IBSng all version Cross-Site Scripting Vulnerability
2011-11-06T00:00:00
ID SECURITYVULNS:DOC:27272 Type securityvulns Reporter Securityvulns Modified 2011-11-06T00:00:00
Description
================= APA-IUTcert =================
Title: IBSng all version Cross-Site Scripting Vulnerability
Vendor: www.parspooyesh.com
Type: Cross-Site Scripting Vulnerability
Fix: N/A
================== nsec.ir =================
Description:
Input passed via the "str" parameter to IBSng/util/show_multistr.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
This bug can be exploited by malicious people with out any privilege access to conduct cross-site scripting attacks.
Credit: Isfahan University of Technology - Computer Emergency Response Team
{"id": "SECURITYVULNS:DOC:27272", "bulletinFamily": "software", "title": "IBSng all version Cross-Site Scripting Vulnerability", "description": "================= APA-IUTcert =================\r\nTitle: IBSng all version Cross-Site Scripting Vulnerability\r\nVendor: www.parspooyesh.com\r\nType: Cross-Site Scripting Vulnerability\r\nFix: N/A\r\n\r\n================== nsec.ir =================\r\nDescription:\r\nInput passed via the "str" parameter to IBSng/util/show_multistr.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.\r\nThis bug can be exploited by malicious people with out any privilege access to conduct cross-site scripting attacks.\r\n\r\nPoC : http://[target]/IBSng/util/show_multistr.php?str=[xss]\r\n\r\nOriginal Advisory : http://nsec.ir/\r\n\r\nCredit: Isfahan University of Technology - Computer Emergency Response Team\r\n", "published": "2011-11-06T00:00:00", "modified": "2011-11-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27272", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:42", "edition": 1, "viewCount": 86, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2018-08-31T11:10:42", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-7273", "CVE-2014-2595", "CVE-2015-9286", "CVE-2008-7272"]}, {"type": "nessus", "idList": ["FEDORA_2018-732F45D43E.NASL", "FEDORA_2018-7F43CBDB69.NASL"]}, {"type": "openbugbounty", "idList": ["OBB:236562"]}, {"type": "zdt", "idList": ["1337DAY-ID-27272"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:32652", "SECURITYVULNS:DOC:32654", "SECURITYVULNS:DOC:32653", "SECURITYVULNS:DOC:32656", "SECURITYVULNS:VULN:14755", "SECURITYVULNS:VULN:14753", "SECURITYVULNS:DOC:32651", "SECURITYVULNS:VULN:14720", "SECURITYVULNS:DOC:32660", "SECURITYVULNS:DOC:32658"]}], "modified": "2018-08-31T11:10:42", "rev": 2}, "vulnersScore": 6.0}, "affectedSoftware": []}
{"cve": [{"lastseen": "2021-02-02T07:37:04", "description": "SOOIL Developments CoLtd DiabecareRS, AnyDana-i, AnyDana-A, The communication protocol of the insulin pump and AnyDana-i,AnyDana-A mobile apps doesn't use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via BLE.", "edition": 3, "cvss3": {"exploitabilityScore": 2.1, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.7, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-01-19T17:15:00", "title": "CVE-2020-27272", "type": "cve", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 5.5, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.9, "vectorString": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27272"], "modified": "2021-01-23T00:40:00", "cpe": [], "id": "CVE-2020-27272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27272", "cvss": {"score": 2.9, "vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:14:28", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:21", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T05:35:21", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:21:32", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "ics": [{"lastseen": "2021-02-27T19:48:24", "bulletinFamily": "info", "cvelist": ["CVE-2020-27256", "CVE-2020-27258", "CVE-2020-27264", "CVE-2020-27266", "CVE-2020-27268", "CVE-2020-27269", "CVE-2020-27270", "CVE-2020-27272", "CVE-2020-27276"], "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 7.6**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** SOOIL Developments Co., Ltd.\n * **Equipment:** Diabecare RS, AnyDana-i and AnyDana-A\n * **Vulnerabilities:** Use of Hard Coded Credentials, Insufficiently Protected Credentials, Use of Insufficiently Random Values, Use of Client-side Authentication, Client-side Enforcement of Server-side Security, Authentication Bypass by Capture-Replay, Unprotected Transport of Credentials, Key Exchange Without Entity Authentication, Authentication Bypass by Spoofing\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to access sensitive information, modify therapy settings, bypass authentication, or crash the device being accessed. These vulnerabilities could affect patient safety.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of Dana Diabecare Insulin Pumps and mobile applications are affected:\n\n * Dana Diabecare RS: All versions prior to 3.0\n * AnyDana-i: All versions prior to 3.0\n * AnyDana-A: All versions prior to 3.0\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [USE OF HARD CODED CREDENTIALS CWE-798](<https://cwe.mitre.org/data/definitions/798.html>)\n\nA hard-coded physician PIN in the physician menu of the insulin pump allows attackers with physical access to change insulin therapy settings.\n\n[CVE-2020-27256](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27256>) has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is ([AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)). \n\n#### 3.2.2 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nAn information disclosure vulnerability in the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows unauthenticated attackers to extract the pump\u2019s keypad lock PIN via Bluetooth Low Energy.\n\n[CVE-2020-27258](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27258>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 3.2.3 [USE OF INSUFFICIENTLY RANDOM VALUES CWE-330](<https://cwe.mitre.org/data/definitions/330.html>)\n\nThe communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications use deterministic keys, which allows unauthenticated, physically proximate attackers to brute-force the keys via Bluetooth Low Energy.\n\n[CVE-2020-27264](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27264>) has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L>)).\n\n#### 3.2.4 [USE OF CLIENT-SIDE AUTHENTICATION CWE-603](<https://cwe.mitre.org/data/definitions/603.html>)\n\nA client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.\n\n[CVE-2020-27266](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27266>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 3.2.5 [CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602](<https://cwe.mitre.org/data/definitions/602.html>)\n\nA client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.\n\n[CVE-2020-27268](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27268>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>)).\n\n#### 3.2.6 [AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294](<https://cwe.mitre.org/data/definitions/294.html>)\n\nThe communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences via Bluetooth Low Energy.\n\n[CVE-2020-27269](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27269>) has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N>)).\n\n#### 3.2.7 [UNPROTECTED TRANSPORT OF CREDENTIALS CWE-523](<https://cwe.mitre.org/data/definitions/523.html>)\n\nThe communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to protect encryption keys in transit, which allows unauthenticated, physically proximate attackers to sniff the keys via Bluetooth Low Energy.\n\n[CVE-2020-27270](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27270>) has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N>)).\n\n#### 3.2.8 [KEY EXCHANGE WITHOUT ENTITY AUTHENTICATION CWE-322](<https://cwe.mitre.org/data/definitions/322.html>)\n\nThe communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to authenticate the pump before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the keys and spoof the pump via Bluetooth Low Energy.\n\n[CVE-2020-27272](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27272>) has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N>)). \n\n#### 3.2.9 [AUTHENTICATION BYPASS BY SPOOFING CWE-290](<https://cwe.mitre.org/data/definitions/290.html>)\n\nThe communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications does not use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy.\n\n[CVE-2020-27276](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27276>) has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED:** Europe, Asia\n * **COMPANY HEADQUARTERS LOCATION:** South Korea\n\n### 3.4 RESEARCHER\n\nJulian Suleder, Birk Kauer, Raphael Pavlidis, and Nils Emmerich of ERNW Research GmbH reported these vulnerabilities to the Federal Office for Information Security (BSI, Germany), in the context of the BSI project ManiMed \u2013 Manipulation of Medical Devices. BSI then provided this report to CISA.\n\n## 4\\. MITIGATIONS\n\nDana Diabecare recommends users update the Dana Diabecare insulin pumps to Version 3.0 or higher, or to the latest available release. Additionally, users are encouraged to immediately update AnyDana-A and AnyDana-i to Version 3.0 or higher. Also, SOOIL recommends users to apply these mitigating strategies:\n\n * In the case a user cannot update the Dana RS pump to the latest version, always operate the pump in Airplane Mode.\n * Users of any versions prior to 3.0 should operate Dana RS insulin pumps in Airplane Mode continuously.\n * Users can obtain partial mitigation of the vulnerabilities by updating the AnyDana application to the latest Version 3.0 or later.\n * Users of the latest version of the application, Version 3.0 or later, can continue to operate the Dana RS insulin pumps with versions installed prior to Version 3.0.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Maintain tight physical control of the pump and devices connected to the pump.\n * Be attentive to pump notifications, alarms, and alerts be aware of anything out of the ordinary.\n * Immediately cancel any unintended boluses (a single dose of insulin administered all at once).\n * Do not connect insulin pump to any third-party devices or use any software not authorized.\n * Get medical help immediately if you suspect any insulin pump settings or the insulin delivery has changed unexpectedly.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01>); we'd welcome your feedback.\n", "modified": "2021-01-12T00:00:00", "published": "2021-01-12T00:00:00", "id": "ICSMA-21-012-01", "href": "https://www.us-cert.gov/ics/advisories/icsma-21-012-01", "type": "ics", "title": "SOOIL Dana Diabecare RS Products", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "rst": [{"lastseen": "2020-07-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **98[.]158.80.0** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **37**.\n First seen: 2020-07-09T03:00:00, Last seen: 2020-07-28T03:00:00.\n IOC tags: **generic**.\nASN 27272: (First IP 98.158.80.0, Last IP 98.158.83.255).\nASN Name \"Q9ASCAL3\" and Organisation \"\".\nASN hosts 361 domains.\nGEO IP information: City \"Calgary\", Country \"Canada\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-07-09T00:00:00", "id": "RST:3A6F1FDF-5E74-3563-BE0B-CC9C7360E8B5", "href": "", "published": "2020-10-06T00:00:00", "title": "RST Threat feed. IOC: 98.158.80.0", "type": "rst", "cvss": {}}], "nessus": [{"lastseen": "2021-01-07T10:18:48", "description": "## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 12, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : php-symfony4 (2018-732f45d43e)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony4", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-732F45D43E.NASL", "href": "https://www.tenable.com/plugins/nessus/120528", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-732f45d43e.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120528);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-732f45d43e\");\n\n script_name(english:\"Fedora 28 : php-symfony4 (2018-732f45d43e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-732f45d43e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony4-4.0.14-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:19:00", "description": "## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-08-15T00:00:00", "title": "Fedora 27 : php-symfony4 (2018-7f43cbdb69)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2018-08-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:php-symfony4"], "id": "FEDORA_2018-7F43CBDB69.NASL", "href": "https://www.tenable.com/plugins/nessus/111712", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-7f43cbdb69.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111712);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-7f43cbdb69\");\n\n script_name(english:\"Fedora 27 : php-symfony4 (2018-7f43cbdb69)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f43cbdb69\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"php-symfony4-4.0.14-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "openbugbounty": [{"lastseen": "2017-10-16T23:42:13", "bulletinFamily": "bugbounty", "cvelist": [], "description": "##### Vulnerable URL:\n \n \n http://nationalparalegal.edu/public_documents/Extracurricular.asp?intCourseId=%27272%27&vchCourseIDName;=%27PLG-102-1004%27%22%27--!%3E%3CScript%20/K/%3Econfirm(`OPENBUGBOUNTY`)%3C/Script%20/K/%3E#\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| No \nLatest check for patch:| 31.07.2017 \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 131016 \nVIP website status:| No \nCheck nationalparalegal.edu SSL connection:| (Grade: C+) \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 13 May, 2017 19:43 GMT \nVulnerability existence verified and confirmed| 15 May, 2017 06:17 GMT \nVulnerability details disclosed by researcher| 22 May, 2017 07:15 GMT\n", "modified": "2017-05-22T07:15:00", "published": "2017-05-13T19:43:00", "href": "https://www.openbugbounty.org/reports/236562/", "id": "OBB:236562", "type": "openbugbounty", "title": "nationalparalegal.edu XSS vulnerability ", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-02-21T15:37:15", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2017-03-09T00:00:00", "type": "zdt", "title": "WordPress Apptha Slider Gallery 1.0 Plugin - Arbitrary File Download Vulnerability", "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-03-09T00:00:00", "href": "https://0day.today/exploit/description/27272", "id": "1337DAY-ID-27272", "sourceData": "# # # # # \r\n# Exploit Title: WordPress Plugin Apptha Slider Gallery v1.0 - Arbitrary File Download\r\n# Google Dork: N/A\r\n# Date: 09.03.2017\r\n# Vendor Homepage: https://www.apptha.com/\r\n# Software: https://www.apptha.com/category/extension/Wordpress/apptha-slider-gallery\r\n# Demo: http://www.apptha.com/demo/apptha-slider-gallery\r\n# Version: 1.0\r\n# Tested on: Win7 x64, Kali Linux x64\r\n# # # # # \r\n# Exploit Author: Ihsan Sencan\r\n# Author Web: http://ihsan.net\r\n# Author Mail : ihsan[@]ihsan[.]net\r\n# # # # #\r\n# SQL Injection/Exploit :\r\n# http://localhost/[PLUGIN_PATH]/asgallDownload.php?imgname=../../../wp-load.php\r\n# Etc..\r\n# # # # #\n\n# 0day.today [2018-02-21] #", "sourceHref": "https://0day.today/exploit/27272", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. (CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4845"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity None (N)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4886"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-028]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4886\r\nCVSS Information\r\nCVSS Base Score: 6.4 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Low (L)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/copxml\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-028-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32653", "title": "[ERPSCAN-15-028] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4851"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
