47153 matches found
SaaS Marketing platform Hubspot export vulnerability
Hubspot is a widely used SaaS marketing platform to email all your customers, collect data about them and attract new customers. It is common practice to keep customer lists in Hubspot to send newsletters or other email communication. Hubspot has hardcoded roles that grant users access to vario...
[ MDVSA-2014:170 ] jakarta-commons-httpclient
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mandriva Linux Security Advisory MDVSA-2014:170 http://www.mandriva.com/en/support/security/ Package : jakarta-commons-httpclient Date : September 2, 2014 Affected: Business Server 1.0 Problem Description: Updated jakarta-commons-httpclient and...
Security advisory for Bugzilla 4.5.5, 4.4.5, 4.2.10, and 4.0.14
Summary ======= Bugzilla is a Web-based bug-tracking system used by a large number of software projects. The following security issue has been discovered in Bugzilla: An attacker can get access to some bug information using the victim's credentials using a specially crafted HTML page. All affecte...
[The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert
Hi, You can read the usernames and MD5 hashed passwords of all the users in the Device Expert application by sending an unauthenticated request. I am releasing this as a 0 day as ManageEngine have responded that they do not consider this a priority and won't fix it in the near future unless a...
Embarcadero Delphi / C++ Builder VCL library buffer overflow
Buffer overflow on BMP parsing...
live buffer overflow
Buffer overflow on RTSP library...
HttpFileServer code execution
Code execution via GET request...
Microsoft Word code execution
Code execution on Word document parsing...
SQL Injection in Е2
Advisory ID: HTB23222 Product: Е2 Vendor: Ilya Birman Vulnerable Versions: v2844 and probably prior Tested Version: v2844 Advisory Publication: July 2, 2014 without technical details Vendor Notification: July 2, 2014 Vendor Patch: July 3, 2014 Public Disclosure: July 23, 2014 Vulnerability Type:...
Reflected Cross-Site Scripting (XSS) in e107
Advisory ID: HTB23220 Product: e107 Vendor: e107 Vulnerable Versions: 2.0 alpha2 and probably prior Tested Version: 2.0 alpha2 Advisory Publication: June 18, 2014 without technical details Vendor Notification: June 18, 2014 Vendor Patch: June 27, 2014 Public Disclosure: July 16, 2014 Vulnerabilit...
Reflected Cross-Site Scripting (XSS) Vulnerability in Storesprite
Advisory ID: HTB23215 Product: Storesprite Vendor: Lamp Design Limited Vulnerable Versions: 7 and probably prior Tested Version: 7 Advisory Publication: May 14, 2014 without technical details Vendor Notification: May 14, 2014 Vendor Patch: June 19, 2014 Public Disclosure: June 25, 2014...
NEW VMSA-2014-0009 VMware NSX and vCNS product updates address a critical information disclosure vulnerability
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2014-0009 Synopsis: VMware NSX and vCNS product updates address a critical information disclosure vulnerability Issue date: 2014-09-1...
Encore Discovery Solution Multiple Vulnerability Disclosure
Product: Encore Discovery Solution Vendor: Innovative Interfaces Inc Vulnerable Version: 4.3 Tested Version: 4.3 Vendor Notification: June 19, 2014 Public Disclosure: August 26, 2014 Vulnerability Type: Open Redirect CWE-601 CVE Reference: CVE-2014-5127 Risk Level: Medium CVSSv2 Base Score: 4.3...
HttpFileServer 2.3.x Remote Command Execution
Affected software: http://sourceforge.net/projects/hfs/ Version : 2.3x Exploit Title: HttpFileServer 2.3.x Remote Command Execution Google Dork: intext:"httpfileserver 2.3" Date: 11-09-2014 Remote: Yes Exploit Author: Daniele Linguaglossa Vendor Homepage: http://rejetto.com/ Software Link:...
Osclass Security Advisory - Multiple XSS Vulnerabilities - CVE-2014-6280
Information ------------ Advisory by Netsparker. Name: XSS Vulnerability in OsClass Affected Software : OsClass Affected Versions: 3.4.1 and possibly below Vendor Homepage : http://osclass.org/ Vulnerability Type : Cross-site Scripting Severity : Critical CVE-ID: CVE-2014-6280 Netsparker Advisory...
[CORE-2014-0005] - Advantech WebAccess Vulnerabilities
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Advantech WebAccess Vulnerabilities 1. Advisory Information Title: Advantech WebAccess Vulnerabilities Advisory ID: CORE-2014-0005 Advisory URL: http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities Date...
[ MDVSA-2014:144 ] live
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mandriva Linux Security Advisory MDVSA-2014:144 http://www.mandriva.com/en/support/security/ Package : live Date : July 30, 2014 Affected: Business Server 1.0 Problem Description: Updated live fix security vulnerability: The live555 RTSP streaming...
CVE-2014-5393 Path Traversal to Sensitive Files in Webroot in "JobScheduler"
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-5393 =================== "Path Traversal to Sensitive Files in Webroot" CWE-219 vulnerability in "JobScheduler" product Vendor =================== Software- & Organisations-Service GmbH Product =================== "JobScheduler is a workload...
[CORE-2014-0006] - Delphi and C++ Builder VCL library Heap Buffer Overflow
Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Delphi and C++ Builder VCL library Heap Buffer Overflow 1. Advisory Information Title: Delphi and C++ Builder VCL library Heap Buffer Overflow Advisory ID: CORE-2014-0006 Advisory URL:...
Multiple SQL Injection Vulnerabilities in web2Project
Advisory ID: HTB23213 Product: web2Project Vendor: http://web2project.net Vulnerable Versions: 3.1 and probably prior Tested Version: 3.1 Advisory Publication: April 30, 2014 without technical details Vendor Notification: April 30, 2014 Vendor Patch: May 1, 2014 Public Disclosure: June 18, 2014...
SQL Injection in Dolphin
Advisory ID: HTB23216 Product: Dolphin Vendor: BoonEx Vulnerable Versions: 7.1.4 and probably prior Tested Version: 7.1.4 Advisory Publication: May 21, 2014 without technical details Vendor Notification: May 21, 2014 Vendor Patch: June 17, 2014 Public Disclosure: June 18, 2014 Vulnerability Type:...
Open-Xchange Security Advisory 2014-09-15
Product: OX App Suite Vendor: Open-Xchange GmbH Vulnerability type: Cross Site Scripting CWE-80 Vulnerable version: 7.6.0 and earlier Vulnerable component: frontend Fixed version: 7.4.2-rev33, 7.6.0-rev16 Report confidence: Confirmed Solution status: Fixed by Vendor Vendor notification: 2014-07-1...
ESA-2014-081 RSA® Identity Management and Governance Authentication Bypass Vulnerability
ESA-2014-081.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ESA-2014-081 RSA® Identity Management and Governance Authentication Bypass Vulnerability EMC Identifier: ESA-2014-081 CVE Identifier: CVE-2014-4619 Severity Rating: CVSS v2 Base Score: 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C Affected products:...
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc...
ClipBucket CMS Xss Vulnerability
XSS Vulnerability In ClipBucket CMS...
catfish code execution
catfish.py in current path is executed...
Osclass Security Advisory - LFI Vulnerability - CVE-2014-6308
Information ----------- Advisory by Netsparker. Name : LFI Vulnerability in OsClass Affected Software : OsClass Affected Versions: 3.4.1 and possibly below Vendor Homepage : http://osclass.org/ Vulnerability Type : Local File Inclusion Severity : Critical CVE-ID: CVE-2014-6308 Netsparker Advisory...
VMware NSX and vCNS information disclosure
No description provided...
Cross-Site Request Forgery (CSRF) in Kanboard
Advisory ID: HTB23217 Product: Kanboard Vendor: http://kanboard.net/ Vulnerable Versions: 1.0.5 and probably prior Tested Version: 1.0.5 Advisory Publication: May 28, 2014 without technical details Vendor Notification: May 28, 2014 Vendor Patch: June 30, 2014 Public Disclosure: July 2, 2014...
ownCloud Unencrypted Private Key Exposure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Senderek Web Security - Security Advisory ownCloud Unencrypted Private Key Exposure ========================================= https://senderek.ie/archive/2014/owncloudunencryptedprivatekeyexposure.php Revision: 1.00 Last Updated: 3 Aug 2014 Summary: I...
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
Multiple memory corruptions, buffer overflows, restriction bypass...
[SECURITY] [DSA 3013-1] s3ql security update
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3013-1 [email protected] http://www.debian.org/security/ Florian Weimer August 27, 2014 http://www.debian.org/security/faq -...
[RT-SA-2013-002] Endeca Latitude Cross-Site Request Forgery
Advisory: Endeca Latitude Cross-Site Request Forgery RedTeam Pentesting discovered a Cross-Site Request Forgery (CSRF) vulnerability in Endeca Latitude. Using this vulnerability, an attacker might be able to change several different settings of the Endeca Latitude instance or disable it entirely...
Open-Xchange multiple security vulnerabilities
XSS, directory traversal, SSRF, restrictions bypass...
Microsoft Windows multiple security vulnerabilities
Restrictions bypass and memory corruptions in Internet Explorer, .Net code execution, TrueType embedded fonts code execution, OLE code execution, message queue service and FAT32 driver privilege escalation...
wpa_supplicant shell characters vulnerability
Insufficient character filtering...
Sierra Library Services Platform Multiple Vulnerability Disclosure
Product: Sierra Library Services Platform Vendor: Innovative Interfaces Inc Vulnerable Version: 1.23 Tested Version: 1.23 Vendor Notification: June 19, 2014 Public Disclosure: August 26, 2014 Vulnerability Type: Cross-Site Scripting CWE-79 CVE Reference: CVE-2014-5136 Risk Level: Medium CVSSv2 Ba...
serf / Apache httpcomponents HttpClient / Jakarta Commons HttpClient SSL validation bypass
Invalid parsing of certificates with NUL character in CN...
[RT-SA-2013-003] Endeca Latitude Cross-Site Scripting
Advisory: Endeca Latitude Cross-Site Scripting RedTeam Pentesting discovered a Cross-Site Scripting (XSS) vulnerability in Endeca Latitude. By exploiting this vulnerability an attacker is able to execute arbitrary JavaScript code in the context of other Endeca Latitude users. Details ======= Produc...
CVE-2014-5391 DOM-based Cross-Site Scripting (XSS) in "JobScheduler"
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-5391 =================== "DOM-based Cross-Site Scripting (XSS)" CWE-79 vulnerability in "JobScheduler" product Vendor =================== Software- & Organisations-Service GmbH Product =================== "JobScheduler is a workload automation...
[SECURITY] [DSA 3017-1] php-cas security update
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3017-1 [email protected] http://www.debian.org/security/ Thijs Kinkhorst September 2, 2014 http://www.debian.org/security/faq -...
EMC RSA Identity Management and Governance authentication bypass
Authentication bypass if NovellIM is used...
Avira License Application CSRF
Cross-site request forgery in web interface...
[ MDVSA-2014:145 ] php-ZendFramework
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mandriva Linux Security Advisory MDVSA-2014:145 http://www.mandriva.com/en/support/security/ Package : php-ZendFramework Date : July 31, 2014 Affected: Business Server 1.0 Problem Description: A vulnerability has been found and corrected in...
[CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]
Advisory Overview Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster Recovery solution, affecting both the client and server software (see the Additional Information section). They include, but are not limited to, reflected XSS, source code/sensitive information disclosure, privilege...
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
presents.. Aerohive Hive Manager and Hive OS Multiple Vulnerabilities Affected Versions: Aerohive Hive Manager Stand-alone and Cloud = 6.1R3 and HiveOS 6.1R3 PDF:...
[USN-2382-1] Requests vulnerabilities
========================================================================== Ubuntu Security Notice USN-2382-1 October 14, 2014 requests vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: ...
Requests library security vulnerabilities
Authentication information leaks are possible...
HP System Management Homepage multiple security vulnerabilities
DoS, XSS, CSRF, clickjacking, unauthorized access, information leakage...
[ MDVSA-2014:162 ] catfish
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mandriva Linux Security Advisory MDVSA-2014:162 http://www.mandriva.com/en/support/security/ Package : catfish Date : September 2, 2014 Affected: Business Server 1.0 Problem Description: Updated catfish package fixes security vulnerability: Untrusted...