Monthly Archive: July 2017

The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a comparison between signed and...

Missing CSRF token checks and improper input validation in Joomla! CMS 1.7.3 through 3.7.2 lead to an XSS vulnerability. Date published : 2017-07-17 http://www.securityfocus.com/bid/99451 https://developer.joomla.org/security-centre/697-20170602-core-xss-vulnerability

Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads to disclosure of form contents. Date published : 2017-07-17 http://www.securityfocus.com/bid/99450 https://developer.joomla.org/security-centre/696-20170601-core-information-disclosure

In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312), the scriptName parameter of the licenseKeyInfo action method is vulnerable to cross-site scripting (XSS). Date published : 2017-07-17...

The reportId parameter of the getReportStatus action method can be abused in the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312) to read arbitrary...

The kluser is able to interact with the kav4fs-control binary in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). By abusing the quarantine read and write operations,...

There are no Anti-CSRF tokens in any forms on the web interface in Kaspersky Anti-Virus for Linux File Server before Maintenance Pack 2 Critical Fix 4 (version 8.0.4.312). This would allow an attacker to...

A heap overflow in apk (Alpine Linux’s package manager) allows a remote attacker to cause a denial of service, or achieve code execution, by crafting a malicious APKINDEX.tar.gz file with a bad pax header...

A heap overflow in apk (Alpine Linux’s package manager) allows a remote attacker to cause a denial of service, or achieve code execution by crafting a malicious APKINDEX.tar.gz file. Date published : 2017-07-17 http://www.securityfocus.com/bid/99340...

An issue was discovered in Fuji Electric V-Server Version 3.3.22.0 and prior. A memory corruption vulnerability has been identified (aka improper restriction of operations within the bounds of a memory buffer), which may allow...

Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows remote authenticated users to inject arbitrary web script or HTML via the map_language parameter to backend/pages/lang_settings.php. Date published : 2017-07-17 https://github.com/BlackCatDevelopment/BlackCatCMS/issues/373 http://packetstormsecurity.com/files/143103/Blackcat-CMS-1.2-Cross-Site-Scripting.html

An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2. Date published : 2017-07-17 https://owncloud.org/security/advisory/?id=oc-sa-2017-006 https://hackerone.com/reports/166581

A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Date published...

Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or...