CVE-2015-1475
Multiple cross-site scripting (XSS) vulnerabilities in my little forum 2.3.3, 2.2, and 1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) page or (2) category parameter to forum.php or...
Multiple cross-site scripting (XSS) vulnerabilities in Asus RT-N10+ D1 router with firmware 2.1.1.1.70 allow remote attackers to inject arbitrary web script or HTML via the flag parameter to (1) result_of_get_changed_status.asp or (2) error_page.htm. Date...
The bdisk.sys driver in COMODO Backup before 4.4.1.23 allows remote attackers to gain privileges via a crafted device handle, which triggers a NULL pointer dereference. Date published : 2015-02-03 http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html http://www.exploit-db.com/exploits/35905
Directory traversal vulnerability in install.php in FluxBB before 1.5.8 allows remote attackers to include and execute arbitrary local install.php files via a .. (dot dot) in the install_lang parameter. Date published : 2015-02-03 https://fluxbb.org/forums/viewtopic.php?id=8203...
puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter. Date published : 2015-02-03 http://puppetlabs.com/security/cve/cve-2014-9568
Cross-site scripting (XSS) vulnerability in SnipSnap 0.5.2a, 1.0b1, and 1.0b2 allows remote attackers to inject arbitrary web script or HTML via the query parameter to /snipsnap-search. Date published : 2015-02-03 http://seclists.org/fulldisclosure/2015/Feb/1 http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/
Integer overflow in the qtmd_decompress function in libmspack 0.4 allows remote attackers to cause a denial of service (hang) via a crafted CAB file, which triggers an infinite loop. Date published : 2015-02-03 http://advisories.mageia.org/MGASA-2015-0052.html...
ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition." Date published : 2015-02-03 http://www.securityfocus.com/bid/72372 http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html
Pexip Infinity before 8 uses the same SSH host keys across different customers’ installations, which allows man-in-the-middle attackers to spoof Management and Conferencing Nodes by leveraging these keys. Date published : 2015-02-03 http://www.securityfocus.com/bid/72359 http://www.securityfocus.com/archive/1/534576/100/0/threaded
Cross-site scripting (XSS) vulnerability in Cisco AnyConnect Secure Mobility Client 3.1(.02043) and earlier and Cisco HostScan Engine 3.1(.05183) and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving an...
The TACACS+ command-authorization implementation in Cisco NX-OS allows local users to cause a denial of service (device reload) via a long CLI command, aka Bug ID CSCur54182. Date published : 2015-02-03 http://www.securityfocus.com/bid/72393 http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8013
Cross-site scripting (XSS) vulnerability in the admin interface in LANDESK Management Suite before 9.6 SP1 allows remote attackers to inject arbitrary web script or HTML via the AMTVersion parameter to remote/serverlist_grouptree.aspx. Date published :...
time.htm in the web interface on SerVision HVG Video Gateway devices with firmware through 2.2.26a100 allows remote authenticated users to gain privileges by leveraging a cookie received in an HTTP response, a different vulnerability...
ClamAV before 0.98.6 allows remote attackers to cause a denial of service (crash) via a crafted petite packer file, related to an "incorrect compiler optimization." Date published : 2015-02-03 http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148950.html