CVE-2016-5316
Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. Date published : 2017-01-20...
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. Date published : 2017-01-20 http://www.securityfocus.com/bid/92042 https://moodle.org/mod/forum/discuss.php?d=336699
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. Date published : 2017-01-20 http://www.securityfocus.com/bid/92040 https://moodle.org/mod/forum/discuss.php?d=336698
In Moodle 3.x, glossary search displays entries without checking user permissions to view them. Date published : 2017-01-20 http://www.securityfocus.com/bid/92041 https://moodle.org/mod/forum/discuss.php?d=336697
A vulnerability in Tiki Wiki CMS 15.2 could allow a remote attacker to read arbitrary files on a targeted system via a crafted pathname in a banner URL field. Date published : 2017-01-20 http://www.securityfocus.com/bid/96787...
The main function in plistutil.c in libimobiledevice libplist through 1.12 allows attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read) via Apple Property List data that is...
includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request. Date published : 2017-01-20 http://www.securityfocus.com/bid/95688 https://github.com/intelliants/subrion/issues/297
Cross-site scripting (XSS) vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to inject arbitrary web script or HTML via the existing-folder parameter. Date published : 2017-01-20 http://www.securityfocus.com/bid/95686 https://github.com/symphonycms/symphony-2/issues/2639
Directory traversal vulnerability in template/usererror.missing_extension.php in Symphony CMS before 2.6.10 allows remote attackers to rename arbitrary files via a .. (dot dot) in the existing-folder and new-folder parameters. Date published : 2017-01-20 http://www.securityfocus.com/bid/95689 https://github.com/symphonycms/symphony-2/issues/2639
In Moodle 3.x, there is XSS in the assignment submission page. Date published : 2017-01-20 http://www.securityfocus.com/bid/95647 https://moodle.org/mod/forum/discuss.php?d=345915
In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums. Date published : 2017-01-20 http://www.securityfocus.com/bid/95649 https://moodle.org/mod/forum/discuss.php?d=345912
CGI handling flaw in bozohttpd in NetBSD 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows remote attackers to execute arbitrary code via crafted arguments, which are handled by a non-CGI aware program. Date...
Blink in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android incorrectly handled iframes, which allowed a remote attacker to bypass a no-referrer policy via a crafted HTML page....
Firejail 0.9.38.4 allows local users to execute arbitrary commands outside of the sandbox via a crafted TIOCSTI ioctl call. Date published : 2017-01-19 http://www.securityfocus.com/bid/93899 http://www.openwall.com/lists/oss-security/2016/10/25/3