class Review

Daily Dave - 13 August, 2020 - 13:58

Posted by Dave Aitel via Dailydave on Aug 13

Sometimes we review books on this list, but I spent last week, for seven
days in a row, taking the R2-RingZer0-Amy-Burnett Browser Hacking
<https://ringzer0.training/advanced-browser-exploitation.html> class. But
before I do, I want to point out that 36 Minutes into this video (
https://vimeo.com/442583799) I ask Marco Ivaldi about what it's like to
switch from management back into the technical field. "It's hard, but...

Avian JVM vm::arrayCopy() silent return on negative length

Full Disclosure - 11 August, 2020 - 14:55

Posted by Pietro Oliva via Fulldisclosure on Aug 11

Vulnerability title: Avian JVM vm::arrayCopy() silent return on negative length
Author: Pietro Oliva
CVE: CVE-2020-17361
Vendor: ReadyTalk
Product: Avian JVM
Affected version: 1.2.0

Description:
The issue is located in the vm::arrayCopy method defined in classpath-common.h,
where multiple boundary checks are performed to prevent out-of-bounds memory
read/write. One of these boundary checks makes the code return silently when a
negative length...

Avian JVM vm::arrayCopy() Multiple Integer Overflows

Full Disclosure - 11 August, 2020 - 14:55

Posted by Pietro Oliva via Fulldisclosure on Aug 11

Vulnerability title: Avian JVM vm::arrayCopy() Multiple Integer Overflows
Author: Pietro Oliva
CVE: CVE-2020-17360
Vendor: ReadyTalk
Product: Avian JVM
Affected version: 1.2.0

Description:
The issue is located in the vm::arrayCopy method defined in classpath-common.h,
where multiple boundary checks are performed to prevent out-of-bounds memory
read/write. Two of those boundary checks contain an integer overflow which leads
to those same checks...

SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability

Full Disclosure - 11 August, 2020 - 14:55

Posted by Egidio Romano on Aug 11

SugarCRM < 10.1.0 (Reports Export) SQL Injection Vulnerability

*• Software Link:*

https://www.sugarcrm.com

*• Affected Versions:*

All versions prior to 10.1.0 (Q3 2020).

*• Vulnerability Description:*

User input passed through the encoded “current_post” parameter to
‘index.php’ (when “entryPoint” is set to “export” and “module” is set to
“Reports”) is not properly sanitized before being used to construct a...

SugarCRM < 10.1.0 Multiple Reflected Cross-Site Scripting Vulnerabilities

Full Disclosure - 11 August, 2020 - 14:55

Posted by Egidio Romano on Aug 11

SugarCRM < 10.1.0 Multiple Reflected Cross-Site Scripting Vulnerabilities

*• Software Link:*

https://www.sugarcrm.com/

*• Affected Versions:*

All versions prior to 10.1.0 (Q3 2020).

*• Vulnerabilities Description:*

1) User input passed through the “do” parameter when action is set to
“metadata” is not properly sanitized before being used to generate HTML
output. This can be exploited by malicious users to carry out...

Re: [FD] ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

Full Disclosure - 11 August, 2020 - 14:55

Posted by Bhdresh on Aug 11

Hello,

Please find the below updated vulnerability details,

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Exploit Title: ManageEngine ADSelfService Plus – Unauthenticated Remote
Code Execution Vulnerability
# Date: 08/08/2020
# Exploit Author: Bhadresh Patel
# Version: < ADSelfService Plus build 6003
# CVE :...

Remote Code Execution 0day in vBulletin 5.x

Full Disclosure - 11 August, 2020 - 14:55

Posted by Zenofex via Fulldisclosure on Aug 11

vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code execution
vulnerability caused by incomplete patching of the previous
"CVE-2019-16759" RCE. This logic bug allows for a single pre-auth request
to execute PHP code on a target vBulletin forum.

More info can be found at:
https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

Exploits below.

Thank you,
Zenofex

BASH Exploit:

#!/bin/bash
#
# vBulletin...

Dino-VSS

Daily Dave - 10 August, 2020 - 18:41

Posted by Dave Aitel via Dailydave on Aug 10

Bistahieversor or MS08-067?

If you had to list out the problems with CVSS it would be like analyzing
the anatomical issues of a children's drawing. No part of it fits together
properly. Here's a problem: Scoring of threats is not one dimensional, and
numbers can't carry the whole story. We need a vulnerability scoring system
that's extensible, and programmable.

But I have an alternative: Take each...

ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

Full Disclosure - 8 August, 2020 - 00:30

Posted by Bhdresh on Aug 07

Hello,

Please find the below vulnerability details,

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# Exploit Title: ManageEngine ADSelfService Plus – Unauthenticated Remote
Code Execution Vulnerability
# Date: 08/08/2020
# Exploit Author: Bhadresh Patel
# Version: < ADSelfService Plus build 6003
# CVE :...

SEC Consult SA-20200807-0 :: Multiple Vulnerabilities in flatCore CMS

Full Disclosure - 7 August, 2020 - 15:43

Posted by SEC Consult Vulnerability Lab on Aug 07

SEC Consult Vulnerability Lab Security Advisory < 20200807-0 >
=======================================================================
title: Multiple Vulnerabilities
product: flatCore CMS
vulnerable version: <=1.5.5
fixed version: 1.5.7
CVE number: -
impact: High
homepage: https://flatcore.org/
found: 2020-03-28
by: Farhan Rahman (Office...

October CMS <= Build 465 Multiple Vulnerabilities - Arbitrary File Read

Full Disclosure - 4 August, 2020 - 04:41

Posted by Sivanesh Ashok on Aug 04

##########################################################################
# October CMS <= Build 465 Multiple Vulnerabilities #
##########################################################################

Author - Sivanesh Ashok | @sivaneshashok | stazot.com

Date : 2020-03-31
Vendor : https://octobercms.com/
Version : <= Build 465
Tested on : Build 465
CVE : CVE-2020-5295, CVE-2020-5296,...

[SYSS-2020-030]: Jira module "Gantt-Chart for Jira" - Cross-Site Scripting (CWE-79)(CVE-2020-15944)

Full Disclosure - 4 August, 2020 - 04:41

Posted by Sebastian Auwärter on Aug 04

Advisory ID: SYSS-2020-030
Product: Jira module "Gantt-Chart for Jira"
Manufacturer: Frank Polscheit - Solutions & IT-Consulting
Affected Version(s): <=5.5.4
Tested Version(s): 5.5.3, 5.5.4
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-23
Solution Date: 2020-07-31
Public Disclosure: 2020-08-03
CVE Reference: CVE-2020-15944
Author of Advisory:...

[SYSS-2020-029]: Jira module "Gantt-Chart for Jira" - Improper Privilege Management (CWE-269)(CVE-2020-15943)

Full Disclosure - 4 August, 2020 - 04:41

Posted by Sebastian Auwärter on Aug 04

Advisory ID: SYSS-2020-029
Product: Jira module "Gantt-Chart for Jira"
Manufacturer: Frank Polscheit - Solutions & IT-Consulting
Affected Version(s): <=5.5.3
Tested Version(s): 5.5.3
Vulnerability Type: Improper Privilege Management (CWE-269)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2020-07-23
Solution Date: 2020-07-30
Public Disclosure: 2020-08-03
CVE Reference: CVE-2020-15943
Author of Advisory:...

[SYSS-2020-015]: ABUS Secvest Hybrid module (FUMO50110) - Authentication Bypass Using an Alternate Path or Channel (CWE-288) (CVE-2020-14158)

Full Disclosure - 30 July, 2020 - 12:10

Posted by Matthias Deeg on Jul 30

Advisory ID: SYSS-2020-015
Product: ABUS Secvest Hybrid module (FUMO50110)
Manufacturer: ABUS
Affected Version(s): N/A
Tested Version(s): N/A
Vulnerability Type: Authentication Bypass Using an Alternate Path or
Channel (CWE-288)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-04-03
Solution Date: -
Public Disclosure: 2020-07-30
CVE Reference: CVE-2020-14158
Authors of Advisory: Michael Rüttgers, Thomas...