Monthly Archive: July 2017

Framadate version 1.0 is vulnerable to Formula Injection in the CSV Export resulting possible Information Disclosure and Code Execution Date published : 2017-07-13 https://framagit.org/framasoft/framadate/issues/220

WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XSS resulting in attacker being able to execute JavaScript on the affected site Date published : 2017-07-13 https://security.dxw.com/advisories/stored-xss-in-relevanssi-could-allow-an-unauthenticated-attacker-to-do-almost-anything-an-admin-can-do/

RVM automatically loads environment variables from files in $PWD resulting in command execution RVM vulnerable to command injection when automatically loading environment variables from files in $PWD RVM automatically executes hooks located in $PWD...

Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attack Date published : 2017-07-13 https://git.tt-rss.org/git/tt-rss/commit/829d478f1b054c8ce1eeb4f15170dc4a1abb3e47

Akka versions

WordPress Plugin Vospari Forms version < 1.4 is vulnerable to a reflected cross site scripting in the form submission resulting in javascript code execution in the context on the current user. Date published :...

Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the parent_id parameter to tree.php and drp_action parameter to data_sources.php. Date published : 2017-07-13 https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/

SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via the graph_template_input_id and graph_template_id parameters. Date published : 2017-07-13 https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789

Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Java Key Store Password Disclosure vulnerability, that makes it possible to provide an unauthenticated attacker plain text password of administrative user and...

Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulnerable to Local File Inclusion vulnerability, that makes it possible to include arbitrary files on the server, this vulnerability can be exploited without any...

Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request. Date published : 2017-07-13 https://www.exploit-db.com/exploits/45196/..&#46;

Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access. Date published : 2017-07-13 Security Advisory –...

Chef Software’s mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries Date published : 2017-07-13 https://github.com/chef/mixlib-archive/blob/master/CHANGELOG.md

GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 before 3.20.7, 3.18 before 3.18.11, and prior versions, is vulnerable to a password manager sweep attack resulting in the remote exfiltration of stored passwords...