908 matches found

Tenable Nessus
added 2014/06/24 12:0 a.m., 56 views

Ubuntu 14.04 LTS : PHP vulnerabilities (USN-2254-1)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2254-1 advisory. Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issu...

CVSS 7.2 | AI score 7.6 | EPSS 0.30666
Exploits 1 | References 5
OSV
added 2014/06/23 12:5 p.m., 1 views

USN-2254-1 php5 vulnerabilities

Christian Hoffmann discovered that the PHP FastCGI Process Manager (FPM) set incorrect permissions on the UNIX socket. A local attacker could use this issue to possibly elevate their privileges. This issue only affected Ubuntu 12.04 LTS, Ubuntu 13.10, and Ubuntu 14.04 LTS. (CVE-2014-0185) Francisco...

CVSS 7.2 | AI score 7.4 | EPSS 0.30666
Exploits 1 | References 5
OpenVAS
added 2014/05/08 12:0 a.m., 35 views

PHP 5.4.x < 5.4.27, 5.5.x < 5.5.12 Privilege Escalation Vulnerability

PHP is prone to a privilege escalation vulnerability. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:php:php"; if(description)...

CVSS 7.2 | AI score 8.8 | EPSS 0.00109
Exploits 1 | References 4
Prion
added 2014/05/06 10:44 a.m., 20 views

Code injection

sapi/fpm/fpm/fpmunix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client...

CVSS 7.2 | AI score 6.8 | EPSS 0.00109
Exploits 1 | References 12 | Affected Software 1
UbuntuCve
added 2014/05/06 12:0 a.m., 21 views

CVE-2014-0185

sapi/fpm/fpm/fpmunix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client...

CVSS 7.2 | AI score 7.1 | EPSS 0.00109
Exploits 1 | References 3
Tenable Nessus
added 2014/05/05 12:0 a.m., 35 views

PHP 5.4.x < 5.4.28 FPM Unix Socket Insecure Permission Escalation

According to its banner, the version of PHP 5.4.x installed on the remote host is a version prior to 5.4.28. It is, therefore, potentially affected by a permission escalation vulnerability. A flaw exists within the FastCGI Process Manager (FPM) when setting permissions for a Unix socket. This could...

CVSS 7.2 | AI score 8.1 | EPSS 0.00109
Exploits 1 | References 4
Tenable Nessus
added 2014/05/05 12:0 a.m., 72 views

PHP 5.5.x < 5.5.12 FPM Unix Socket Insecure Permission Escalation

According to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.12. It is, therefore, potentially affected by a permission escalation vulnerability. A flaw exists within the FastCGI Process Manager (FPM) when setting permissions for a Unix socket. This could...

CVSS 7.2 | AI score 8.1 | EPSS 0.00109
Exploits 1 | References 4
NVD
added 2014/04/10 11:55 p.m., 21 views

CVE-2014-0908

The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information,...

CVSS 6 | AI score 5.9 | EPSS 0.005
Exploits 1 | References 3
CVE
added 2014/04/10 11:0 p.m., 55 views

CVE-2014-0908

IBM BPM's User Attribute feature (Standard/Express/Advanced) across 7.5.x, 8.0.x, 8.5.x does not enforce authorization for read/write of attribute values via REST, enabling remote authenticated users to read or modify attributes and affect email notifications or task assignments. Affected version...

CVSS 6 | AI score 6.1 | EPSS 0.005
Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2014/04/10 11:0 p.m., 30 views

CVE-2014-0908

The User Attribute implementation in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.2, and 8.5.x through 8.5.0.1 does not verify authorization for read or write access to attribute values, which allows remote authenticated users to obtain sensitive information,...

AI score 5.9 | EPSS 0.005
Exploits 1 | References 3
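seebug.org
added 2014/04/10 12:0 a.m., 26 views

IBM Business Process Manager Authorization Bypass Vulnerability

Bugtraq ID: 66679 CVE ID: CVE-2014-0908 IBM Business Process Manager is a stateful product that continuously accumulates data. The User Attribute feature in IBM Business Process Manager has no concept of authorization: every user can read and update their own attribute values and can use the REST API to read other users' values, which can lead to disclosure of sensitive information. IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x...

CVSS 6 | AI score 6.6 | EPSS 0.005
Exploits 1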
exploitpack
added 2014/02/05 12:0 a.m., 10 views

IBM Business Process Manager - User Account Reconfiguration

IBM Business Process Manager - User Account Reconfiguration Exploit Title: IBM BMPS BPM User account reconfiguration/Privilege Escalation/Information Disclosure Date: 31.01.14 Exploit Author: 0in Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/ Version:...

AI score 0.4
Exploits 0
Exploit DB
added 2014/02/05 12:0 a.m., 23 views

IBM Business Process Manager - User Account Reconfiguration

Exploit Title: IBM BMPS BPM User account reconfiguration/Privilege Escalation/Information Disclosure Date: 31.01.14 Exploit Author: 0in Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/ Version: 8.0.1.1 newest versions can also be vulnerable Vulnerability...

AI score 7.4
Exploits 0
NVD
added 2014/01/22 5:22 a.m., 16 views

CVE-2013-6746

Cross-site scripting (XSS) vulnerability in FileNet P8 Platform Documentation Installable Info Center 4.5.1 through 5.2.0 in IBM FileNet Business Process Manager 4.5.1 through 5.1.0, FileNet Content Manager 4.5.1 through 5.2.0, and Case Foundation 5.2.0 allows remote attackers to inject arbitrary w...

CVSS 4.3 | AI score 5.6 | EPSS 0.00256
Exploits 0 | References 4
Prion
added 2014/01/22 5:22 a.m., 16 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in FileNet P8 Platform Documentation Installable Info Center 4.5.1 through 5.2.0 in IBM FileNet Business Process Manager 4.5.1 through 5.1.0, FileNet Content Manager 4.5.1 through 5.2.0, and Case Foundation 5.2.0 allows remote attackers to inject arbitrary w...

CVSS 4.3 | AI score 5.9 | EPSS 0.00256
Exploits 0 | References 4 | Affected Software 3
CVE
added 2014/01/22 2:0 a.m., 37 views

CVE-2013-6746

CVE-2013-6746 is an XSS vulnerability in IBM FileNet P8 Platform Documentation Installable Info Center shipped with IBM FileNet BPM, Content Manager, and Case Foundation. Affected components/versions include FileNet P8 Platform Documentation Installable Info Center 4.5.1–5.2.0, with IBM BPM 4.5.1...

CVSS 4.3 | AI score 5.7 | EPSS 0.00256
Exploits 0 | References 4 | Affected Software 3
Check Point Advisories
added 2013/12/03 12:0 a.m., 3 views

Oracle BPEL Process Manager ScriptServlet Information Disclosure (CVE-2013-3828)

A directory traversal vulnerability has been reported in Oracle BPEL Process Manager. The vulnerability is due to insufficient input validation in ScriptServlet when processing HTTP request parameters. A remote unauthenticated attacker can leverage this vulnerability to obtain sensitive informati...

CVSS 5 | AI score 5.9 | EPSS 0.00295
Exploits 0
Zero Day Initiative
added 2013/10/16 12:0 a.m., 33 views

Oracle BPEL Process Manager ScriptServlet Remote Code Execution Vulnerability

This vulnerability allows remote attackers to obtain sensitive information on vulnerable installations of Oracle BPEL Process Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ScriptServlet. It suffers from a directory traversal vulnerability...

CVSS 5 | AI score 4.1 | EPSS 0.00295
Exploits 0 | References 1
NVD
added 2013/07/06 1:57 p.m., 14 views

CVE-2013-0581

Multiple cross-site scripting (XSS) vulnerabilities in IBM Business Process Manager (BPM) 7.5.1.x, 8.0.0.x, and 8.0.1 before FP1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) ProcessPortal/jsp/socialPortal/dashboard.jsp, (2)...

CVSS 3.5 | AI score 5.2 | EPSS 0.00188
Exploits 0 | References 3
Prion
added 2013/07/06 1:57 p.m., 19 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in IBM Business Process Manager (BPM) 7.5.1.x, 8.0.0.x, and 8.0.1 before FP1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) ProcessPortal/jsp/socialPortal/dashboard.jsp, (2)...

CVSS 3.5 | AI score 5.5 | EPSS 0.00188
Exploits 0 | References 3 | Affected Software 1