Mautic has an unspecified vulnerability

Mautic is an open source marketing automation software. The software monitors and manages websites, sends emails and manages customer resources. A security vulnerability exists in Mautic 2.6.1 and earlier versions. No details of the vulnerability are provided at this time...

iwebsns open source SNS system order_by parameter has a SQL injection vulnerability

iWebSNS is a large-scale high concurrency and high load of open source SNS software , based on iwebSuperInteraction iweb SI for short framework development . iwebsns open source SNS system orderby parameter has a SQL injection vulnerability . Attackers can use this vulnerability to obtain databas...

[SECURITY] Fedora 26 Update: globus-gram-job-manager-14.36-1.fc26

The Globus Toolkit is an open source software toolkit used for building Grid systems and applications. It is being developed by the Globus Alliance and many others all over the world. A growing number of projects and companies are using the Globus Toolkit to unlock the potential of grids for thei...

[SECURITY] Fedora 24 Update: globus-xio-5.16-1.fc24

The Globus Toolkit is an open source software toolkit used for building Grid systems and applications. It is being developed by the Globus Alliance and many others all over the world. A growing number of projects and companies are using the Globus Toolkit to unlock the potential of grids for thei...

Open Ticket Request System Reload Vulnerability

OTRS Open Technology Real Service is an open source help desk and IT service management solution. OTRS suffers from a reinstallation vulnerability. Because the program does not validate the installation, an attacker can exploit the vulnerability to reinstall the system and directly manipulate the...

XSS Vulnerability in Ux365 Website Category Navigation System

Uc365 website classification and navigation system is a cross-platform open source software, based on PHP + MYSQL development and construction of open source website classification and catalog management system. Uke365 website category navigation system XSS vulnerability , an attacker can use the...

[SECURITY] Fedora 26 Update: radicale-1.1.2-1.fc26

The Radicale Project is a CalDAV calendar and CardDAV contact server. It aims to be a light solution, easy to use, easy to install, easy to configur e. As a consequence, it requires few software dependencies and is pre-configur ed to work out-of-the-box. The Radicale Project runs on most of the...

SQL injection vulnerability in the page_name parameter of the page.php page of the UX365 navigation system.

Uc365 website classification and navigation system is a cross-platform open source software, based on PHP + MYSQL development and construction of open source website classification and catalog management system. Uke365 website category navigation system page.php page pagename parameter SQL...

Bejtlich Moves On

Exactly six years ago today I announced that I was joining Mandiant to become the company's first CSO. Today is my last day at FireEye, the company that bought Mandiant at the very end of 2013. The highlights of my time at Mandiant involved two sets of responsibilities. First, as CSO, I enjoyed...

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting

WordPress Plugin NewStatPress 1.2.4 - Cross-Site Scripting Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginthewordpressnewstatpressplugin.html Abstract A persistent Cross-Site Scripting XSS vulnerability has been found in the WordPress NewStatPress plugin. By using this...

WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery

WordPress Plugin Popup by Supsystic 1.7.6 - Cross-Site Request Forgery !-- Source: https://sumofpwn.nl/advisory/2016/popupbysupsysticwordpresspluginvulnerabletocrosssiterequestforgery.html Abstract A Cross-site Request Forgery vulnerablity exists in the Popup by Supsystic WordPress Plugin. This...

SQL Injection Vulnerability in 'id' Parameter of Single Point CRM System

Single point CRM system is a single point of technology development , based on the GPLv3 agreement issued for small and medium-sized management activities , to provide customer relationship management CRM, sales and marketing inventory JXC, human resources HRM, logistics office supplies , fixed...

High Severity BIND Vulnerability Can Lead to A Crash

The Internet Systems Consortium patched the BIND domain name system this week, addressing a remotely exploitable vulnerability it considers high severity and said could lead to a crash. The issue affects servers that use both the DNS64 and RPZ function simultaneously. DNS64 is a mechanism for...

VirtualBox Privilege Escalation

Privilege Escalation in VirtualBox CVE-2017-3316 == Overview === System affected: VirtualBox Software-Version: prior to 5.0.32, prior to 5.1.14 User-Interaction: Required Impact: A Man-In-The-Middle could infiltrate an Extension-Pack-Update to gain a root-shell === Detailed description === In my...

WordPress Google Forms Plugin unauthenticated PHP Object injection vulnerability

Exploit for php platform in category web applications Abstract A PHP Object injection vulnerability was found in the Google Forms WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP...

What we learned from our Advent Calendar

Vulnerability Types In this years Advent of PHP Application Vulnerabilities APAV, we examined 36 critical security issues which were detected in 19 different PHP applications by our code analysis solution RIPS. We presented a multitude of critical security issues found in widely-used open-source...

Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution Exploit

Exploit for linux platform in category local exploits Both of these issues were reported to the Apport maintainers and a fix was released on 2016-12-14. The CrashDB code injection issue can be tracked with CVE-2016-9949 and the path traversal bug with CVE-2016-9950. An additional problem where...

Apport 2.x (Ubuntu Desktop 12.10 16.04) - Local Code Execution

Apport 2.x Ubuntu Desktop 12.10 16.04 - Local Code Execution Both of these issues were reported to the Apport maintainers and a fix was released on 2016-12-14. The CrashDB code injection issue can be tracked with CVE-2016-9949 and the path traversal bug with CVE-2016-9950. An additional problem...

Linux kernel flaw hack obtain Server Control permissions-bug warning-the black bar safety net

Security researchers said that the average user can use three security flaws to get to theLinux serveror workstation. Two defects exist in the Linux kernel memory management module. According to the Polish security vendor iSEC security information company in the local time this Wednesday the...

WordPress WassUp Real Time Analytics 1.9 Plugin - Persistent Cross-Site Scripting Vulnerability

Exploit for php platform in category web applications Source: https://sumofpwn.nl/advisory/2016/persistentcrosssitescriptinginwassuprealtimeanalyticswordpressplugin.html Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin Abstract A stored Cross-Site Scripting XSS...