Lucene search

12 matches found

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2012-3293

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.00405
Exploits 0 | References 8
0day.today
added 2024/10/30 12:0 a.m. | 145 views

ABB Cylon Aspect 3.08.01 jsonProxy.php Unauthenticated Project Download Vulnerability

ABB Cylon Aspect version 3.08.01 is vulnerable to an unauthorized project file disclosure in jsonProxy.php. An unauthenticated remote attacker can issue a GET request abusing the DownloadProject servlet to download sensitive project files. The jsonProxy.php script bypasses authentication by...

AI score 7.5
Exploits 0
IBM Security Bulletins
added 2022/09/26 5:45 a.m. | 22 views

Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)

Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. Content VULNERABILITY DETAILS...

CVSS 5 | AI score 5.7 | EPSS 0.00405
Exploits 0 | Affected Software 1
ThreatPost
added 2018/02/14 5:22 p.m. | 21 views

Dell EMC Patches Critical Flaws in VMAX Enterprise Storage Systems

Dell EMC fixed two critical flaws in its management interfaces for its VMAX enterprise storage systems. One of the vulnerabilities could allow a remote attacker to use a hard-coded password to a default account to gain unauthorized access to systems. The company issued updates that address the tw...

CVSS 10 | AI score 9.3 | EPSS 0.10247
Exploits 0 | References 3
ThreatPost
added 2016/02/04 1:5 p.m. | 8 views

Netgear Management System Vulnerable to RCE, Path Traversal Attacks

Netgear’s ProSafe Network Management System suffers from two vulnerabilities, an arbitrary file upload and a path traversal, which could let a remote attacker execute code and download files. The problems affect the NMS300 product, a web-based system the company manufactures to help users monitor...

AI score 1.4
Exploits 0 | References 3
seebug.org
added 2014/07/01 12:0 a.m. | 7 views

Novell Groupwise 5.5/6.0 Servlet Gateway Default Authentication Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/3697/info Novell Groupwise Servlet Gateway is a product that allows Java servlets to be run with NetWare, using Novell JVM for NetWare v1.1.7b and NetWare Enterprise Web Server. A remote attacker may gain access to the...

AI score 7.1
Exploits 0
seebug.org
added 2013/06/06 12:0 a.m. | 12 views

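Struts 2.3.14.2 command execution vulnerability

Apache Struts is an open-source web application framework based on Java Servlets, JavaBeans and JavaServer Pages (JSP). Struts is built on the Model-View-Controller (MVC) design pattern and can be used to build complex web applications. In Apache Struts versions before 2.3.14.3 (exclusive), the fuzzy-matching feature for Action names can be used to trigger a command execution attack. Struts 2.3.14.3...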

AI score 7.1
Exploits 0
seebug.org
added 2013/05/30 12:0 a.m. | 37 views

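Apache Struts 'ParameterInterceptor' class OGNL security bypass vulnerability

Bugtraq ID: 60082 Apache Struts is an open-source web application framework based on Java Servlets, JavaBeans and JavaServer Pages (JSP). An error in the Apache Struts "ParameterInterceptor" class allows remote attackers to exploit the vulnerability to modify server-side objects, for example by executing arbitrary commands through specially crafted OGNL expressions. 0 Apache Struts 2.x Vendor solution: Apache Struts 2.3.14.1 has fixed this vulnerability; users are advised to download the update: http://struts.apache.org/...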

AI score 7.1
Exploits 0
Prion
added 2012/11/08 11:46 a.m. | 14 views

Cross site request forgery (csrf)

The Java servlets in the management console in IBM Tivoli Federated Identity Manager TFIM through 6.2.2 and Tivoli Federated Identity Manager Business Gateway TFIMBG before 6.2.2 do not require authentication for all resource downloads, which allows remote attackers to bypass intended J2EE securi...

CVSS 5 | AI score 6.9 | EPSS 0.00405
Exploits 0 | References 7 | Affected Software 2
Check Point Advisories
added 2009/10/14 12:0 a.m. | 2 views

IBM WebSphere Application Server Cross Site Scripting (CVE-2009-2742)

The IBM WebSphere Application Server is a Java 2 Enterprise Edition J2EE and Web Services-based application server. The software is made available for various vendor operating systems. It comprises of several Java-based tools that allow users to create and manage sophisticated business web sites...

CVSS 4.3 | AI score 6.8 | EPSS 0.0023
Exploits 1
Gentoo Linux
added 2008/04/10 12:0 a.m. | 50 views

Tomcat: Multiple vulnerabilities

Background Tomcat is the Apache Jakarta Project's official implementation of Java Servlets and Java Server Pages. Description The following vulnerabilities were reported: Delian Krustev discovered that the JULI logging component does not properly enforce access restrictions, allowing web...

CVSS 6.4 | AI score 5.7 | EPSS 0.81599
Exploits 5
securityvulns
added 2000/07/25 12:0 a.m. | 31 views

IBM WebSphere default servlet handler showcode vulnerability

Foundstone, Inc. http://www.foundstone.com "Securing the Dot Com World" Security Advisory IBM WebSphere default servlet handler showcode vulnerability ---------------------------------------------------------------------- FS Advisory ID: FS-072400-6-IBM Release Date: July 24, 2000 Product: IBM...

AI score 0.2
Exploits 0