Security News

[KIS-2018-07] SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability

Bug Traq - 1 January, 2019 - 00:13

Posted by Egidio Romano on Dec 31

------------------------------------------------------------------
SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through the "trigger_event" parameter is not properly sanitized...

[KIS-2018-03] SugarCRM (portal_get_related_notes) SQL Injection Vulnerability

Bug Traq - 1 January, 2019 - 00:09

Posted by Egidio Romano on Dec 31

---------------------------------------------------------------
SugarCRM (portal_get_related_notes) SQL Injection Vulnerability
---------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.4.0 and 7.11.0.0.

[-] Vulnerability Description:

The vulnerability is located within the SOAP API, specifically in the
"portal_get_related_notes()"...

[KIS-2018-02] SugarCRM (WorkFlow module) PHP Code Injection Vulnerability

Bug Traq - 1 January, 2019 - 00:04

Posted by Egidio Romano on Dec 31

-----------------------------------------------------------
SugarCRM (WorkFlow module) PHP Code Injection Vulnerability
-----------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.4.0 and 7.11.0.0.

[-] Vulnerability Description:

User input passed through the $_POST['base_module'] parameter to the "Save" action
of the WorkFlow...

[KIS-2018-05] SugarCRM (SaveDropDown) PHP Code Injection Vulnerability

Bug Traq - 1 January, 2019 - 00:03

Posted by Egidio Romano on Dec 31

--------------------------------------------------------
SugarCRM (SaveDropDown) PHP Code Injection Vulnerability
--------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through key values of the 'list_value' JSON parameter is not properly
sanitized before being used...

Vuln: F5 BIG-IP APM CVE-2018-15334 Cross Site Request Forgery Vulnerability

Security Focus Vulnerabilities - 1 January, 2019 - 00:00
F5 BIG-IP APM CVE-2018-15334 Cross Site Request Forgery Vulnerability

Vuln: Node.js Multiple Denial of Service Vulnerabilities

Security Focus Vulnerabilities - 1 January, 2019 - 00:00
Node.js Multiple Denial of Service Vulnerabilities

[KIS-2018-01] Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability

Bug Traq - 31 December, 2018 - 23:55

Posted by Egidio Romano on Dec 31

------------------------------------------------------------------------------------
Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability
------------------------------------------------------------------------------------

[-] Software Link:

https://apex.oracle.com/

[-] Affected Versions:

All versions prior to 5.1.4.00.08.

[-] Vulnerability Description:

The vulnerability is located in the OracleAnyChart.swf...

Asserts considered harmful (or GMP spills its sensitive information)

Bug Traq - 31 December, 2018 - 23:53

Posted by Jeffrey Walton on Dec 31

The GMP library uses asserts to crash a program at runtime when
presented with data it did not anticipate. The library also ignores
user requests to remove asserts using Posix's -DNDEBUG. Asserts are a
debugging aid intended for development, and using them in production
software ranges from questionable to insecure.

Many programs and libraries can safely use assert to crash a program
at runtime. However, the prerequisite is, the program...
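The three precondition-checking styles the post contrasts, side by side, as an added C example; this is not code from the post, from GMP, or from any real library. LIB_ASSERT is a hypothetical library-private macro written here to mimic the behaviour the post attributes to GMP (an assert that stays compiled in regardless of NDEBUG); the 8-byte buffer and the "0123456789" input are constructed test data. copy_checked() is the alternative the post argues for: treat unexpected input as an error the caller handles instead of a reason to abort.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical library-private assert (NOT GMP's real macro) that ignores
 * NDEBUG: it is always compiled in, so an unexpected input aborts the
 * hosting process in production builds as well as in development. */
#define LIB_ASSERT(cond)                                              \
    do {                                                              \
        if (!(cond)) {                                                \
            fprintf(stderr, "%s:%d: assertion `%s' failed\n",         \
                    __FILE__, __LINE__, #cond);                       \
            abort();                                                  \
        }                                                             \
    } while (0)

/* Style 1: precondition enforced with the standard assert(). Built with
 * -DNDEBUG the check is removed entirely, so a hostile length n is no
 * longer caught and memcpy() runs past dst. */
size_t copy_with_assert(char *dst, size_t dst_len, const char *src, size_t n)
{
    assert(n < dst_len);          /* vanishes under NDEBUG: unchecked copy */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Style 2: precondition enforced with the always-on assert. The check
 * survives NDEBUG, but anyone who controls n gets a guaranteed abort of
 * whatever process linked the library (a denial of service). */
size_t copy_with_lib_assert(char *dst, size_t dst_len, const char *src, size_t n)
{
    LIB_ASSERT(n < dst_len);      /* always compiled in: crash, not bypass */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Style 3: validate and report. Bad input is a runtime condition the
 * caller can handle; nothing is compiled out and nothing aborts.
 * Returns 0 on success or an errno value describing the rejection. */
int copy_checked(char *dst, size_t dst_len, const char *src, size_t n)
{
    if (dst == NULL || src == NULL)
        return EINVAL;
    if (dst_len == 0 || n >= dst_len)
        return ERANGE;            /* room is needed for the terminator */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* 1 if assert() is live in this build, 0 if NDEBUG compiled it out. */
int standard_assert_is_live(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Demonstration helper: run copy_checked() on a fixed 8-byte buffer with
 * the constructed input and return its status code. */
int demo_copy_checked(size_t n)
{
    static char buf[8];
    return copy_checked(buf, sizeof buf, "0123456789", n);
}

int main(void)
{
    printf("assert() live in this build: %d\n", standard_assert_is_live());
    printf("copy_checked(n=4):  rc=%d (0 = ok)\n", demo_copy_checked(4));
    printf("copy_checked(n=10): rc=%d (ERANGE=%d)\n", demo_copy_checked(10), ERANGE);
    /* copy_with_lib_assert(buf, 8, input, 10) would abort the process here,
     * and copy_with_assert() would overflow buf under NDEBUG, so neither
     * is called with the oversized input. */
    return 0;
}
```

Build the file twice, once plain and once with -DNDEBUG, to see style 1 lose its check while styles 2 and 3 keep theirs; only style 3 keeps the check without handing a remote caller a way to kill the process.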

[security bulletin] MFSBGN03838 rev.1 - UCMDB Configuration Management Service, Multiple Vulnerabilities

Bug Traq - 31 December, 2018 - 23:49

Posted by security-alert on Dec 31

Note: the current version of the following document is available here:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03309650

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03309650
Version: 1

MFSBGN03838 rev.1 - UCMDB Configuration Management Service, Multiple
Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-12-31
Last...

[KIS-2018-08] SugarCRM (Web Logic Hooks module) Path Traversal Vulnerability

Full Disclosure - 31 December, 2018 - 13:48

Posted by Egidio Romano on Dec 31

--------------------------------------------------------------
SugarCRM (Web Logic Hooks module) Path Traversal Vulnerability
--------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through the "webhook_target_module" parameter is not properly sanitized
before...

[KIS-2018-07] SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability

Full Disclosure - 31 December, 2018 - 13:48

Posted by Egidio Romano on Dec 31

------------------------------------------------------------------
SugarCRM (Web Logic Hooks module) PHP Code Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through the "trigger_event" parameter is not properly sanitized...

[KIS-2018-06] SugarCRM (addLabels) PHP Code Injection Vulnerability

Full Disclosure - 31 December, 2018 - 13:47

Posted by Egidio Romano on Dec 31

-----------------------------------------------------
SugarCRM (addLabels) PHP Code Injection Vulnerability
-----------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through key values of the 'labels_' parameters is not properly sanitized
before being used to save PHP code...

[KIS-2018-05] SugarCRM (SaveDropDown) PHP Code Injection Vulnerability

Full Disclosure - 31 December, 2018 - 13:47

Posted by Egidio Romano on Dec 31

--------------------------------------------------------
SugarCRM (SaveDropDown) PHP Code Injection Vulnerability
--------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.5.0, 8.0.2, and 8.2.0.

[-] Vulnerability Description:

User input passed through key values of the 'list_value' JSON parameter is not properly
sanitized before being used...

[KIS-2018-04] SugarCRM (ConnectorsController) Server-Side Request Forgery Vulnerability

Full Disclosure - 31 December, 2018 - 13:46

Posted by Egidio Romano on Dec 31

-------------------------------------------------------------------------
SugarCRM (ConnectorsController) Server-Side Request Forgery Vulnerability
-------------------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.4.0 and 7.11.0.0.

[-] Vulnerability Description:

The vulnerability is located within the...

[KIS-2018-03] SugarCRM (portal_get_related_notes) SQL Injection Vulnerability

Full Disclosure - 31 December, 2018 - 13:45

Posted by Egidio Romano on Dec 31

---------------------------------------------------------------
SugarCRM (portal_get_related_notes) SQL Injection Vulnerability
---------------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.4.0 and 7.11.0.0.

[-] Vulnerability Description:

The vulnerability is located within the SOAP API, specifically in the
"portal_get_related_notes()"...

[KIS-2018-02] SugarCRM (WorkFlow module) PHP Code Injection Vulnerability

Full Disclosure - 31 December, 2018 - 13:45

Posted by Egidio Romano on Dec 31

-----------------------------------------------------------
SugarCRM (WorkFlow module) PHP Code Injection Vulnerability
-----------------------------------------------------------

[-] Software Link:

http://www.sugarcrm.com

[-] Affected Versions:

All versions prior to 7.9.4.0 and 7.11.0.0.

[-] Vulnerability Description:

User input passed through the $_POST['base_module'] parameter to the "Save" action
of the WorkFlow...

[KIS-2018-01] Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability

Full Disclosure - 31 December, 2018 - 13:44

Posted by Egidio Romano on Dec 31

------------------------------------------------------------------------------------
Oracle Application Express (AnyChart) Flash-based Cross-Site Scripting Vulnerability
------------------------------------------------------------------------------------

[-] Software Link:

https://apex.oracle.com/

[-] Affected Versions:

All versions prior to 5.1.4.00.08.

[-] Vulnerability Description:

The vulnerability is located in the OracleAnyChart.swf...

Vuln: HP UCMDB Configuration Manager CVE-2018-18593 Multiple Security Vulnerabilities

Security Focus Vulnerabilities - 31 December, 2018 - 00:00
HP UCMDB Configuration Manager CVE-2018-18593 Multiple Security Vulnerabilities

Vuln: JasPer 'base/jas_malloc.c' Memory Leak Information Disclosure Vulnerability

Security Focus Vulnerabilities - 31 December, 2018 - 00:00
JasPer 'base/jas_malloc.c' Memory Leak Information Disclosure Vulnerability

Vuln: GNU Binutils CVE-2018-20623 Heap Based Buffer Overflow Vulnerability

Security Focus Vulnerabilities - 31 December, 2018 - 00:00
GNU Binutils CVE-2018-20623 Heap Based Buffer Overflow Vulnerability