BugTraq Latest Security Advisories

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

Two XSS Vulnerabilities in SupportCenter Plus

January 28, 2015 - 11:54am

Posted by High-Tech Bridge Security Research on Jan 28

Advisory ID: HTB23247
Product: SupportCenter Plus
Vendor: Zoho Corp.
Vulnerable Version(s): 7.9 and probably prior
Tested Version: 7.9
Advisory Publication: January 7, 2015 [without technical details]
Vendor Notification: January 7, 2015
Vendor Patch: January 23, 2015
Public Disclosure: January 28, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-0866
Risk Level: Medium
CVSSv2 Base Score: 4.3...

[CVE-2015-1393] Photo Gallery (Wordpress Plugin) - SQL Injection in Version 1.2.8

January 28, 2015 - 11:48am

Posted by sven on Jan 28

[CVE-2015-1393] Photo Gallery (Wordpress Plugin) - SQL Injection in Version 1.2.8

----------------------------------------------------------------

Product Information:

Software: Photo Gallery (Wordpress Plugin)
Tested Version: 1.2.8, released on 15.01.2015 and has over half a million downloads.
Vulnerability Type: SQL Injection (CWE-89)
Download link to tested version: https://downloads.wordpress.org/plugin/photo-gallery.1.2.8.zip...

[CVE-2015-1394] Photo Gallery (Wordpress Plugin) - Multiple XSS Vulnerabilities Version 1.2.8

January 28, 2015 - 11:40am

Posted by sven on Jan 28

[CVE-2015-1394] Photo Gallery (Wordpress Plugin) - Multiple XSS Vulnerabilities Version 1.2.8

----------------------------------------------------------------

Product Information:

Software: Photo Gallery (Wordpress Plugin)
Tested Version: 1.2.8, released on 15.01.2015 and has over half a million downloads.
Vulnerability Type: Cross-site Scripting (CWE-79)
Download link to tested version:...

[AMPLIA-ARA100614] OS X Gatekeeper Bypass Vulnerability

January 28, 2015 - 11:33am

Posted by Amplia Security Advisories on Jan 28

OS X Gatekeeper Bypass Vulnerability
Amplia Security - Amplia Security Research Advisory (AMPLIA-ARA100614)

Advisory ID: AMPLIA-ARA100614
Advisory URL:
http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html,
http://www.ampliasecurity.com/advisories/AMPLIA-ARA100614.txt
Date Published: 01-07-2015
Vendors Contacted: Apple (www.apple.com) (notified 10-06-2014)
Release Mode: Coordinated Release
Last Updated: 01-27-2105...

NEW VMSA-2015-0001 - VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address resolve security issues

January 28, 2015 - 11:24am

Posted by VMware Security Response Center on Jan 28

------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2015-0001
Synopsis: VMware vCenter Server, ESXi, Workstation, Player, and Fusion
updates address security issues
Issue date: 2015-01-27
Updated on: 2015-01-27 (Initial Advisory)
CVE number: CVE-2014-8370, CVE-2015-1043, CVE-2015-1044

--- OPENSSL---
CVE-2014-3513,...

[CORE-2015-0003] - FreeBSD Kernel Multiple Vulnerabilities

January 28, 2015 - 11:14am

Posted by CORE Advisories Team on Jan 28

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

FreeBSD Kernel Multiple Vulnerabilities

1. *Advisory Information*

Title: FreeBSD Kernel Multiple Vulnerabilities
Advisory ID: CORE-2015-0003
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
Date published: 2015-01-27
Date of last update: 2015-01-27
Vendors contacted: FreeBSD
Release mode: Coordinated release

2. *Vulnerability...

FreeBSD Security Advisory FreeBSD-SA-15:03.sctp

January 28, 2015 - 11:05am

Posted by FreeBSD Security Advisories on Jan 28

=============================================================================
FreeBSD-SA-15:03.sctp Security Advisory
The FreeBSD Project

Topic: SCTP stream reset vulnerability

Category: core
Module: sctp
Announced: 2015-01-27
Credits: Gerasimos Dimitriadis
Affects: All supported versions of FreeBSD....

FreeBSD Security Advisory FreeBSD-SA-15:02.kmem

January 28, 2015 - 10:55am

Posted by FreeBSD Security Advisories on Jan 28

=============================================================================
FreeBSD-SA-15:02.kmem Security Advisory
The FreeBSD Project

Topic: SCTP SCTP_SS_VALUE kernel memory corruption and disclosure

Category: core
Module: sctp
Announced: 2015-01-27
Credits: Clement LECIGNE from Google Security Team and...

APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001

January 27, 2015 - 5:41pm

Posted by Apple Product Security on Jan 27

APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001

OS X 10.10.2 and Security Update 2015-001 are now available and
address the following:

AFP Server
Available for: OS X Mavericks v10.9.5
Impact: A remote attacker may be able to determine all the network
addresses of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system. This issue was addressed by
removing the...

APPLE-SA-2015-01-27-3 Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

January 27, 2015 - 5:34pm

Posted by Apple Product Security on Jan 27

APPLE-SA-2015-01-27-3 Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3

Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 are now available and
address the following:

WebKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10.1
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit....

APPLE-SA-2015-01-27-2 iOS 8.1.3

January 27, 2015 - 5:26pm

Posted by Apple Product Security on Jan 27

APPLE-SA-2015-01-27-2 iOS 8.1.3

iOS 8.1.3 is now available and addresses the following:

AppleFileConduit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description: A vulnerability existed in the symbolic linking
mechanism of afc. This issue was addressed by adding additional path
checks.
CVE-ID...

APPLE-SA-2015-01-27-1 Apple TV 7.0.3

January 27, 2015 - 5:18pm

Posted by Apple Product Security on Jan 27

APPLE-SA-2015-01-27-1 Apple TV 7.0.3

Apple TV 7.0.3 is now available and addresses the following:

Apple TV
Available for: Apple TV 3rd generation and later
Impact: A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description: A vulnerability existed in the symbolic linking
mechanism of afc. This issue was addressed by adding additional path
checks.
CVE-ID
CVE-2014-4480 : TaiG Jailbreak Team

Apple TV...

Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow

January 27, 2015 - 12:11pm

Posted by Qualys Security Advisory on Jan 27

Qualys Security Advisory CVE-2015-0235

GHOST: glibc gethostbyname buffer overflow

--[ Contents ]----------------------------------------------------------------

1 - Summary
2 - Analysis
3 - Mitigating factors
4 - Case studies
5 - Exploitation
6 - Acknowledgments

--[ 1 - Summary ]-------------------------------------------------------------

During a code audit performed internally at Qualys, we discovered a
buffer overflow in the...

[SECURITY] [DSA 3142-1] eglibc security update

January 27, 2015 - 10:52am

Posted by Florian Weimer on Jan 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3142-1 security () debian org
http://www.debian.org/security/ Florian Weimer
January 27, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : eglibc
CVE ID : CVE-2012-6656 CVE-2014-6040...

[SECURITY] [DSA 3141-1] wireshark security update

January 27, 2015 - 10:45am

Posted by Moritz Muehlenhoff on Jan 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3141-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : wireshark
CVE ID : CVE-2015-0562 CVE-2015-0564...

[SYSS-2014-010] FancyFon FAMOC - SQL Injection

January 27, 2015 - 10:35am

Posted by matthias . deeg on Jan 27

Advisory ID: SYSS-2014-010
Product(s): FAMOC
Vendor: FancyFon
Affected Version(s): 3.16.5
Tested Version(s): 3.16.5
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2014-12-19
Solution Date: 2015-01-23
Public Disclosure: 2015-01-23
CVE Reference: Not yet assigned
Authors of Advisory: Matthias Deeg (SySS GmbH)
Sebastian Nerz (SySS GmbH)...

[SECURITY] [DSA 3140-1] xen security update

January 27, 2015 - 10:28am

Posted by Moritz Muehlenhoff on Jan 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3140-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
January 27, 2015 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xen
CVE ID : CVE-2014-8594 CVE-2014-8595...

[SYSS-2014-013] FancyFon FAMOC - Use of a One-Way Hash without a Salt

January 27, 2015 - 10:21am

Posted by matthias . deeg on Jan 27

Advisory ID: SYSS-2014-013
Product(s): FAMOC
Vendor: FancyFon
Affected Version(s): 3.16.5
Tested Version(s): 3.16.5
Vulnerability Type: Use of a One-Way Hash without a Salt (CWE-759)
Risk Level: Low
Solution Status: Fixed
Vendor Notification: 2014-12-19
Solution Date: 2015-01-23
Public Disclosure: 2015-01-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)...

[SYSS-2014-011] FancyFon FAMOC - Cross-Site Scripting

January 27, 2015 - 10:12am

Posted by matthias . deeg on Jan 27

Advisory ID: SYSS-2014-011
Product(s): FAMOC
Vendor: FancyFon
Affected Version(s): 3.16.5
Tested Version(s): 3.16.5
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2014-12-19
Solution Date: 2015-01-23
Public Disclosure: 2015-01-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~...

[SYSS-2014-012] FancyFon FAMOC - Session Fixation

January 27, 2015 - 10:03am

Posted by matthias . deeg on Jan 27

Advisory ID: SYSS-2014-012
Product(s): FAMOC
Vendor: FancyFon
Affected Version(s): 3.16.5
Tested Version(s): 3.16.5
Vulnerability Type: Session Fixation (CWE-384)
Risk Level: Low
Solution Status: Fixed
Vendor Notification: 2014-12-19
Solution Date: 2015-01-23
Public Disclosure: 2015-01-23
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~...