Monthly Archive: March 2014

Luci in Red Hat Conga does not properly enforce the user session timeout, which might allow attackers to gain access to the session by reading the __ac session cookie. NOTE: this issue has been...

Cross-site scripting (XSS) vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344. Date...

The saltProfileName function in base/GeckoProfileDirectories.java in Mozilla Firefox through 28.0.1 on Android relies on Android’s weak approach to seeding the Math.random function, which makes it easier for attackers to bypass a profile-randomization protection mechanism...

Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value...

Unspecified vulnerability in HP StoreOnce Virtual Storage Appliance (VSA) before 3.7.2, StoreOnce 26xx and 4210 iSCSI Backup System before 3.9.0, StoreOnce 4210 FC Backup System before 3.9.0, and StoreOnce 4xxx Backup System before 3.9.0...

Cross-site scripting (XSS) vulnerability in invite.php in the WP Symposium plugin before 13.04 for WordPress allows remote attackers to inject arbitrary web script or HTML via the u parameter. Date published : 2014-03-28 http://osvdb.org/92275...

Open redirect vulnerability in invite.php in the WP Symposium plugin 13.04 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the u parameter....

Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action...

Multiple cross-site scripting (XSS) vulnerabilities in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) search_words parameter in a search action to...

Multiple stack-based buffer overflows in ModbusDrv.exe in Schneider Electric Modbus Serial Driver 1.10 through 3.2 allow remote attackers to execute arbitrary code via a large buffer-size value in a Modbus Application Header. Date published...

Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1)...

Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via the count parameter to /_uuids. Date published : 2014-03-28 http://www.securityfocus.com/bid/66474 http://www.exploit-db.com/exploits/32519

The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service...

The web management interface in Siemens RuggedCom ROS before 3.11, ROS 3.11 before 3.11.5 for RS950G, ROS 3.12, and ROS 4.0 for RSG2488 allows remote attackers to cause a denial of service (interface outage)...