Monthly Archive: February 2016

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory...

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory...

Cross-site scripting (XSS) vulnerability in Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query. Date published : 2016-02-05 http://seclists.org/fulldisclosure/2016/Feb/25 https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01

Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. Date published : 2016-02-05 http://seclists.org/fulldisclosure/2016/Feb/25 https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01

Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password. Date published : 2016-02-05 http://seclists.org/fulldisclosure/2016/Feb/25 https://ics-cert.us-cert.gov/advisories/ICSA-16-033-01

Cross-site scripting (XSS) vulnerability in the management interface in Cisco Jabber Guest Server 10.6(8) allows remote attackers to inject arbitrary web script or HTML via the host tag parameter, aka Bug ID CSCuy08224. Date...

Cross-site scripting (XSS) vulnerability in Cisco Unity Connection 11.5(0.199) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy09033. Date published : 2016-02-05 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-uc http://www.securitytracker.com/id/1034937

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Fog Director 1.0(0) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCux80466. Date published : 2016-02-05 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160201-fd

General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to obtain sensitive cleartext account information via unspecified vectors. Date published : 2016-02-05 http://apps.geindustrial.com/publibrary/checkout/Application%20and%20Technical%7CGEIS_SNMP%7CPDF&filename=GEIS_SNMP.pdf https://www.exploit-db.com/exploits/39408/

General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors. Date published : 2016-02-05 http://apps.geindustrial.com/publibrary/checkout/Application%20and%20Technical%7CGEIS_SNMP%7CPDF&filename=GEIS_SNMP.pdf https://www.exploit-db.com/exploits/39408/

The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network’s coverage area and entering an account number. Date published...

rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via crafted flag values...

Radicale before 1.1 allows remote authenticated users to bypass owner_write and owner_only limitations via regex metacharacters in the user name, as demonstrated by ".*". Date published : 2016-02-03 http://www.securityfocus.com/bid/80255 https://github.com/Kozea/Radicale/pull/341

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name. Date published : 2016-02-03 http://www.securityfocus.com/bid/80255 https://github.com/Kozea/Radicale/pull/343