Monthly Archive: January 2015

QPR Portal before 2012.2.1 allows remote attackers to modify or delete notes via a direct request. Date published : 2015-01-31 http://www.kb.cert.org/vuls/id/546340

Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter. Date published : 2015-01-31 http://www.kb.cert.org/vuls/id/546340

Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) body field. Date...

Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action. Date published : 2015-01-31...

The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an...

VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly...

Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file. Date published : 2015-01-31 http://www.kb.cert.org/vuls/id/637068

Cross-site scripting (XSS) vulnerability in hb.cgi in Nishishi Factory Fumy News Clipper 2.x before 2.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2015-01-31 http://jvn.jp/en/jp/JVN33735535/995592/index.html http://www.nishishi.com/cgi/newsclip/20150130.html

CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows, and 10.x through 10.1.13 and 11.x through 11.0.10 on OS X, allows remote attackers to cause a denial of...

The iTunes Store component in Apple iOS before 8.1.3 allows remote attackers to bypass a Safari sandbox protection mechanism by leveraging redirection of an SSL URL to the iTunes Store. Date published : 2015-01-30...

Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load remote content in messages" configuration, which allows remote attackers to discover recipient IP addresses by including an inline image in an...

The Security component in Apple OS X before 10.10.2 does not properly process cached information about app certificates, which allows attackers to bypass the Gatekeeper protection mechanism by leveraging access to a revoked Developer...

Multiple unspecified vulnerabilities in the Bluetooth driver in Apple OS X before 10.10.2 allow attackers to execute arbitrary code in a privileged context via a crafted app. Date published : 2015-01-30 http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html http://support.apple.com/HT204244

The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted app....