Monthly Archive: January 2016

The sandbox implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and...

Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability." Date published : 2016-01-12 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-001 http://www.securitytracker.com/id/1034648

Microsoft Edge allows remote attackers to execute arbitrary code via unspecified vectors, aka "Microsoft Edge Memory Corruption Vulnerability." Date published : 2016-01-12 http://www.zerodayinitiative.com/advisories/ZDI-16-019 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-002

The Microsoft (1) VBScript 5.7 and 5.8 and (2) JScript 5.7 and 5.8 engines, as used in Internet Explorer 8 through 11 and other products, allow remote attackers to execute arbitrary code via a...

Huawei VCN500 with software before V100R002C00SPC201 logs passwords in cleartext, which allows remote authenticated users to obtain sensitive information by triggering log generation and then reading the log. Date published : 2016-01-11 http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-463084.htm

The Operation and Maintenance Unit (OMU) in Huawei VCN500 with software before V100R002C00SPC200 allows remote authenticated users to change the IP address of the media server via crafted packets. Date published : 2016-01-11 http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-463070.htm

The Operation and Maintenance Unit (OMU) in Huawei VCN500 with software before V100R002C00SPC200 does not properly invalidate the session ID when an "abnormal exit" occurs, which allows remote attackers to conduct replay attacks via...

Huawei eSpace 7910 and 7950 IP phones with software before V200R002C00SPC800 allow remote attackers with established sessions to cause a denial of service (device restart) via unspecified packets. Date published : 2016-01-11 http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-461213.htm

Memory leak in Huawei eSpace 8950 IP phones with software before V200R003C00SPC300 allows remote attackers to cause a denial of service (memory consumption and restart) via a large number of crafted ARP packets. Date...

Multiple cross-site scripting (XSS) vulnerabilities in Secure Data Space SDS-API before 3.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to api/v3/public/shares/downloads/, the (2) authType parameter to api/v3/auth/login,...

IBM WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.6 and IBM Integration Bus 9 before 9.0.0.3 and 10 before 10.0.0.0 allow remote attackers to obtain sensitive information about the HTTP server via...

Untrusted search path vulnerability in Apple OS X before 10.11.1 allows local users to bypass intended Gatekeeper restrictions and gain privileges via a Trojan horse program that is loaded from an unexpected directory by...

Directory Utility in Apple OS X before 10.11.1 mishandles authentication for new sessions, which allows local users to gain privileges via unspecified vectors. Date published : 2016-01-11 http://lists.apple.com/archives/security-announce/2015/Oct/msg00005.html https://support.apple.com/HT205375

zarafa-autorespond in Zarafa Collaboration Platform (ZCP) before 7.2.1 allows local users to gain privileges via a symlink attack on /tmp/zarafa-vacation-*. Date published : 2016-01-11 https://download.zarafa.com/community/final/7.2/final-changelog-7.2.txt https://jira.zarafa.com/browse/ZCP-13533