Monthly Archive: April 2015

Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path...

Open-source ARJ archiver 3.10.22 allows remote attackers to conduct directory traversal attacks via a symlink attack in an ARJ archive. Date published : 2015-04-08 http://www.securityfocus.com/bid/71860 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774434

The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. Date published : 2015-04-08 http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html...

The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related...

The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes....

CA Spectrum 9.2.x and 9.3.x before 9.3 H02 does not properly validate serialized Java objects, which allows remote authenticated users to obtain administrative privileges via crafted object data. Date published : 2015-04-07 http://www.securityfocus.com/bid/73957 http://www.securityfocus.com/archive/1/535205/100/0/threaded

Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3.x before 9.3 H02 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Date published : 2015-04-07 http://www.securityfocus.com/bid/73963 http://www.securityfocus.com/archive/1/535205/100/0/threaded

Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component....

Cross-site request forgery (CSRF) vulnerability in bBlog allows remote attackers to hijack the authentication of arbitrary users. Date published : 2015-04-07 http://jvn.jp/en/jp/JVN71903938/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000047

Multiple SQL injection vulnerabilities in the Simple Ads Manager plugin before 2.7.97 for WordPress allow remote attackers to execute arbitrary SQL commands via a (1) hits[][] parameter in a sam_hits action to sam-ajax.php; the...

Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via...

Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in...

Multiple cross-site scripting (XSS) vulnerabilities in the Report Viewer in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4.x, 5.x, and 6.x allow remote attackers to inject arbitrary web script or HTML via the (1)...

The Red Hat docker package before 1.5.0-28, when using the –add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain...