======================= = End-of-Shift report = =======================
Timeframe: Freitag 14-06-2013 18:00 − Montag 17-06-2013 18:00 Handler: Robert Waldner Co-Handler: n/a
*** [webapps] - LibrettoCMS 2.2.2 - Arbitrary File Upload *** --------------------------------------------- LibrettoCMS is provided a file upload function to unauthenticated users. Allows for write/read/edit/delete download arbitrary file uploaded , which results attacker might arbitrary write/read/edit/delete files and folders. --------------------------------------------- http://www.exploit-db.com/exploits/26213
*** Adobe Flash exploit grabs video and audio, long after “fix” *** --------------------------------------------- Demonstration code shows a new trick defeats Flash privacy fix. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/72PWd3AAReE/
*** Microsoft Sharepoint (Cloud) Persistent Script Insertion *** --------------------------------------------- Topic: Microsoft Sharepoint (Cloud) Persistent Script Insertion Risk: Low Text:Title: Microsoft SharePoint (Cloud) - Persistent Exception-Handling Web Vulnerability Date: == 2013-06-14 Re... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060124
*** Avira AntiVir Engine Denial Of Service / Filter Evasion *** --------------------------------------------- Topic: Avira AntiVir Engine Denial Of Service / Filter Evasion Risk: Medium Text: LSE Leading Security Experts GmbH - Security Advisory 2013-06-13 Avira AntiVir Engine -- Denial of Service / Filtering E... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060123
*** Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection *** --------------------------------------------- Topic: Siemens OpenScape Branch / Session Border Controller XSS / Disclosure / Injection Risk: Medium Text:SEC Consult Vulnerability Lab Security Advisory == title: Multiple vulner... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060121
*** Firefox und Twitter schützen vor eingeschleusten Skripten *** --------------------------------------------- "Du kommst hier nicht rein" heißt es für Schadcode, wenn man als Webseiten-Betreiber den HTTP-Header "Content Security Policy" benutzt. Google, Mozilla und Twitter gehen mit gutem Beispiel voran. --------------------------------------------- http://www.heise.de/newsticker/meldung/Firefox-und-Twitter-schuetzen-vor-ein...
*** Security Bulletin: WebSphere Commerce vulnerability could allow disclosure of user personal data (CVE-2013-0523) *** --------------------------------------------- Some WebSphere Commerce data may be encrypted using an encryption algorithm that is susceptible to a padding oracle attack which may allow for the disclosure of user personal data. CVE(s): ... --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_webs...
*** Joomla com_extplorer Components shell upload Vulnerability *** --------------------------------------------- Topic: Joomla com_extplorer Components shell upload Vulnerability Risk: Medium Text: # ISlamic Republic Of Iran Security Team # Www.IrIsT.Ir ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060127
*** Microsoft Outlook Vulnerability S/MIME Loss of Integrity *** --------------------------------------------- Topic: Microsoft Outlook Vulnerability S/MIME Loss of Integrity Risk: Medium Text:** Attention script bunnies: This is not an RCE, XSS, etc. Please move along :) ** Microsoft Outlook (all versions) suffers ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060129
*** Mozilla Firefox and Microsoft Internet Explorer DoS vulnerability *** --------------------------------------------- Topic: Mozilla Firefox and Microsoft Internet Explorer DoS vulnerability Risk: Medium Text:I want to warn you about Denial of Service vulnerability in Mozilla Firefox and Microsoft Internet Explorer. Earlier Jean ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2013060128
*** Vulnerability Disclosure – Open or Private? *** --------------------------------------------- At the end of May, two Google security engineers announced Mountain View’s new policy regarding zero-day bugs and disclosure. They strongly suggested that information about zero-day exploits currently in the wild should be released no more than seven days after the vendor has been notified. Ideally, the notification or patch should come from the vendor, [...]Post from: Trendlabs Security Intelligence Blog - by Trend MicroVulnerability Disclosure – Open or Private? --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1qT_zYH1FxU/
*** Oracle Java pre-announcement: Upcoming JRE patch will plug 37 remotely exploitable holes. --------------------------------------------- See http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.htm..., (Mon, Jun 17th) --------------------------------------------- http://isc.sans.edu/diary.html?storyid=16013&rss
*** Fortinet FortiOS (FortiGate) Guest User Permission Security Bypass Security Issue *** --------------------------------------------- Fortinet FortiOS (FortiGate) Guest User Permission Security Bypass Security Issue --------------------------------------------- https://secunia.com/advisories/53875
*** Debian Security Advisory for fail2ban *** --------------------------------------------- When using Fail2ban to monitor Apache logs, improper input validation in log parsing could enable a remote attacker to trigger an IP ban on arbitrary addresses, thus causing a denial of service. --------------------------------------------- http://www.debian.org/security/2013/dsa-2708