Monthly Archive: November 2013

Cross-site scripting (XSS) vulnerability in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allows remote attackers to inject arbitrary web script or HTML via the Location field. NOTE: the provenance of this information is...

Multiple cross-site scripting (XSS) vulnerabilities in the Calendar module in Olat 7.8.0.1 (b20130821 N1) allow remote attackers to inject arbitrary web script or HTML via the (1) event name or (2) date field. Date...

Directory traversal vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to read or delete arbitrary files via unspecified vectors. Date published : 2013-11-14 http://www.securityfocus.com/bid/63647 http://archives.neohapsis.com/archives/bugtraq/2013-11/0043.html

Cross-site scripting (XSS) vulnerability in Zikula Application Framework before 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the returnpage parameter to index.php. Date published : 2013-11-14 http://www.securityfocus.com/bid/63186 http://archives.neohapsis.com/archives/bugtraq/2013-11/0057.html

SQL injection vulnerability in view/objectDetail.php in Project’Or RIA 3.4.0 allows remote attackers to execute arbitrary SQL commands via the objectId parameter. Date published : 2013-11-14 http://www.securityfocus.com/bid/63538 http://archives.neohapsis.com/archives/bugtraq/2013-11/0020.html

Multiple cross-site scripting (XSS) vulnerabilities in ProjeQtOr (formerly Project’Or RIA) before 4.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to view/parameter.php, (2) p1value parameter to view/main.php,...

SQL injection vulnerability in appRain CMF 3.0.2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to blog-by-cat/. Date published : 2013-11-14 http://www.securityfocus.com/bid/62937 http://archives.neohapsis.com/archives/bugtraq/2013-11/0026.html

Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter. Date published : 2013-11-13...

The firmware on Cisco Unified IP phones 8961, 9951, and 9971 uses weak permissions for memory block devices, which allows local users to gain privileges by mounting a device with a setuid file in...

The web framework on Cisco Wireless LAN Controller (WLC) devices does not properly validate configuration parameters, which allows remote authenticated users to cause a denial of service via a crafted HTTP request, aka Bug...

The IPv6 implementation in Cisco NX-OS does not properly handle neighbor-table adjacencies, which allows remote attackers to cause a denial of service (NS processing outage) via a series of malformed packets, aka Bug ID...

The phone-proxy implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier does not properly validate X.509 certificates, which allows remote attackers to cause a denial of service (connection-database corruption) via an invalid...

net/socket/ssl_client_socket_nss.cc in the TLS implementation in Google Chrome before 31.0.1650.48 does not ensure that a server’s X.509 certificate is the same during renegotiation as it was before renegotiation, which might allow remote web servers...

net/http/http_stream_parser.cc in Google Chrome before 31.0.1650.48 does not properly process HTTP Informational (aka 1xx) status codes, which allows remote web servers to cause a denial of service (out-of-bounds read) via a crafted response. Date...