CVE-2014-7216
Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in...
Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified...
Cross-site scripting (XSS) vulnerability in js/window.php in the sourceAFRICA plugin 0.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the wpbase parameter. Date published : 2015-09-11 http://packetstormsecurity.com/files/133371/WordPress-sourceAFRICA-0.1.3-Cross-Site-Scripting.html https://wpvulndb.com/vulnerabilities/8169
Cross-site scripting (XSS) vulnerability in the googleSearch (CSE) (com_googlesearch_cse) component 3.0.2 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the q parameter to index.php. Date published : 2015-09-11 http://packetstormsecurity.com/files/133375/Joomla-GoogleSearch-CSE-3.0.2-Cross-Site-Scripting.html
SQL injection vulnerability in Montala Limited ResourceSpace 7.3.7009 and earlier allows remote attackers to execute arbitrary SQL commands via the "user" cookie to plugins/feedback/pages/feedback.php. Date published : 2015-09-11 http://packetstormsecurity.com/files/133297/ResourceSpace-CMS-7.3.7009-SQL-Injection.html
Absolute path traversal vulnerability in SiteFactory CMS 5.5.9 allows remote attackers to read arbitrary files via a full pathname in the file parameter to assets/download.aspx. Date published : 2015-09-11 http://packetstormsecurity.com/files/133251/SiteFactory-CMS-5.5.9-Directory-Traversal.html
Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in an...
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharacters in the subtitle_codepage parameter to subtitle.cgi. Date published : 2015-09-11 http://www.securityfocus.com/archive/1/536427/100/0/threaded https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL commands via the id parameter to watchstatus.cgi. Date published : 2015-09-11 http://www.securityfocus.com/archive/1/536427/100/0/threaded https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL commands via the id parameter to audiotrack.cgi. Date published : 2015-09-11 http://www.securityfocus.com/archive/1/536427/100/0/threaded https://www.synology.com/en-global/releaseNote/VideoStation?model=DS715
Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in...
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against...
Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger 5.1.0 allows remote attackers to hijack the authentication of users for requests that change a password via a request to signup.php. Date published : 2015-09-11 https://www.exploit-db.com/exploits/38119/ http://packetstormsecurity.com/files/133498/Autoexchanger-5.1.0-Cross-Site-Request-Forgery.html
Siemens RUGGEDCOM ROS 3.8.0 through 4.1.x permanently enables the IP forwarding feature, which allows remote attackers to bypass a VLAN isolation protection mechanism via IP traffic. Date published : 2015-09-11 http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-720081.pdf https://ics-cert.us-cert.gov/advisories/ICSA-15-244-01