Monthly Archive: September 2015

Google Chrome before 45.0.2454.85 does not display a location bar for a hosted app’s window after navigation away from the installation site, which might make it easier for remote attackers to spoof content via...

The decompose function in platform/transforms/TransformationMatrix.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not verify that a matrix inversion succeeded, which allows remote attackers to cause a denial of service (uninitialized memory...

Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allows remote attackers to execute arbitrary code or cause a denial of...

Multiple unspecified vulnerabilities in Google V8 before 4.5.103.29, as used in Google Chrome before 45.0.2454.85, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. Date published :...

Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb before 7.0.4 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a saveWorkerPeek action. Date published :...

Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key. Date published : 2015-09-03 http://blog.bestpractical.com/2015/08/security-vulnerabilities-in-rt.html...

The JavaServer Pages (JSP) component in Cisco Integrated Management Controller (IMC) Supervisor before 1.0.0.1 and UCS Director (formerly Cloupia Unified Infrastructure Controller) before 5.2.0.1 allows remote attackers to write to arbitrary files via crafted...

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, (4) mdare64_52.sys, and (5) Fortishield.sys drivers in Fortinet FortiClient before 5.2.4 do not properly restrict access to the API for management of processes and the Windows registry,...

The Fortishield.sys driver in Fortinet FortiClient before 5.2.4 allows local users to execute arbitrary code with kernel privileges by setting the callback function in a (1) 0x220024 or (2) 0x220028 ioctl call. Date published...

The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to write to arbitrary memory locations via a 0x226108 ioctl call. Date published : 2015-09-03...

The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL. Date published : 2015-09-03 https://bugzilla.redhat.com/show_bug.cgi?id=1252813 http://rhn.redhat.com/errata/RHSA-2015-1700.html

Race condition in pcsd in PCS 0.9.139 and earlier uses a global variable to validate usernames, which allows remote authenticated users to gain privileges by sending a command that is checked for security after...

Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post. Date...

EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 does not properly verify authorization for dm_job object access, which allows remote authenticated users to obtain superuser privileges via crafted object operations. NOTE: this...