[SECURITY] Fedora 21 Update: openssh-6.6.1p1-13.fc21

SSH Secure SHell is a program for logging into and executing commands on a remote machine. SSH is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forward...

[SECURITY] Fedora 21 Update: python-jwt-1.3.0-1.fc21

A Python implementation of JSON Web Token draft 01. This library provides a means of representing signed content using JSON data structures, including claims to be transferred between two parties encoded as digitally signed and encrypted JSON objects...

Amazon Patches Certificate Vulnerabilities in Fire Phones

Amazon last week patched three vulnerabilities in its Fire smartphones, including two in its Certinstaller package that put devices at risk. An attacker could take advantage of the vulnerability in the package, which allows mobile apps to install certificates on Amazon Fire devices without user...

IBM Tivoli Security Directory Server Information Disclosure Vulnerability (CNVD-2015-04102)

IBM Tivoli Security Directory Server now known as IBM Security Directory Server, ISDS is a suite of enterprise identity management software from IBM in the United States that uses the Lightweight Directory Access Protocol LDAP. The software provides a trusted identity data infrastructure for...

Deserialization of untrusted data

IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have unspecified other...

Lansweeper Credential Collector

Lansweeper stores the credentials it uses to scan the computers in its Microsoft SQL database. The passwords are XTea-encrypted with a 68 character long key, in which the first 8 characters are stored with the password in the database and the other 60 is static. Lansweeper, by default, creates an...

Cisco IM and Presence Service Leaked Encrypted Passwords Privilege Escalation Vulnerability

A vulnerability in the Cisco IM and Presence Service could allow an authenticated, remote attacker to gain elevated privileges. The vulnerability is due to improper web page restrictions imposed by the affected software. An authenticated, remote attacker could exploit this vulnerability to access...

WordPress Encrypted Contact Form plugin cross-site request forgery vulnerability

WordPress is the WordPress Software Foundation's set of blogging platform developed using the PHP language, the platform supports PHP and MySQL servers to set up a personal blog site.Encrypted Contact Form plugin is a WordPress plugin that uses end-to-end encryption to send user information. A...

EUVD-2015-1916

The PKCS7dataDecodefunction in crypto/pkcs7/pk7doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a PKCS7 blob that uses ASN.1 encoding and lack...

UBUNTU-CVE-2015-1790

The PKCS7dataDecodefunction in crypto/pkcs7/pk7doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service NULL pointer dereference and application crash via a PKCS7 blob that uses ASN.1 encoding and lack...

WordPress Plugin Encrypted Contact Form 1.0.4 - Cross-Site Request Forgery

WordPress Plugin Encrypted Contact Form 1.0.4 - Cross-Site Request Forgery Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4 Submitter: Nitin Venkatesh Product: Encrypted Contact Form Wordpress Plugin Product URL:...

Cross site request forgery (csrf)

Cross-site request forgery CSRF vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting XSS attacks via the iframeurl parameter in an Update Page action in the...

CVE-2015-4010

Cross-site request forgery CSRF vulnerability in the Encrypted Contact Form plugin before 1.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting XSS attacks via the iframeurl parameter in an Update Page action in the...

WordPress Encrypted Contact Form 1.0.4 CSRF / XSS

Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4 Submitter: Nitin Venkatesh Product: Encrypted Contact Form Wordpress Plugin Product URL: https://wordpress.org/plugins/encrypted-contact-form/ Vulnerability Type: Cross-site...

CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4

Title: CVE-2015-4010 - Cross-site Request Forgery & Cross-site Scripting in Encrypted Contact Form Wordpress Plugin v1.0.4 Submitter: Nitin Venkatesh Product: Encrypted Contact Form Wordpress Plugin Product URL: https://wordpress.org/plugins/encrypted-contact-form/ Vulnerability Type: Cross-site...

Dennis Fisher and Mike Mimoso on Facebook's Security Moves, GitHub's Audit and More

Dennis Fisher and Mike Mimoso discuss Facebook’s moves toward encrypted notifications and SHA-2 usage, the audit of GitHub SSH keys and the awesome OpenSesame garage door hack from Samy Kamkar. Download: digitalunderground206.mp3 Music by Chris Gonsalves...

SysAid Help Desk Database Credentials Disclosure

This module exploits a vulnerability in SysAid Help Desk that allows an unauthenticated user to download arbitrary files from the system. This is used to download the server configuration file that contains the database username and password, which is encrypted with a fixed, known key. This modul...

DEBIAN-CVE-2015-3331

The driverrfc4106decrypt function in arch/x86/crypto/aesni-intelglue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service buffer overflow and system crash or possibly...

CVE-2015-3331

CVE-2015-3331 affects the Linux kernel up to 3.19.2, where __driver_rfc4106_decrypt in arch/x86/crypto/aesni-intel_glue.c mishandles memory locations for encrypted data, enabling a context-dependent attacker to trigger a buffer overflow via a crypto API call (e.g., with a libkcapi test program us...

WordPress Encrypted Blog Plugin <= 0.0.6.2 - Arbitrary Site Redirection

This plugin is prone to an arbitrary site redirection via encryptblogform.php redirectto parameter. Solution Upgrade this plugin...