WordPress Image Metadata Cruncher CSRF / XSS

Title: CSRF / Stored XSS Vulnerability in IMAGE-MEtadata-Cruncher Wordpress Plugin Author: Kaustubh G. Padwad CVE-ID : CVE-2015-1614 Plugin Homepage: https://wordpress.org/plugins/image-metadata-cruncher/ Severity: Medium Description: Vulnerable Parameter: Alternate text,Caption,Custom image meta...

Creaking Patch Tuesday's Viability Rests with Quality, Speed

Today is Patch Tuesday, the 11-year-old procession of security bulletins from Microsoft streamed out automatically to consumers of Windows Update, and pulled en masse by enterprise admins worldwide needing to test each for compatibility. This is how it’s been done since shortly after Bill Gates’...

A Token’s Tale

Posted by James Forshaw currently impersonating NT AUTHORITY\SYSTEM. Much as I enjoy the process of vulnerability research sometimes there’s a significant disparity between the difficulty of finding a vulnerability and exploiting it. The Project Zero blog contains numerous examples of complex...

DLA-151-1 libxml2 - security update

Bulletin has no description...

Ghost glibc Vulnerability Affects Enterprise Applications

What drove IT admins crazy about the Bash vulnerability was that it was difficult to determine—and patch—everything that was making a Bash call. It was everywhere. Apparently, some of that angst applies to the Ghost vulnerability in the GNU C library, known as glibc. At first, experts believed th...

Zero Day in WordPress Plugin FancyBox Patched

Developers have patched a zero day vulnerability in FancyBox, a plug-in for WordPress, which allowed malware to be added via an iFrame to infected sites. Despite not having been updated in over two years, Jose Pardilla, the author of FancyBox, insisted early Thursday that he had fixed the flaw wi...

Adobe Begins Patching Third Flash Player Zero Day

Adobe announced today that it will begin distributing a patch for the third and most recent zero-day vulnerability in Flash Player. Version 16.0.0.305 will be distributed to users who have enabled auto-update. Adobe said it expects to have a manual update available tomorrow. “We are working with...

CVE-2 0 1 5-0 2 3 5: Linux Glibc Ghost vulnerability allows hackers remote access to system permissions-bug warning-the black bar safety net

! t01a998ea950583688b. png Ghost vulnerability in Linux glibc library appeared on the a serious security issue, he can keep the attacker in ignorance of the system in any case remote accessoperating systemthe control authority. He is currently the CVE number for CVE-2 0 1 5-0 2 3 5 to. What is...

FreeBSD-SA-15:03.sctp

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-15:03.sctp Security Advisory The FreeBSD Project Topic: SCTP stream reset vulnerability Category: core Module: sctp Announced: 2015-01-27 Credits: Gerasimos...

Google Apps Flaw Allowed Hacker to Hijack Account and Disable Two-factor Authentication

A critical cross-site scripting XSS vulnerability in the Google Apps administrator console allowed cyber criminals to force a Google Apps admins to execute just about any request on the domain. The Google Apps admin console allows administrators to manage their organization’s account...

Report Companies Still Not Patching Security Vulnerabilities

The Cisco 2015 Annual Security Report is out and the findings are troubling as always: for every positive finding in the report, it seems, there is a negative finding, neutralizing any gains in the network security struggle. Chief information security officers say their security postures are stro...

Fedora 21 : php-5.6.4-2.fc21 (2014-17241)

18 Dec 2014, PHP 5.6.4\r\n\r\nCore:\r\n Fixed bug 68091 Some Zend headers lack appropriate extern 'C' blocks. Adam\r\n Fixed bug 68104 Segfault while pre-evaluating a disabled function. Laruence\r\n Fixed bug 68185 'Inconsistent insteadof definition.'- incorrectly triggered. Julien\r\n Fixed bug...

IBM Security AppScan Enterprise Arbitrary Code Execution Vulnerability

IBM Security AppScan Enterprise is a set of U.S. IBM Web application security testing solutions. Formerly known as IBM Rational AppScan Enterprise, the program supports simultaneous scanning of multiple Web applications , generate vulnerability reports and intelligent patching . IBM Security...

ThinkPHP补丁修复不当导致SQL注入

简要描述： 放学回寝室，发现大家都在吐槽这个补丁。 这补丁我也是看醉了。逻辑有问题啊。。 详细说明： 这是ThinkPHP对这次注入的补丁：https://github.com/liu21st/thinkphp/commit/23c6e130ce75f2132e5b48699363a75ed28e15b2 elseifisarray$val && isset$REQUEST$key && isarray$REQUEST$key $options'where'$key = string$val; 这逻辑…… 简单说一下他的逻辑：$key是数据库字段名字，$val是我传入的参数。...

Yahoo Plans to Disclose All New Bugs It Finds Within 90 Days

Yahoo officials say that the company will disclose any new vulnerabilities that the company’s security team finds within 90 days of discovery. The new policy is the same one used by Google’s Project Zero, a team of researchers that looks for vulnerabilities in a variety of commonly used software...

FreeBSD Security Advisory FreeBSD-SA-14:28.file

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:28.file Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in file1 and libmagic3 Category: contrib Module: file Announced: 2014-12-10...

CCH Wolters Kluwer PFX Engagement 7.1 Privilege Escalation

Exploit Title: CCH Wolters Kluwer PFX Engagement Windows 8, 2003, 2008, 2012 CVE : 2014-9113 Product Affected: CCH Wolters Kluwer PFX Engagement = v7.1 This vulnerability has been reference checked this against multiple installs. This configuration was identical across all systems and each versio...

The Bash Vulnerability: How to Protect your Environment

A recently discovered hole in the security of the Bourne-Again Shell bash has the majority of Unix/Linux including OS X admins sweating bullets. You should be, too--attackers have already developed exploits to unleash on unpatched web servers, network services and daemons that use shell scripts...

Fixes for IE, Flash Player in October Patch Tuesday Release

Microsoft and Adobe issued their monthly patch Tuesday releases today, and Microsoft posted eight bulletins, three of which are considered critical including the now-monthly cumulative Internet Explorer update, addressing 24 vulnerabilities in various products. Adobe has fixes for three...

CA20141001-01: Security Notice for Bash Shellshock Vulnerability

CA20141001-01: Security Notice for Bash Shellshock Vulnerability Issued: October 01, 2014 Updated: October 03, 2014 CA Technologies is investigating multiple GNU Bash vulnerabilities, referred to as the "Shellshock" vulnerabilities, which were publicly disclosed on September 24-27, 2014. CVE...