5900 matches found

Check Point Advisories
added 2014/10/14 12:0 a.m., 3 views

ManageEngine Desktop Central mdmLogUploader Directory Traversal (CVE-2014-5006)

A directory traversal vulnerability has been reported in ManageEngine Desktop Central. The vulnerability is due to lack of authentication and insufficient input validation in the mdmLogUploader when processing HTTP requests. A remote unauthenticated attacker can upload arbitrary files to arbitrar...

CVSS 7.5, AI score 2.6, EPSS 0.5437
Exploits: 6

Check Point Advisories
added 2014/10/14 12:0 a.m., 2 views

ManageEngine Desktop Central StatusUpdate Arbitrary File Upload (CVE-2014-5005)

An arbitrary file upload vulnerability exists in ManageEngine Desktop Central. The vulnerability is due to lack of authentication and insufficient input validation of the parameters sent to the StatusUpdate page when processing HTTP requests. A remote unauthenticated attacker can upload arbitrary...

CVSS 7.5, AI score 1.6, EPSS 0.85825
Exploits: 12

Tenable Nessus
added 2014/10/12 12:0 a.m., 40 views

Amazon Linux AMI : tomcat6 (ALAS-2014-344)

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this fla...

CVSS 7.5, AI score 6.8, EPSS 0.9265
Exploits: 12, References: 5

Check Point Advisories
added 2014/10/12 12:0 a.m., 4 views

ManageEngine Multiple Products FileCollector doPost Directory Traversal (CVE-2014-6034)

A directory traversal vulnerability exists in ManageEngine OpManager, Social IT Plus and IT360. The vulnerability is due to lack of authentication and insufficient input validation on parameters sent to "/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector" in HTTP requests...

CVSS 5, AI score 2.7, EPSS 0.86551
Exploits: 12

Hacker One
added 2014/10/09 11:24 a.m., 582 views

Localize: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.

Go to http://www.localize.im/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 This effectively makes it a security issue since it allows an attacker to scan for a specific vulnerable module and then exploit it...

AI score 2.2
Exploits: 0

Prion
added 2014/10/07 10:55 a.m., 14 views

Information disclosure

The SSL VPN implementation in Cisco Adaptive Security Appliance ASA Software 9.2.2.4 and earlier does not properly manage session information during creation of a SharePoint handler, which allows remote authenticated users to overwrite arbitrary RAMFS cache files or inject Lua programs, and...

CVSS 5.5, AI score 7, EPSS 0.00115
Exploits: 0, References: 2, Affected Software: 1

myhack58
added 2014/09/27 12:0 a.m., 12 views

Trying to hack Redis via HTTP requests-vulnerability warning-the black bar safety net

0x01 Scenario: We assume there is an SSRF vulnerability or a misconfigured proxy server, so that the attacker can access the Redis service directly via HTTP requests. In both of these cases, we require that at least one line of the HTTP request be fully controllable, this...

AI score 0.7
Exploits: 0

securityvulns
added 2014/09/25 12:0 a.m., 265 views

Re: [oss-security] CVE-2014-6271: remote code execution through bash

Florian Weimer: Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches. http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017 http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018 http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052...

CVSS 10, AI score 0.3, EPSS 0.9422
Exploits: 130

Packet Storm
added 2014/09/25 12:0 a.m., 85 views

Bash Environment Variable Command Execution

Date: Wed, 24 Sep 2014 17:03:19 +0200 From: Florian Weimer To: [email protected] Subject: Re: CVE-2014-6271: remote code execution through bash Florian Weimer: Chet Ramey, the GNU bash upstream maintainer, will soon release official upstream patches...

CVSS 10, AI score 0.8, EPSS 0.9422
Exploits: 130

Fedora
added 2014/09/23 4:42 a.m., 11 views

[SECURITY] Fedora 21 Update: haproxy-1.5.4-1.fc21

HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high availability environments. Indeed, it can: - route HTTP requests depending on statically assigned cookies - spread load among several servers while assuring server persistence through the use of HTTP cookies - switch to...

AI score 0.8
Exploits: 0

Check Point Advisories
added 2014/09/21 12:0 a.m., 1 views

HP Network Virtualization toServerObject Directory Traversal (CVE-2014-2626)

A directory traversal vulnerability exists in HP Network Virtualization software. The vulnerability is due to insufficient input validation of user parameters passed to "toServerObject" method. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted HTTP requests to...

CVSS 9.4, AI score 2.8, EPSS 0.40449
Exploits: 0

UbuntuCve
added 2014/09/19 12:0 a.m., 27 views

CVE-2014-1830

Requests aka python-requests before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request...

CVSS 5, AI score 7.2, EPSS 0.00464
Exploits: 0, References: 4

Tenable Nessus
added 2014/09/10 12:0 a.m., 14 views

Progea Movicon < 11.2 Build 1086 Multiple Vulnerabilities

Binary data 7142.pasl...

CVSS 10, AI score 6.9, EPSS 0.56687
Exploits: 3, References: 6

Kitploit
added 2014/08/11 11:45 p.m., 238 views

XCat - Tool that aides in the exploitation of blind XPath injection vulnerabilities

XCat is a command line program that aides in the exploitation of blind XPath injection vulnerabilities. It can be used to retrieve the whole XML document being processed by a vulnerable XPath query, read arbitrary files on the hosts filesystem and utilize out of bound HTTP requests to make the...

AI score 7.5
Exploits: 0

OPENSUSE Linux
added 2014/08/07 11:4 p.m., 52 views

security issues addressed, most notably the mod_security heap overflow known as CVE-2014-0226 (important)

apache2: - ECC support was added to mod_ssl - fix for a race condition in mod_status known as CVE-2014-0226 can lead to information disclosure; mod_status is not active by default, and is normally only open for connects from localhost. - fix for bug known as CVE-2014-0098 that can crash the apache...

CVSS 6.8, AI score 0.2, EPSS 0.75444
Exploits: 8, References: 6

0day.today
added 2014/08/01 12:0 a.m., 16 views

Oxwall 1.7.0 - Multiple CSRF And HTML Injection Vulnerabilities

Oxwall version 1.7.0 suffers from multiple cross-site request forgery and stored xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with...

AI score 7.5
Exploits: 0

0day.today
added 2014/08/01 12:0 a.m., 21 views

SkaDate Lite 2.0 - Multiple CSRF And Persistent XSS Vulnerabilities

SkaDate Lite version 2.0 suffers from multiple cross-site request forgery and stored xss vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with...

AI score 7.5
Exploits: 0

Check Point Advisories
added 2014/07/31 12:0 a.m., 3 views

HP Intelligent Management Center BIMS UploadServlet Information Disclosure (CVE-2014-2618)

An information disclosure vulnerability exists in the BIMS add-in module of HP Intelligent Management Center. The vulnerability is due to lack of authentication and insufficient input validation in the UploadServlet servlet when processing HTTP request parameters. By sending crafted HTTP requests...

CVSS 7.8, AI score 1.4, EPSS 0.01113
Exploits: 0

Packet Storm
added 2014/07/30 12:0 a.m., 31 views

SkaDate Lite 2.0 CSRF / Cross Site Scripting

SkaDate Lite 2.0 Mu...

AI score 7.4
Exploits: 0

exploitpack
added 2014/07/30 12:0 a.m., 14 views

SkaDate Lite 2.0 - Multiple Cross-Site Request Forgery Persistent Cross-Site Scripting Vulnerabilities

SkaDate Lite 2.0 - Multiple Cross-Site Request Forgery Persistent Cross-Site Scripting Vulnerabilities. SkaDate Lite 2.0 Multiple XSRF And Persistent XSS Vulnerabilities Vendor: Skalfa LLC Product web page: http://lite.skadate.com | http://www.skalfa.com Affected version: 2.0 build 7651 Platfo...

Exploits: 0