CVE-2014-8032
The OutlookAction LI in Cisco WebEx Meetings Server allows remote authenticated users to obtain sensitive encrypted-password information via unspecified vectors, aka Bug IDs CSCuj40453 and CSCuj40449...
CVE-2014-8032
CVE-2014-8032 concerns Cisco WebEx Meetings Server where the OutlookAction LI may disclose a user’s encrypted password to an authenticated remote attacker. The Cisco advisory states the issue arises from the server returning encrypted password values and that authenticated access (potentially on ...
McAfee ePolicy Orchestrator Authenticated XXE Credential Exposure Exploit
This Metasploit module will exploit an authenticated XXE vulnerability to read the keystore.properties off of the filesystem. This properties file contains an encrypted password that is set during installation. What is interesting about this password is that it is set as the same password as the...
McAfee ePolicy Orchestrator Authenticated XXE Credential Exposure
This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'openssl' class Metasploit3 'McAfee ePolicy Orchestrator Authenticated XXE Credentials Exposure', 'Description' = %q This module will exploit a...
UBUNTU-CVE-2014-3556
The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...
Google Proposes Marking 'HTTP' as Insecure in 2015
The Chromium security team is devising a plan to explicitly and actively inform users that ‘HTTP’ connections provide no data security protections. Google’s grand vision is that some day, HTTPS will become so widespread and commonplace that secure connections can be unmarked in the way that HTTP...
Your backup administrator chose not to enable this functionality.
Challenge In the process of importing encrypted backup files for which you do not have the password, attempting to use the "I have lost the password" feature produces the error: Your backup administrator chose not to enable this functionality. Cause This occurs because the backup file was created...
EC3 Head Paints Bleak Cybercrime Picture
WASHINGTON D.C. – Everyone has the right to privacy, said Troels Oerting, head of the Europol’s European Cybercrime Center EC3, at Georgetown Law’s Cybercrime2020 conference yesterday. However, he went on, if you break your contract with society, that right can be taken away. Oerting noted that i...
Device42 Embedded Credentials
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0 http://www.device42.com/download/ Device42 ships virtual appliances ready for production use as a trial, essentially dictated by the license provided. The Appliance Manager listens on HTTP (no SSL) on port 4242 with default...
OracleVM 3.3 : nss (OVMSA-2014-0014)
The remote OracleVM system is missing necessary patches to address critical security updates : - Added nss-vendor.patch to change vendor - Update some patches on account of the rebase - Resolves: Bug 1099619 - Backport nss-3.12.6 upstream fix required by Firefox 31 - Resolves: Bug 1099619 - Remov...
OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846)
It was discovered that the CipherInputStream class implementation in OpenJDK did not properly handle certain exceptions. This could possibly allow an attacker to affect the integrity of an encrypted stream handled by this class...
WhatsApp Messenger Adds End-to-End Encryption by Default
Good news for all privacy lovers! Finally the wildly popular messaging app WhatsApp has made end-to-end encryption a default feature, a step forward for the online privacy of its users around the world. WhatsApp, the most popular messaging app with 600 million users as of October 2014, has...
openSUSE Security Update : pidgin (openSUSE-SU-2014:1376-1)
The following issues were fixed in this update : + General : - Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and...
Popular secure chat app TextSecure has an "unknown key sharing attack" vulnerability - vulnerability warning - the black bar safety net
TextSecure is an encrypted chat app for the Android platform; this free app is designed to guarantee communication privacy. It is developed by Open WhisperSystems, its code is completely open source, and it supports end-to-end SMS encryption. Looks very safe, doesn't it? Recently, however, researchers from Germany's Ruhr...
Facebook Creates .Onion Site; Now Accessible Via Tor Network
UPDATE – This story has been updated with commentary from the Tor Project. Facebook announced today that the social network will now be directly available to users as a Tor hidden service. The Tor Project is an Internet-traffic anonymization service that relays user traffic through a number of...
USN-2390-1: Pidgin vulnerabilities
Jacob Appelbaum and an anonymous person discovered that Pidgin incorrectly handled certificate validation. A remote attacker could exploit this to perform a machine-in-the-middle attack to view sensitive information or alter encrypted communications. CVE-2014-3694 Yves Younan and Richard Johnson...
NSA-Approved Samsung Knox Stores PIN in Cleartext
A security researcher has tossed a giant bucket of ice water on Samsung's thumbs up from the NSA approving use of certain Galaxy devices within the agency. The NSA's blessing, given under the agency's Commercial Solutions for Classified Program, meant that the Samsung Galaxy 4, 5 and Galaxy No...