[SECURITY] Fedora 23 Update: xstream-1.4.9-1.fc23
Source: Fedora, added 2016/04/26 8:58 p.m.

XStream is a simple library to serialize objects to XML and back again. A high-level facade is supplied that simplifies common use cases. Custom objects can be serialized without needing to specify mappings. Speed and a low memory footprint are a crucial part of the design, making it suitable for...

CVSS 7.5 | AI score 0.4 | EPSS 0.08402 | Exploits 0
Drupal Block Class module cross-site scripting vulnerability (CNVD-2016-02374)
Source: CNVD, added 2016/04/19 12:00 a.m.

Drupal is a free, open-source content management system written in PHP and maintained by the Drupal community. Block Class is a module that lets an administrator add CSS classes to any block through the block configuration interface. The Drupal Block Class module 7.x-2.x before 7.x-2.2 has a...

CVSS 5.4 | AI score 6.2 | EPSS 0.01116 | Exploits 0 | References 1
CVE-2016-3144
Source: Cvelist, added 2016/04/15 3:00 p.m.

Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name...

AI score 5 | EPSS 0.01116 | Exploits 0 | References 5
Several ways to fix the WebLogic Java deserialization vulnerability - vulnerability warning - the black bar safety net (myhack58)
Source: myhack58, added 2016/03/08 12:00 a.m.

Oracle has not yet publicly released an official patch for the WebLogic Java deserialization vulnerability. The fixes seen so far come down to two: replace the ObjectInputStream class used for deserialization with SerialKiller; or, where it does not affect the business, the...

AI score 0.6 | Exploits 0
CVE-2015-8390
Source: CVE, added 2015/12/02 12:00 a.m.

CVE-2015-8390 is a PCRE vulnerability: PCRE versions before 8.38 mishandle the [: and \ substrings in character classes, allowing a remote attacker to cause a denial of service (uninitialized memory read) via a crafted RegExp (JavaScript RegExp object, Konqueror). The connected IBM bulletins corr...

CVSS 9.8 | AI score 9.5 | EPSS 0.04618 | Exploits 0 | References 8 | Affected Software 1
CVE-2015-8390
Source: Cvelist, added 2015/12/02 12:00 a.m.

PCRE before 8.38 mishandles the [: and \ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by...

AI score 9.7 | EPSS 0.04618 | Exploits 0 | References 8
Scientific Linux Security Update : jakarta-commons-collections on SL6.x (noarch) (20151130)
Source: Tenable Nessus, added 2015/12/01 12:00 a.m.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections...

CVSS 10 | AI score 7.6 | EPSS 0.83274 | Exploits 8 | References 2
Debian DLA-352-1 : libcommons-collections3-java security update
Source: Tenable Nessus, added 2015/11/30 12:00 a.m.

The Apache commons-collections library suffered from security issues that exposed applications accepting serialized objects from untrusted sources. Remote attackers might take advantage of these issues to execute arbitrary Java functions and even inject manipulated bytecode. This release of...

AI score 5.7 | Exploits 0 | References 3
Debian Security Advisory DSA 3403-1 (libcommons-collections3-java - security update)
Source: OpenVAS, added 2015/11/24 12:00 a.m.

This update backports changes from the commons-collections 3.2.2 release which disable the deserialisation of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true. This fixes a vulnerability in unsafe applications deserialising...

AI score 0.1 | Exploits 0 | References 1
DSA-3403-1 libcommons-collections3-java - security update
Source: OSV, added 2015/11/24 12:00 a.m.

Bulletin has no description...

AI score 7.2 | Exploits 0
IBM System Networking Switch Center Local Privilege Escalation Vulnerability
Source: Zero Day Initiative, added 2015/11/10 12:00 a.m.

This vulnerability allows local unprivileged attackers to execute arbitrary code on vulnerable installations of IBM System Networking Switch Center. Authentication is not required to exploit this vulnerability. The specific flaw exists within the IBM SNSC Web Service, which listens by default on...

CVSS 7.2 | AI score 6.7 | EPSS 0.00434 | Exploits 0 | References 1
[SECURITY] Fedora 22 Update: struts-1.3.10-14.fc22
Source: Fedora, added 2015/09/04 5:20 a.m.

Welcome to the Struts Framework! The goal of this project is to provide an open source framework useful in building web applications with Java Servlet and JavaServer Pages (JSP) technology. Struts encourages application architectures based on the Model-View-Controller (MVC) design paradigm,...

CVSS 7.5 | AI score 1.5 | EPSS 0.21425 | Exploits 0
vBulletin x.x.x rce "0day"
Source: securityvulns, added 2015/08/24 12:00 a.m.

Not really a 0day since it's fixed in some versions, but still an exploit that doesn't seem to be "that" public. Please note, I didn't find this. vBulletin's memcache setting is vulnerable in certain versions (all before 4.2.2) to an RCE. vBulletin seem to have refused to classify it as a...

AI score 1.2 | Exploits 0
perfectpointestudio.com XSS vulnerability
Source: Openbugbounty, added 2015/08/19 7:54 p.m.

Vulnerable URL: http://perfectpointestudio.com/classes-popup.php?title==Tuesday=11
Details:
Patched: No
Latest check for patch: 25.07.2017
Vulnerability type: XSS
Vulnerability status: Publicly disclosed
Alexa Rank: 21480756
Google Pagerank: 2
VIP website status: N...

AI score 6.3 | Exploits 0
Coinbase: Runtime manipulation iOS app breaking the PIN
Source: Hacker One, added 2015/08/04 3:45 p.m.

I was able to bypass your PIN protection by doing runtime manipulation in the iOS app:
1. Installed Snoop-it on the device
2. In the Snoop-it tool settings, chose the Coinbase app
3. I had already set the PIN in the Coinbase app
4. Opened the Coinbase app; it asks for the PIN
5. Now browsing the Snoop-it...

AI score 6.7 | Exploits 0
EtherNet/IP CIP List of Active Object Classes
Source: Tenable Nessus, added 2015/05/14 12:00 a.m.

Binary data scadacipclasslist.nbin...

AI score 7.3 | Exploits 0
Internet Bug Bounty: PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
Source: Hacker One, added 2015/05/10 12:00 a.m.

https://bugs.php.net/bug.php?id=69617
Description: The PHP unserialize function is considered unsafe due to its behavior regarding class instantiation; in cases where serialized data is attacker controlled, it can be tampered with, allowing for the instantiation of arbitrary PHP...

AI score 7.7 | Exploits 0
ElasticSearch Search Groovy Sandbox Bypass Exploit
Source: 0day.today, added 2015/03/12 12:00 a.m.

This Metasploit module exploits a remote command execution (RCE) vulnerability in ElasticSearch, exploitable by default on ElasticSearch prior to 1.4.3. The bug is found in the REST API, which does not require authentication, where the search function allows Groovy code execution and its sandbox ca...

CVSS 7.5 | AI score 0.5 | EPSS 0.99906 | Exploits 19
JDK: privilege escalation via shared class cache
Source: RedHat Linux, added 2015/02/24 1:44 p.m.

Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and 5 before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via vectors related to the shared classes cache...

CVSS 6.9 | AI score 7.7 | EPSS 0.00559 | Exploits 0 | References 4
java-1.8.0-openjdk security update
Source: Oracle linux, added 2015/01/21 12:00 a.m.

1:1.8.0.31-1.b13
- Update to January CPU patch update.
- Resolves: RHBZ1180299
1:1.8.0.25-4.b17
- updated aarch64 sources
- epoch synced to 1
- all ppcs excluded from classes dump 1156151
- Resolves: rhbz1173706...

CVSS 10 | AI score 1.3 | EPSS 0.99999 | Exploits 10