{"openvas": [{"lastseen": "2017-11-03T10:57:28", "references": ["https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/"], "pluginID": "1361412562310112098", "description": "The web-based authentication of the connected digital video recorder - running on a JAWS/1.0 server - is prone to an authentication bypass vulnerability.\n\n This NVT is already covered by ", "edition": 2, "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-11-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "openvas", "title": "Digital Video Recorder Web Authentication Bypass (JAWS/1.0)", "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": [], "modified": "2017-11-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112098", "id": "OPENVAS:1361412562310112098", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_dvr_jaws_web_auth_bypass.nasl 7627 2017-11-02 09:42:31Z cfischer $\n#\n# Digital Video Recorder Web Authentication Bypass (JAWS/1.0)\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112098\");\n script_version(\"$Revision: 7627 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-11-02 10:42:31 +0100 (Thu, 02 Nov 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-11-01 09:20:33 +0200 (Wed, 01 Nov 2017)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_tag(name: \"qod_type\", value: \"remote_vul\");\n\n script_tag(name: \"solution_type\", value: \"Mitigation\");\n\n script_name(\"Digital Video Recorder Web Authentication Bypass (JAWS/1.0)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"JAWSJAWS/banner\");\n\n script_tag(name: \"summary\", value: \"The web-based authentication of the connected digital video recorder - running on a JAWS/1.0 server - is prone to an authentication bypass vulnerability.\n\n This NVT is already covered by 'Multiple DVR Devices Authentication Bypass And Remote Code Execution Vulnerabilities' (OID: 1.3.6.1.4.1.25623.1.0.111088).\");\n\n script_tag(name: \"vuldetect\", value: \"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name: \"solution\", value: \"It is recommended to completely remove the digital video recorder from the host system\n as it might grant an attacker full access to it.\");\n\n script_xref(name: \"URL\", value: \"https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nurl = '/view2.html';\n\nif (http_vuln_check(port:port, url:url, pattern:'<script type=\"text/javascript\" src=\"js/view2.js\"></script>', check_header:TRUE,\n cookie:'dvr_camcnt=4; dvr_clientport='+port+'; lxc_save=admin%2C; dvr_usr=admin; dvr_pwd=null; iSetAble=1; iPlayBack=1',\n extra_check:make_list('<script type=\"text/javascript\" src=\"js/view2.js\"></script>', 'lxc_lang=\"view_main_stream\"'))) {\n\n report = \"It was possible to bypass the net video client's authentication and get full access to the DVR's admin panel located at \" +\n report_vuln_url(port:port, url:url, url_only:TRUE);\n security_message(port:port, data:report);\n exit(0);\n\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-04T14:33:13", "references": ["https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/"], "pluginID": "1361412562310112099", "description": "The JAWS/1.0 web server is prone to a remote command execution vulnerability.\n\n This NVT is already covered by ", "edition": 3, "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-11-01T00:00:00", "title": "JAWS/1.0 Remote Command Execution Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": [], "modified": "2018-10-04T00:00:00", "id": "OPENVAS:1361412562310112099", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112099", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_jaws_rce_vuln.nasl 11747 2018-10-04 09:58:33Z jschulte $\n#\n# JAWS/1.0 Remote Command Execution Vulnerability\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112099\");\n script_version(\"$Revision: 11747 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-04 11:58:33 +0200 (Thu, 04 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-01 14:00:33 +0200 (Wed, 01 Nov 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_name(\"JAWS/1.0 Remote Command Execution Vulnerability\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n\n script_dependencies(\"gb_get_http_banner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"Host/runs_unixoide\");\n script_mandatory_keys(\"JAWSJAWS/banner\");\n\n script_tag(name:\"summary\", value:\"The JAWS/1.0 web server is prone to a remote command execution vulnerability.\n\n This NVT is already covered by 'Multiple DVR Devices Authentication Bypass And Remote Code Execution Vulnerabilities' (OID: 1.3.6.1.4.1.25623.1.0.111088).\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a crafted HTTP GET request and checks the response.\");\n\n script_tag(name:\"solution\", value:\"It is recommended to completely shut down the vulnerable JAWS web server as an attacker might exploit the whole system.\");\n\n script_xref(name:\"URL\", value:\"https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default:80);\n\nfiles = traversal_files(\"linux\");\n\nforeach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = '/shell?cat%20/' + file;\n\n if (http_vuln_check(port:port, url:url, pattern:pattern, check_header:TRUE)) {\n report = report_vuln_url(port:port, url:url, url_only:TRUE);\n security_message(port:port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-01T23:41:39", "references": ["https://support.apple.com/en-us/HT207423"], "pluginID": "1361412562310810567", "description": "This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.", "edition": 5, "reporter": "Copyright (C) 2017 Greenbone Networks GmbH", "published": "2017-02-22T00:00:00", "title": "Apple Mac OS X Multiple Vulnerabilities-01 February-2017", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mac OS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7628", "CVE-2016-8620", "CVE-2016-8623", "CVE-2016-5420", "CVE-2016-7714", "CVE-2016-7414", "CVE-2016-7647", "CVE-2016-4693", "CVE-2016-7594", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-7606", "CVE-2016-7667", "CVE-2016-8619", "CVE-2016-7620", "CVE-2016-7603", "CVE-2016-7655", "CVE-2016-7761", "CVE-2016-7637", "CVE-2016-7616", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-7622", "CVE-2016-4691", "CVE-2016-7636", "CVE-2016-7661", "CVE-2016-7141", "CVE-2016-7615", "CVE-2016-7629", "CVE-2016-7644", "CVE-2016-7643", "CVE-2016-8617", "CVE-2016-7624", "CVE-2016-1777", "CVE-2016-7413", "CVE-2016-7662", "CVE-2016-7617", "CVE-2016-7663", "CVE-2016-6304", "CVE-2016-7618", "CVE-2016-7619", "CVE-2016-7609", "CVE-2016-7627", "CVE-2016-8622", "CVE-2016-7416", "CVE-2016-7657", "CVE-2016-7602", "CVE-2016-7633", "CVE-2016-7625", "CVE-2016-7660", "CVE-2016-7411", "CVE-2016-8624", "CVE-2016-7417", "CVE-2016-7742", "CVE-2016-7621", "CVE-2016-6303", "CVE-2016-7600", "CVE-2016-7418", "CVE-2016-5421", "CVE-2016-7607", "CVE-2016-7605", "CVE-2016-7591", "CVE-2016-7595", "CVE-2016-7588", "CVE-2016-5419", "CVE-2016-7167", "CVE-2016-7612", "CVE-2016-8621", "CVE-2016-7608", "CVE-2016-7659", "CVE-2016-7412", "CVE-2016-7658"], "modified": "2018-05-23T00:00:00", "id": "OPENVAS:1361412562310810567", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_mult_vuln01_feb17.nasl 9940 2018-05-23 15:46:09Z cfischer $\n#\n# Apple Mac OS X Multiple Vulnerabilities-01 February-2017\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810567\");\n script_version(\"$Revision: 9940 $\");\n script_cve_id(\"CVE-2016-7411\", \"CVE-2016-7412\", \"CVE-2016-7413\", \"CVE-2016-7414\",\n \"CVE-2016-7416\", \"CVE-2016-7417\", \"CVE-2016-7418\", \"CVE-2016-7609\",\n \"CVE-2016-7628\", \"CVE-2016-7658\", \"CVE-2016-7659\", \"CVE-2016-7624\",\n \"CVE-2016-7605\", \"CVE-2016-7617\", \"CVE-2016-7647\", \"CVE-2016-7663\",\n \"CVE-2016-7627\", \"CVE-2016-7655\", \"CVE-2016-7588\", \"CVE-2016-7603\",\n \"CVE-2016-7595\", \"CVE-2016-7667\", \"CVE-2016-5419\", \"CVE-2016-5420\",\n \"CVE-2016-5421\", \"CVE-2016-7141\", \"CVE-2016-7167\", \"CVE-2016-8615\",\n \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\",\n \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\",\n \"CVE-2016-8624\", \"CVE-2016-8625\", \"CVE-2016-7633\", \"CVE-2016-7616\",\n \"CVE-2016-4691\", \"CVE-2016-7618\", \"CVE-2016-7622\", \"CVE-2016-7594\",\n \"CVE-2016-7643\", \"CVE-2016-7602\", \"CVE-2016-7608\", \"CVE-2016-7591\",\n \"CVE-2016-7657\", \"CVE-2016-7625\", \"CVE-2016-7714\", \"CVE-2016-7620\",\n \"CVE-2016-7606\", \"CVE-2016-7612\", \"CVE-2016-7607\", \"CVE-2016-7615\",\n \"CVE-2016-7621\", \"CVE-2016-7637\", \"CVE-2016-7644\", \"CVE-2016-7629\",\n \"CVE-2016-7619\", \"CVE-2016-1777\", \"CVE-2016-7600\", \"CVE-2016-7742\",\n \"CVE-2016-6303\", \"CVE-2016-6304\", \"CVE-2016-7661\", \"CVE-2016-4693\",\n \"CVE-2016-7636\", \"CVE-2016-7662\", \"CVE-2016-7660\", \"CVE-2016-7761\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-05-23 17:46:09 +0200 (Wed, 23 May 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-02-22 17:03:09 +0530 (Wed, 22 Feb 2017)\");\n script_name(\"Apple Mac OS X Multiple Vulnerabilities-01 February-2017\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apple Mac OS X and\n is prone to multiple vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name: \"insight\" , value:\"Multiple flaws exists. For details\n refer the reference links.\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow attacker\n to execute arbitrary code or cause a denial of service (memory corruption),\n gain access to potentially sensitive information, bypass certain protection\n mechanism and have other impacts.\n\n Impact Level: System\");\n\n script_tag(name: \"affected\" , value:\"Apple Mac OS X version 10.12.x through\n 10.12.1\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apple Mac OS X version\n 10.12.2 or later. For updates refer to Reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name : \"URL\" , value : \"https://support.apple.com/en-us/HT207423\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName){\n exit (0);\n}\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer){\n exit(0);\n}\n\nif(\"Mac OS X\" >< osName)\n{\n if(osVer =~ \"^(10\\.12)\" && version_is_less(version:osVer, test_version:\"10.12.2\"))\n {\n report = report_fixed_ver(installed_version:osVer, fixed_version:\"10.12.2\");\n security_message(data:report);\n exit(0);\n }\n}\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2017-05-12T07:45:52", "references": [], "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none.", "edition": 1, "reporter": "NVD", "published": "2017-05-11T10:29:38", "title": "CVE-2014-7627", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2014-7627"], "scanner": [], "cpe": [], "modified": "2017-05-11T10:29:38", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7627", "id": "CVE-2014-7627", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-04-20T21:52:07", "references": ["https://extensions.joomla.org/extension/smart-related-articles/", "https://gist.github.com/anonymous/14576258b0e66bb25ca4b7ca1638e51f"], "edition": 2, "description": "The \"Smart related articles\" extension 1.1 for Joomla! does not prevent direct requests to dialog.php (there is a missing _JEXEC check).", "reporter": "NVD", "published": "2017-04-12T23:59:00", "type": "cve", "title": "CVE-2017-7627", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-7627"], "scanner": [], "cpe": ["cpe:/a:smart_related_articles_project:smart_related_articles:1.1::~~~joomla%21~~"], "modified": "2017-04-20T09:42:02", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7627", "id": "CVE-2017-7627", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-27T10:54:16", "references": ["https://support.apple.com/HT207422", "http://www.securityfocus.com/bid/94905", "https://support.apple.com/HT207423", "https://support.apple.com/HT207487", "http://www.securitytracker.com/id/1037469"], "edition": 2, "description": "An issue was discovered in certain Apple products. iOS before 10.2 is affected. macOS before 10.12.2 is affected. watchOS before 3.1.3 is affected. The issue involves the \"CoreGraphics\" component. It allows attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted font.", "reporter": "NVD", "published": "2017-02-20T03:59:03", "type": "cve", "title": "CVE-2016-7627", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-7627"], "scanner": [], "cpe": ["cpe:/o:apple:watch_os:3.1.1", "cpe:/o:apple:iphone_os:10.1.1", "cpe:/o:apple:mac_os_x:10.12.1"], "modified": "2017-07-26T21:29:03", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7627", "id": "CVE-2016-7627", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:39:54", "references": ["https://support.apple.com/en-us/HT207423", "http://www.nessus.org/u?38dabd46"], "pluginID": "95917", "description": "The remote host is running a version of macOS that is 10.12.x prior to 10.12.2. It is, therefore, affected by multiple vulnerabilities in the following components :\n\n - apache_mod_php\n - AppleGraphicsPowerManagement\n - Assets\n - Audio\n - Bluetooth\n - CoreCapture\n - CoreFoundation\n - CoreGraphics\n - CoreMedia External Displays\n - CoreMedia Playback\n - CoreStorage\n - CoreText\n - curl\n - Directory Services\n - Disk Images\n - FontParser\n - Foundation\n - Grapher\n - ICU\n - ImageIO\n - Intel Graphics Driver\n - IOFireWireFamily\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit\n - IOSurface\n - Kernel\n - kext tools\n - libarchive\n - LibreSSL\n - OpenLDAP\n - OpenPAM\n - OpenSSL\n - Power Management\n - Security\n - syslog\n - WiFi\n - xar\n\nNote that successful exploitation of the most serious issues can result in arbitrary code execution.\n\nFurthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also affect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin does not check those versions.", "edition": 10, "reporter": "Tenable", "published": "2016-12-16T00:00:00", "title": "macOS 10.12.x < 10.12.2 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7628", "CVE-2016-8620", "CVE-2016-8623", "CVE-2016-5420", "CVE-2016-7714", "CVE-2016-7414", "CVE-2016-4693", "CVE-2016-7594", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-7606", "CVE-2016-8619", "CVE-2016-7620", "CVE-2016-7603", "CVE-2016-7655", "CVE-2016-7761", "CVE-2016-7637", "CVE-2016-7616", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-7622", "CVE-2016-4691", "CVE-2016-7636", "CVE-2016-7661", "CVE-2016-7141", "CVE-2016-7615", "CVE-2016-7629", "CVE-2016-7644", "CVE-2016-7643", "CVE-2016-8617", "CVE-2016-7624", "CVE-2016-1777", "CVE-2016-7413", "CVE-2016-7662", "CVE-2016-7617", "CVE-2016-7663", "CVE-2016-4688", "CVE-2016-6304", "CVE-2016-7618", "CVE-2016-7619", "CVE-2016-7609", "CVE-2016-7627", "CVE-2016-8622", "CVE-2016-7416", "CVE-2016-7657", "CVE-2016-1823", "CVE-2016-7602", "CVE-2016-7633", "CVE-2016-7625", "CVE-2016-7604", "CVE-2016-7660", "CVE-2016-7411", "CVE-2016-8624", "CVE-2016-7417", "CVE-2016-7742", "CVE-2016-7621", "CVE-2016-6303", "CVE-2016-7600", "CVE-2016-7418", "CVE-2016-5421", "CVE-2016-7596", "CVE-2016-7607", "CVE-2016-7605", "CVE-2016-7591", "CVE-2016-7595", "CVE-2016-7588", "CVE-2016-5419", "CVE-2016-7167", "CVE-2016-7612", "CVE-2016-8621", "CVE-2016-7608", "CVE-2016-7659", "CVE-2016-7412", "CVE-2016-7658"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:macos"], "id": "MACOS_10_12_2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=95917", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95917);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/14 1:59:37\");\n\n script_cve_id(\n \"CVE-2016-1777\",\n \"CVE-2016-1823\",\n \"CVE-2016-4688\",\n \"CVE-2016-4691\",\n \"CVE-2016-4693\",\n \"CVE-2016-5419\",\n \"CVE-2016-5420\",\n \"CVE-2016-5421\",\n \"CVE-2016-6303\",\n \"CVE-2016-6304\",\n \"CVE-2016-7141\",\n \"CVE-2016-7167\",\n \"CVE-2016-7411\",\n \"CVE-2016-7412\",\n \"CVE-2016-7413\",\n \"CVE-2016-7414\",\n \"CVE-2016-7416\",\n \"CVE-2016-7417\",\n \"CVE-2016-7418\",\n \"CVE-2016-7588\",\n \"CVE-2016-7591\",\n \"CVE-2016-7594\",\n \"CVE-2016-7595\",\n \"CVE-2016-7596\",\n \"CVE-2016-7600\",\n \"CVE-2016-7602\",\n \"CVE-2016-7603\",\n \"CVE-2016-7604\",\n \"CVE-2016-7605\",\n \"CVE-2016-7606\",\n \"CVE-2016-7607\",\n \"CVE-2016-7608\",\n \"CVE-2016-7609\",\n \"CVE-2016-7612\",\n \"CVE-2016-7615\",\n \"CVE-2016-7616\",\n \"CVE-2016-7617\",\n \"CVE-2016-7618\",\n \"CVE-2016-7619\",\n \"CVE-2016-7620\",\n \"CVE-2016-7621\",\n \"CVE-2016-7622\",\n \"CVE-2016-7624\",\n \"CVE-2016-7625\",\n \"CVE-2016-7627\",\n \"CVE-2016-7628\",\n \"CVE-2016-7629\",\n \"CVE-2016-7633\",\n \"CVE-2016-7636\",\n \"CVE-2016-7637\",\n \"CVE-2016-7643\",\n \"CVE-2016-7644\",\n \"CVE-2016-7655\",\n \"CVE-2016-7657\",\n \"CVE-2016-7658\",\n \"CVE-2016-7659\",\n \"CVE-2016-7660\",\n \"CVE-2016-7661\",\n \"CVE-2016-7662\",\n \"CVE-2016-7663\",\n \"CVE-2016-7714\",\n \"CVE-2016-7742\",\n \"CVE-2016-7761\",\n \"CVE-2016-8615\",\n \"CVE-2016-8616\",\n \"CVE-2016-8617\",\n \"CVE-2016-8618\",\n \"CVE-2016-8619\",\n \"CVE-2016-8620\",\n \"CVE-2016-8621\",\n \"CVE-2016-8622\",\n \"CVE-2016-8623\",\n \"CVE-2016-8624\",\n \"CVE-2016-8625\"\n );\n script_bugtraq_id(\n 85054,\n 90698,\n 92292,\n 92306,\n 92309,\n 92754,\n 92975,\n 92984,\n 93004,\n 93005,\n 93006,\n 93007,\n 93008,\n 93009,\n 93011,\n 93150,\n 94094,\n 94096,\n 94097,\n 94098,\n 94100,\n 94101,\n 94102,\n 94103,\n 94105,\n 94106,\n 94107,\n 94572,\n 94903,\n 94904,\n 94905,\n 94906\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-12-13-1\");\n\n script_name(english:\"macOS 10.12.x < 10.12.2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of macOS that is 10.12.x prior to\n10.12.2. It is, therefore, affected by multiple vulnerabilities in the\nfollowing components :\n\n - apache_mod_php\n - AppleGraphicsPowerManagement\n - Assets\n - Audio\n - Bluetooth\n - CoreCapture\n - CoreFoundation\n - CoreGraphics\n - CoreMedia External Displays\n - CoreMedia Playback\n - CoreStorage\n - CoreText\n - curl\n - Directory Services\n - Disk Images\n - FontParser\n - Foundation\n - Grapher\n - ICU\n - ImageIO\n - Intel Graphics Driver\n - IOFireWireFamily\n - IOAcceleratorFamily\n - IOHIDFamily\n - IOKit\n - IOSurface\n - Kernel\n - kext tools\n - libarchive\n - LibreSSL\n - OpenLDAP\n - OpenPAM\n - OpenSSL\n - Power Management\n - Security\n - syslog\n - WiFi\n - xar\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\n\nFurthermore, CVE-2016-6304, CVE-2016-7596, and CVE-2016-7604 also\naffect Mac OS X versions 10.10.5 and 10.11.6. However, this plugin\ndoes not check those versions.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207423\");\n # http://lists.apple.com/archives/security-announce/2016/Dec/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?38dabd46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.12.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\napp_info = vcf::apple::get_macos_info();\n\nvcf::apple::check_macos_restrictions(restrictions:['10.12']);\n\nconstraints = [{ \"fixed_version\" : \"10.12.2\" }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:06:54", "references": ["https://security.gentoo.org/glsa/201511-02"], "pluginID": "86908", "description": "The remote host is affected by the vulnerability described in GLSA-201511-02 (Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions.\n Workaround :\n\n There is no known workaround at this time.", "edition": 4, "reporter": "Tenable", "published": "2015-11-18T00:00:00", "title": "GLSA-201511-02 : Adobe Flash Player: Multiple vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7660", "CVE-2015-7663", "CVE-2015-7654", "CVE-2015-8042", "CVE-2015-7658", "CVE-2015-8043", "CVE-2015-7634", "CVE-2015-7625", "CVE-2015-7661", "CVE-2015-7651", "CVE-2015-7652", "CVE-2015-5569", "CVE-2015-7627", "CVE-2015-7633", "CVE-2015-7630", "CVE-2015-7629", "CVE-2015-7647", "CVE-2015-7656", "CVE-2015-7657", "CVE-2015-7653", "CVE-2015-7626", "CVE-2015-7655", "CVE-2015-8046", "CVE-2015-7648", "CVE-2015-7646", "CVE-2015-7643", "CVE-2015-7628", "CVE-2015-7645", "CVE-2015-7632", "CVE-2015-8044", "CVE-2015-7631", "CVE-2015-7644", "CVE-2015-7659", "CVE-2015-7662"], "modified": "2015-12-12T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:adobe-flash"], "id": "GENTOO_GLSA-201511-02.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86908", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201511-02.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86908);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2015/12/12 18:38:05 $\");\n\n script_cve_id(\"CVE-2015-5569\", \"CVE-2015-7625\", \"CVE-2015-7626\", \"CVE-2015-7627\", \"CVE-2015-7628\", \"CVE-2015-7629\", \"CVE-2015-7630\", \"CVE-2015-7631\", \"CVE-2015-7632\", \"CVE-2015-7633\", \"CVE-2015-7634\", \"CVE-2015-7643\", \"CVE-2015-7644\", \"CVE-2015-7645\", \"CVE-2015-7646\", \"CVE-2015-7647\", \"CVE-2015-7648\", \"CVE-2015-7651\", \"CVE-2015-7652\", \"CVE-2015-7653\", \"CVE-2015-7654\", \"CVE-2015-7655\", \"CVE-2015-7656\", \"CVE-2015-7657\", \"CVE-2015-7658\", \"CVE-2015-7659\", \"CVE-2015-7660\", \"CVE-2015-7661\", \"CVE-2015-7662\", \"CVE-2015-7663\", \"CVE-2015-8042\", \"CVE-2015-8043\", \"CVE-2015-8044\", \"CVE-2015-8046\");\n script_xref(name:\"GLSA\", value:\"201511-02\");\n\n script_name(english:\"GLSA-201511-02 : Adobe Flash Player: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201511-02\n(Adobe Flash Player: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Flash Player.\n Please review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, obtain\n sensitive information, or bypass security restrictions.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201511-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Flash Player users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-11.2.202.548'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adobe-flash\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-plugins/adobe-flash\", unaffected:make_list(\"ge 11.2.202.548\"), vulnerable:make_list(\"lt 11.2.202.548\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Flash Player\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openbugbounty": [{"lastseen": "2018-08-15T22:34:47", "_object_types": ["robots.models.base.Bulletin", "robots.models.openbugbounty.OpenbugbountyBulletin"], "references": [], "openbugbounty": {"mirror": "http://153241.openbounty.org/mirror/", "patchStatus": "patched"}, "description": "##### Open Bug Bounty ID: OBB-153241\n\nDescription| Value \n---|--- \nAffected Website:| unl.edu \nOpen Bug Bounty Program:| Create your bounty program now. It's open and free. \nVulnerable Application:| Custom Code \nVulnerability Type:| XSS (Cross Site Scripting) / CWE-79 \nCVSSv3 Score:| 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N] \nRemediation Guide:| OWASP XSS Prevention Cheat Sheet \n \n##### Vulnerable URL:\n \n \n http://www.unl.edu:8080/wdn/templates_4.1/scripts/compressed/plugins/mediaelement/flashmediaelement.swf?jsinitfunctio%gn=alert`OPENBUGBOUNTY`\n \n\n##### Coordinated Disclosure Timeline\n\nDescription| Value \n---|--- \nVulnerability Reported:| 15 May, 2016 05:28 GMT \nVulnerability Verified:| 16 May, 2016 10:53 GMT \nWebsite Operator Notified:| 16 May, 2016 10:53 GMT \nPublic Report Published[without any technical details]:| 16 May, 2016 10:53 GMT \nVulnerability Fixed:| 15 February, 2017 16:57 GMT \nPublic Disclosure: A security researcher can delete the report before public disclosure, afterwards the report cannot be deleted or modified anymore. The researcher can also postpone public disclosure date as long as reasonably required to remediate the vulnerability.| 14 June, 2016 05:28 GMT\n", "reporter": "Spam404", "published": "2016-05-15T05:28:00", "type": "openbugbounty", "title": "unl.edu XSS vulnerability ", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "bugbounty", "cvelist": [], "_object_type": "robots.models.openbugbounty.OpenbugbountyBulletin", "modified": "2016-06-14T05:28:00", "id": "OBB:153241", "href": "https://www.openbugbounty.org/reports/153241/", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-11-03T10:24:28", "references": [], "edition": 1, "description": "", "reporter": "Sven Freund", "published": "2016-03-24T00:00:00", "type": "packetstorm", "title": "innovaphone IP222 UDP Denial Of Service", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/136422/innovaphone-IP222-UDP-Denial-Of-Service.html", "id": "PACKETSTORM:136422", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2016-016 \nProduct: innovaphone IP222 \nManufacturer: innovaphone AG \nAffected Version(s): 11r2 sr9 \nTested Version(s): 11r2 sr9 \nVulnerability Type: Improper Input Validation (CWE-20) \nRisk Level: High \nSolution Status: Fixed \nManufacturer Notification: 2016-03-04 \nSolution Date: Unknown \nPublic Disclosure: 2016-03-24 \nCVE Reference: Not yet assigned \nAuthor of Advisory: Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe innovaphone IP222 is a Voice over IP telephone solution, which \nprovides many communication functionalities, for instance, announcement \nfunction, password protected administration via web browser (HTTPS), \nmultiple registration up to six users at the same time and many other \nfeatures. \n \nThe manufacturer innovaphone AG describes the product as follows \n(see [1]): \n \n\"The IP222 telephone unites a very modern design with groundbreaking \ntechnological details. It belongs to the innovaphone product family that \nwon the popular 'red dot award: product design'.\" \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe innovaphone IP222 offers different protocols, like H.323 or SIP, to \nfulfil the various requirements. The discovered vulnerability was found \nin the protocol SIP/UDP. Therefore a specially crafted SIP request to \nthe open 5060/UDP port causes a denial of service condition by crashing \nthe innovaphone IP222 phone immediately. Remote code execution via this \nsecurity vulnerability may also be possible, but was not confirmed by \nthe SySS GmbH. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe SySS GmbH developed a proof-of-concept software tool for crashing \nthe innovaphone IP222 with a specially crafted SIP request by causing a \nbuffer overflow. \n \nsip = (method +\" sip:105@\" + server + \" SIP/2.0\\r\\n\" \n\"To: <sip:\" + server + \":5060>\\r\\n\" \n\"Via: SIP/2.0/UDP \" + <ATTACK> + \" xxx;x:5060;branch=z9hG4bK00003510 \n00001\\r\\n\" \n\"From: \\x22xtestsip\\x22<sip:\" + server + \"@dude>\\r\\n\" \n\"Call-ID: 1@dude\\r\\n\" \n\"CSeq: 1 \" + method + \"\\r\\n\" \n\"Content-Length: 0\\r\\n\\r\\n\") \n \nThe variable <ATTACK> must be replaced by a string which contains at \nleast 3878 characters. After transmitting this SIP request to the \ninnovaphone IP222, the VoIP phone will crash and restart immediately. \nRemote code execution via this security vulnerability may also be \npossible, but was not confirmed by the SySS GmbH. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the innovaphone AG, the described security \nissue has been fixed in software version v12r1 / v11r2sr11 / v10sr32. \n \nPlease contact the manufacturer for further information or support. \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2016-03-04: Vulnerability reported to manufacturer \n2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory \nand described the security issue as fixed \n2016-03-24: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for innovaphone IP222 \nhttps://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html \n[2] SySS Security Advisory SYSS-2016-016 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-016.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Sven Freund of the SySS GmbH. \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1 \n \niQEcBAEBCgAGBQJW86Z+AAoJEIpfqFNBXUbc2K8IAKmkXeBy3Bjv9bsm2wV3k+dv \n+P3ZkUKnPL3cLq35oQMfBZnrkDsE5w45bVPtnhILfi+XrXIm19ntCVZpVt1q5jLH \nXTxARgETAhUwTvPsoqEbLqUoqrbqIUGQd9lxca8aMX1RdAUdx7WuVHunjpgFxpIv \nmccHTebYgGzE3aWuBFhnm2+RYK7kWIZf/X/F20ohk6kUfOA8HMAj4tSn9wxuR8Gv \n2dCcONVlOzMZAucaQ/2LJhTHxwP52hbpFPNsZFXy5yKg7UtVIQ2fUohZgqSGWtsJ \n1BZAIET+PYGkWxGxHj/a+Apl5kPOO/7Nu272FuZKr0gZcKZaqgwK1RcH/LJg5Go= \n=g9z7 \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/136422/SYSS-2016-016.txt"}, {"lastseen": "2016-11-03T10:21:36", "references": [], "edition": 1, "description": "", "reporter": "Sven Freund", "published": "2016-03-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "packetstorm", "title": "innovaphone IP222 11r2 sr9 Download Denial Of Service", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/136423/innovaphone-IP222-11r2-sr9-Download-Denial-Of-Service.html", "id": "PACKETSTORM:136423", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2016-017 \nProduct: innovaphone IP222 \nManufacturer: innovaphone AG \nAffected Version(s): 11r2 sr9 \nTested Version(s): 11r2 sr9 \nVulnerability Type: Improper Input Validation (CWE-20) \nRisk Level: High \nSolution Status: Fixed \nManufacturer Notification: 2016-03-04 \nSolution Date: Unknown \nPublic Disclosure: 2016-03-24 \nCVE Reference: Not yet assigned \nAuthor of Advisory: Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe innovaphone IP222 is a Voice over IP telephone solution, which \nprovides many communication functionalities, for instance, announcement \nfunction, password protected administration via web browser (HTTPS), \nmultiple registration up to six users at the same time and many other \nfeatures. \n \nThe manufacturer innovaphone AG describes the product as follows \n(see [1]): \n \n\"The IP222 telephone unites a very modern design with groundbreaking \ntechnological details. It belongs to the innovaphone product family that \nwon the popular 'red dot award: product design'.\" \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nAt startup the innovaphone IP222 sends an HTTP request for a special \nPNG file to the involved server system. After the download has finished, \nthe image is displayed on the phone by selecting the receiver screen in \nthe menu. Providing a large image file (6.9 MB) within the download \nprocess and selecting the receiver screen on the phone will lead to a \ncrash of the application and cause a denial of service condition. Remote \ncode execution via this security vulnerability may also be possible, but \nwas not confirmed by the SySS GmbH. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe innovaphone IP222 sends the following HTTP request to the server \nsystem during startup. \n \nGET /mypbx_logo.png HTTP/1.1 \nUser-Agent: innovaphone-IP222/113392 \nHost: 192.168.5.27 \n \nIf the server system answers this request with a large PNG file, \nthe innovaphone IP222 will crash and restart when selecting the receiver \nscreen in the menu. Remote code execution via this security \nvulnerability may also be possible, but was not confirmed by the \nSySS GmbH. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the innovaphone AG, the described security \nissue has been fixed in software version v12r1 / v11r2sr12. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2016-03-04: Vulnerability reported to manufacturer \n2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory \nand described the security issue as fixed \n2016-03-24: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for innovaphone IP222 \nhttps://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html \n[2] SySS Security Advisory SYSS-2016-017 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-017.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Sven Freund of the SySS GmbH. \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1 \n \niQEcBAEBCgAGBQJW86afAAoJEIpfqFNBXUbcnmQH/A++TsYSIHOB81z+j/YmNnBZ \nyyhAw3q2zvcFcg4jfH2Z2bCspaBzYNbwT3SmN3eesE3kd0z/wm9pFvRDDAns1W3b \nciYdK4289waDfDUlniw8usc5UjbGPdwKPVRwzFFckMEJC58PUWZ/XEs5X6oBZNwf \n9rKTMIjCJyxOE+7mv7R8jD7E52iGM+dlqS296WDZJvzLCjCBA9ORMRZhFAA8ywdq \nhSilfN30ouXyI0eSEn7TmyjZsip9ED9ixmmxEyPrM4noA30YGV3tRJ4aznAve7B9 \nwxFBdD119ag/3NyHAmm970jVo58oQwOuQWFtEZvuhEPklRIpgz+gencfR6FMCTA= \n=0xAE \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136423/SYSS-2016-017.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:18:10", "references": [], "edition": 1, "description": "", "reporter": "Sven Freund", "published": "2016-03-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "innovaphone IP222 11r2 sr9 Brute Force", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-24T00:00:00", "href": "https://packetstormsecurity.com/files/136424/innovaphone-IP222-11r2-sr9-Brute-Force.html", "id": "PACKETSTORM:136424", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2016-018 \nProduct: innovaphone IP222 \nManufacturer: innovaphone AG \nAffected Version(s): 11r2 sr9 \nTested Version(s): 11r2 sr9 \nVulnerability Type: Improper Restriction of Excessive Authentication \nAttempts (CWE-307) \nRisk Level: Medium \nSolution Status: Fixed \nManufacturer Notification: 2016-03-04 \nSolution Date: Unknown \nPublic Disclosure: 2016-03-24 \nCVE Reference: Not yet assigned \nAuthor of Advisory: Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe innovaphone IP222 is a Voice over IP telephone solution, which \nprovides many communication functionalities, for instance, announcement \nfunction, password protected administration via web browser (HTTPS), \nmultiple registration up to six users at the same time and many other \nfeatures. \n \nThe manufacturer innovaphone AG describes the product as follows \n(see [1]): \n \n\"The IP222 telephone unites a very modern design with groundbreaking \ntechnological details. It belongs to the innovaphone product family that \nwon the popular 'red dot award: product design'.\" \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe innovaphone IP222 provides a password protected administration \ninterface, which can be accessed via a web browser. Although the basic \nauthentication was disabled and instead the digest authentication is \nused, it is still possible to perform brute-force attacks against the \npassword authentication process. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe innovaphone IP222 provides a password protected administration \ninterface, which could be accessed via a web browser, but possesses no \ncountermeasures against brute-force attacks. Therefore, it is possible \nto perform brute-force attacks with common tools like Nmap or Hydra: \n \nnmap -p80 --min-rate=200 --script http-brute --script-args http-brute. \npath=\"CMD0/mod_cmd.xml\" 192.168.5.23 -d \n \n(...) \n \nOverall sending rates: 1042.75 packets / s. \nNSE: Script scanning 192.168.5.23. \nNSE: Starting runlevel 1 (of 1) scan. \nNSE: Starting http-brute against 192.168.5.23:80. \nInitiating NSE at 16:24 \nNSE: Discovered account: test:test - Valid credentials \n \nDue to the current configuration settings, the sending rate for a web \nbased brute-force attack is almost 1042.75 packets per second. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the innovaphone AG, the described security \nissue has been addressed by the following workaround: \n \nhttp://wiki.innovaphone.com/index.php?title=Course12:Advanced_-_Reverse_Proxy#No-Nos \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2016-03-04: Vulnerability reported to manufacturer \n2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory \nand described the security issue as fixed \n2016-03-24: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for innovaphone IP222 \nhttps://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html \n[2] SySS Security Advisory SYSS-2016-018 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-018.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Sven Freund of the SySS GmbH. \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1 \n \niQEcBAEBCgAGBQJW86aoAAoJEIpfqFNBXUbcuDAH+wXRZ+mazbOMzHzA/jBeYh/I \nmdEFToeqRzPiY9bRNBDuo0TpMjQ/YCIIhK3G8nJdysGAIYlaVIGnuEwB63fQ8D8y \nFHSH1bopEAtEgWEGNBP7sGWpF4RvVfHV+YyKBGNAehs1L1UuNreaoIYlzKVKpaQP \noHsDFEatR6jfhsZtkQ3dz7WjAyUrWRl6RCX9m2aK5mijtbOcWBoVKqMX0j7t/uxk \nmgKhoELjmosQGMjLzPNBiCEdVzMGZbtX5/D+aQ7ectkoiCRg3cwg/99z1loPYTrn \nIcWNCGNI3natcUuKihbILpLtRq6FyCLzybVm2mRiHHtS6C6sfkWsRJlYTd/QOew= \n=wgkw \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136424/SYSS-2016-018.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:25:02", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "packetstorm", "title": "perfact::mpa Insecure Direct Object Reference", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136012/perfact-mpa-Insecure-Direct-Object-Reference.html", "id": "PACKETSTORM:136012", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-067 \nProduct: perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Insecure Direct Object References (CWE-932) \nRisk Level: High \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to improper authorization checks, unauthorized users can download \narbitrary files that have been uploaded previously. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nSySS GmbH found out that unauthorized users are able to download \narbitrary files of other users that have been uploaded via the file \nupload functionality. \n \nAs the file names of uploaded files are incremental integer values, it \nis possible to enumerate and download all uploaded files without any \nauthorization. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nUploaded files can be download without authorization using the following \nURL, where the file ID is an incremental integer value. \n \nhttps://<HOST>/<PATH>/file/<FILE ID>/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-067 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-067.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/ACAAoJENmkv2o0rU2rkN4P/1GjC/HikaWUsN2n+5DkYaWy \nIx9WGPCGGDXtdTjN+Ojgof1Sb1iELrVXi0eeeGfi5szUCY4ypIXhPAU7kvtivb8P \nUx81PPUxfkSAJ5rKC5iEqWwe1AtRhsTS8RhTsN5DBwko7V3JYEtLnrhSl+unQ7Wu \nnd6a1gCe6a0UFKHtky6hCTA7Xc7e9qooXSlgwCDq2m1I6iQxHw9XYfa6bKqsDOU4 \nTtzP+qUgckQ3323OFuFtbaW0FVRb9syY10H1qaeHwetRc/XDzMk6KLfXDyLcTr0F \ncBHTWBbm7sgFLB1Q5hAtyTjiR7ckZYDmLs49sEGXYTozMClT6xtxE53VLlNwWL+u \n7phNuhz8gftkmWwre/izXFpx77juOFVkNVhenVofWgc5p7ixqbcyVM5oFMbC8SsA \nrUtGoPRrbBZiFqTI1wHoLCnktEjo83j0HMpIvMTlg21FO4IHzIyCmIH2RCmaFf0k \n9AtnUvNzqexI4TRI0mqhbXGyT+7NriHuCcNpNZRvruOLcSLo0kiWP3s4Box8ZXPA \nvnE1eRQ8p3aqqZdnfS19Ewz+tVQo70ERyAbFAjCmtvkig3fQBOJjr0ycAaleahbS \nlCKrUHZTDk8cdWVVCaKKDXOrypkKr+jed2TTuYLP5YmHWP6bal4DxrAsdrru6jFC \nYTERsGqN6LMUCQDkRiSf \n=lQuh \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136012/SYSS-2015-067.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:24:16", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "packetstorm", "title": "perfact::mpa Insecure Direct Object Reference", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136016/perfact-mpa-Insecure-Direct-Object-Reference.html", "id": "PACKETSTORM:136016", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-072 \nProduct(s): perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Insecure Direct Object References (CWE-932) \nRisk Level: Medium \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to improper authorization checks, different web application \nresources can be directly accessed. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe SySS GmbH found out that different resources of the web application \nperfact::mpa can be directly accessed by the correct URL due to improper \nuser authorization checks. That is, unauthorized users can access \ndifferent functions of the perfact::mpa web application. \n \nWith unauthorized access to many web application resources, an attacker \ncan put the integrity of the web application database at risk by \ntriggering functions or possibly find security vulnerabilities in the \nextended attack surface. For instance, within the test period the SySS \nGmbH could identify several OS command injection vulnerabilities in web \napplication functions that could be accessed by unauthorized users \n(see security advisory SYSS-2015-065). \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nSome examples of accessible web application resources that are not \ndirectly accessibly via the offered navigation menus of restricted \nusers are: \n \n* https://<HOST>/<PATH>/logic_d/method_listing \n* https://<HOST>/<PATH>/printer_d/method_listing \n* https://<HOST>/<PATH>/SOAP_WS/load_service \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-072 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-072.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/AKAAoJENmkv2o0rU2r9x4P/12EapQ3vvrXRj7P5UEev2YY \nPtb4U7uOj9+Ob1KGuGqVDR1aARth0kl06BrpzeuU9VS8xymx5VWtT+l4iTjdVyQG \nAdY7Dn7u8seeSmVnZL1Fb5HYypo23e/losoNzwbbdR0Ajb5nakCeKjo4jqQFm6Cu \npQOiXLiQHJtym16MB9YTdz69kbV74aJOCRwl0PVDFU5kMgQwJ3H29FtaKbdHVRin \nt2Ps+U8Typ7gqsWVBQ/UWRgFio1xIeu/r0sLeBDDPOen2zNKRrUUzEzWErH0soH4 \n0z2JzpLEzmiow0b0nMCvq/kI14vzVfjDMB66U3UBwTJPN0Ypvg01KzK6zwkLChz6 \ngxESa7oAQ2VobsS4pSVc8lv1QVrkj2T1L7NljUTpqCECBBQscrudGlzQB3CgGPuE \nH0+bCtbJkXU3inV49S/ulVIzUA/4V2C4Xxn+pwb/2xochonsJ81NL9YOB2sE4I7Z \ngG0usf3T3ArMvLVJCD2b0oyjS6BmTTo4JXFEEg+NglBjw8Y+f6ptr5fN6qYYsiVW \nmzod+PHJJO+GloirTJcpPkhtkzwwAepSPM044g0CUPUhXVpKaOMBCdb+ovNq4SV/ \nktKLr3nhuCa2IWjBOIjo7lpokSsEwblrF7h2weLe4mXKxes0oWtXdWOySoy7Z65p \n1UJG4a/0+KbaOhyuaZQk \n=5LZ8 \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136016/SYSS-2015-072.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:25:56", "references": [], "description": "", "edition": 1, "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "perfact::mpa Cross Site Request Forgery", "type": "packetstorm", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "id": "PACKETSTORM:136013", "href": "https://packetstormsecurity.com/files/136013/perfact-mpa-Cross-Site-Request-Forgery.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-071 \nProduct(s): perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Cross-Site Request Forgery (CWE-352) \nRisk Level: Medium \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to missing protection mechanisms, the web application perfact::mpa \nis vulnerable to cross-site request forgery (CSRF) attacks. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe tested web application perfact::mpa offers no protection against \ncross-site request forgery (CSRF) attacks. This kind of attack forces \nend users respectively their web browsers to perform unwanted actions \nin a web application context in which they are currently authenticated. \n \nCSRF attacks specifically target state-changing requests, for example in \norder to enable or disable a feature, and not data theft, as an attacker \nusually has no possibility to see the response of the forged request. \n \nIn general, CSRF attacks are conducted with the help of the victim, for \nexample by a user visiting an attacker-controlled URL sent by e-mail in \nits web browser. Often, cross-site request forgery attacks make use of \ncross-site scripting attacks, but this is not mandatory. \n \nCSRF attacks can also be performed against a web application if a victim \nis only visiting an attacker-controlled web server. In this case, the \nattacker-controlled web server is used to generate a specially crafted \nHTTP request in the context of the user's web browser which is then sent \nto the vulnerable target web application. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe SySS GmbH could successfully demonstrate a CSRF attack against the \nperfact::mpa web application by using the found persistent cross-site \nscripting vulnerability in the file upload functionality (see \nsecurity advisory SYSS-2015-066). \n \nThe following JavaScript attack vector was used which was automatically \nexecuted when the uploaded attacker-controlled HTML file was opened by a \nvictim. \n \n<script>location.href=\"https://<HOST>/<PATH>/MPA2/External/ExtAdmin/db_edit_action \n?layout_tabnum=&id=&selector_copy_from=&do_delete=&delete_next_id=&do_save=Speichern \n&name=<NAME>&random_password=<PASSWORD>&password=<PASSWORD>&password_repeat=<PASSWORD> \n&fullname=<FULL_NAME>&email=<EMAIL>&phone=&passwordexpires= \n&passwordexpires_date=&passwordexpires_time=&disabled%3Adefault=\";</script> \n \nIf this attack vector was executed in the context of a perfact::mpa \nsystem administrator, a new external administrator with the defined \naccount data would be created. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-071 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-071.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/ASAAoJENmkv2o0rU2rkh8P/RVnz8RKPTTCTFhyLQDbLde7 \nWi5K/34T2JffZKEspK4nz5UcXp5nYNdA5myvCFgVfkZDwCjO61RtOJDFZaJpunMK \nAIbzMdR33hretpoZgdxOuD18pFIBbxOcTT7BlL+DgcTGqZNzXKMuQvgmwkyS8nU5 \n7mg7DTKFX4w1r+t1G2XmVU9uSVk5PFVeKkaZLcVue9L+3JUTuLe9foG4teO23Sw3 \ntXbJ201VWmavZfVJMKX4qku8X0PxQj0BJ7gp9oGIpnHis/MeJqBVeqGJVnqMqJe1 \nlWoi0nmOZNFf1ty57rQ/DgHqfpOO2N8rfoQpXzYx5aXU3pFoPhlL/k187EiuhAmU \nyO9T9dlYq1iprMcNyeNj2JppsHRkFgCBEzKdpqWPxXDS5kXveIlsiAFSUR1uiouS \npe+8OXRaj/ErsaBywMjLUBHJwaVr2fRm21aFv4ie9BuGeA8CR9QTO3E0y+Nvu7Av \nhVQjFm0Jga3npOnq3gy2l2UjwMql/ehIYE177LfYl9hK5Uhtl5sRhdAYCkDcINhc \nIH+c63uwKBDFRWyqTMB2DG5iIe8ZmuRivUnhaGqJy0vvulIu8FdwZg8DTN6eDjZL \nMjth9vK//cwE2wDlQ6Wr5JarO5ZOidjSkvYzPJUriqneHz0gUH+zWgQA9/Zv7xc3 \nyIW9LXJi5atDQXz2P51c \n=jjvR \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136013/SYSS-2015-071.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:27:31", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "type": "packetstorm", "title": "perfact::mpa Open Redirect", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136015/perfact-mpa-Open-Redirect.html", "id": "PACKETSTORM:136015", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-073 \nProduct(s): perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: URL Redirection to Untrusted Site (CWE-601) \nRisk Level: Low \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nThe web application perfact::mpa uses attacker-controlled input to \nredirect a user to another site (open redirect). \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe SySS GmbH found out that the web application perfact:mpa accepts \nuser-controlled input via the URL parameter \"redir\" that can be used to \nredirect victims to an arbitrary site which simplifies so-called \nphishing attacks. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe following URL redirects a user to the web site of the SySS GmbH: \n \nhttps://<HOST>/<PATH>/MPA2/i18n_lang_id?lang_id=1&redir=https://www.syss.de \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-073 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-073.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/AUAAoJENmkv2o0rU2rDrIP/j3TIOlTm5kG+NYvD0VIfMy6 \nqwkMjJv9zqRBtm3Xd2rMs25N9NQqg5/YhTsrs0nkGsSbX+Iy8TrkGRm6dOgUlS/F \nu3ZQmGq2jUXmlGkmfkSg7HNn7Cv3mBhTjmt2v1DxngL7fo71oph0e3vhsDI/TEx3 \nwcTZrjcz7ovOxS1GQpm1Q89FCphxpUy+Di0RDIbKVe77zhpWSBllq132cGNrFhIS \nyWmQlCtiUCMggca73p6L3Bzs1RztpyN2ixnR27KqOi+M6NfnBWmCiUoTdfjekOrF \nlevCy0ZMvRbZo3bwKz+wBgxaB71fd2j7SbUX/GWTAbX9mpghytwV/CpjIzgdoSmJ \ni+IWTKyZ/3+2i8kx6ykvb/syr8Qfjpcjp+fETzPkZuN2c2A8j/amdfXFdMOCmgDe \najnYC7BkTHAY1vH5XqPnV9ngZZF3BRRDfi9DmbmGbDJTM3yXjCNaHPnHbHMATdxw \nNZqLydKWEmH+in5U8V5dgzYtnJEMxqFLEsmRky6I/mze/qTfXl3DEdRP7oOEhkMF \nwnu+JPFJD7SDV0qkFvxM8Glo5DKXPIMPColZDYBi7OeOpBK0RA7F19xRCFmmcuP9 \nJ2SKf8N+VKTXYnxbUdcW6VwJ2hM0/b/+LLfc4EaAFD8EN46Ls2uXhgyeQjZzN/TA \nidv5YOP60cFc3xB2FWuV \n=5w5A \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136015/SYSS-2015-073.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:17:23", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "packetstorm", "title": "perfact::mpa Reflected Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136011/perfact-mpa-Reflected-Cross-Site-Scripting.html", "id": "PACKETSTORM:136011", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-070 \nProduct: perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Cross-Site Scripting (CWE-79) \nRisk Level: Medium \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to improper input validation, the web application perfact::mpa is \nvulnerable to reflected cross-site scripting attacks. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nSySS GmbH found out that the request new user and translation \nfunctionalities of the web application perfact::mpa are prone to reflected \ncross-site scripting attacks. \n \nThis cross-site scripting vulnerability allows an attacker to send a \nmanipulated link to his victim in order to execute arbitrary JavaScript \ncode in the context of his victim's web browser. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \n1) NewAppUserReq (request new user functionality) \n \nThe following URL is an example of an attack vector exploiting a \nreflected cross-site scripting vulnerability via the parameter \n\"no_user_name\" of the request new user functionality: \n \nhttps://<HOST>/<PATH>/MPA2/MPA2/Open/NewAppUserReq/index_html?no_user=1 \n&no_user_name=<script>alert(\"SySS XSS!\")</script> \n \n \n2) i18n_wrapper_call (translation functionality) \n \nThe following URL is an example for an attack vector exploiting a \nreflected cross-site scripting vulnerability via the parameter \n\"content\" of the translation functionality (i18n_wrapper_call): \n \nhttps://<HOST>/<PATH>/i18n_wrapper_call \n?content=%3Cscript%3Ealert%28%22SySS%20XSS!%22%29%3C/script%3E \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-070 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-070.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/AIAAoJENmkv2o0rU2ri/gP/1YJoIZoLGropW6R8kxpz0l0 \nGB8oM+PXC2KEI101suBNI5ezLvPuonAFjobq0w5ChfEj7EEfsiAVUZ5Ftdk2mgqG \nUvrpMXm3UU5nxXjniqxK/23BgH0yazQv/c1Fp+gqGwp7UIFazt2x6eLGowcbJ3Df \n4ePJmm6MFOlvoh457ePmZ81QwZFgHgrwVnr3Hhk4myblxZvXdJRnK+rRYuiPq4Ga \n4wxoU3L2OjvDunFAKKUhCWk5+cAC+U/uwELH7rYko5M9eoz6FGBoXZBGamsQlyRh \nACoL6GJCkfMykwvDJEQ2hZywFnuW43uIlasndmNKDP1p3I7UHcFNTf9ogx33+RVr \n9WsvCk0wZaOTvP95wHle2WJx2jrcbetG3m2CPVkVAOZEYaoXGVzqmjK/SabsIooV \nEfcMjJUCRyiyytyAbjR4MzjpTkQ7CqR4ylzPFY7tIjZmA1aAg/1Ocv8KY7W5Fv// \nD8PZtZj25+lWmaSwuVneV9n+gR43oIAc42//Xb4pcbF77hYd6aS3616KEsJ69ea/ \nP2wvOcqN1KxfvyBPc1DcSj01/IsHlqgdQiZQqh8eHNGxZBW5HTUeUcJ/xD4Undxn \nZE5CH23m/5RIwXVb2TL2jzmTaV8LcESxOVidIaKA6ux3gNpRLs+ZdDBX6UXH4l3P \nleR6vzI/DeTs2+gbilYm \n=5GI9 \n-----END PGP SIGNATURE----- \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/136011/SYSS-2015-070.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-11-03T10:21:19", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "type": "packetstorm", "title": "perfact::mpa Insecure Direct Object Reference", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136014/perfact-mpa-Insecure-Direct-Object-Reference.html", "id": "PACKETSTORM:136014", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-069 \nProduct: perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Insecure Direct Object References (CWE-932) \nRisk Level: High \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to improper authorization checks, any logged in user can download \nvalid VPN configuration files of arbitrary existing remote sessions. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe SySS GmbH found out that any logged in user is able to download \nvalid VPN configuration files of arbitrary existing remote sessions. \n \nAll an intruder needs to know is the URL with the dynamic parameter \n\"brsessid\". Due to the modification of this incremental increasing \ninteger value, it is possible to enumerate and download a valid \nVPN configuration file for every existing remote session. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \nThe following URL is an exemplary request to download a valid VPN \nconfiguration file for the remote session identified by the ID \n\"brsessid\": \n \nhttps://<HOST>/<PATH>/MPA2/RoleSession/Link/connect?brsess_id=<BRSESSID>&brvpnnode_id=1 \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-069 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-069.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0/AFAAoJENmkv2o0rU2rQSAP/0/zhmg+uzJaPxZJ0/N4y5Jz \nIwNr+Dla9lPglGtkGOogmDImR7D10csqYXD4jDCgkJN/yxYCbJYv3anKOPy87yiY \n/GNk6vGuzcbGCBmq3sxxF8cuuTygEshTDeGE8lY7HArWq30Kyf9ob2CA8dMPxpA2 \nSDCv5Glv0I8BFkd3JHlGrs/yLZ4HVRMv1Bnwqzv8PXDWcQPpy7Lhz0z3l3w60aK8 \nCZCvmgX2nfX1nTgopQqiB/kYqnOK6QkAxvudepfOZqn7cXgM94vd8fnwYW1HRVgK \nH8ftEa+UQa0WmvtZ4tEBvav0mGgivw5yixXbZxt0OxyMz585MVHKAu4SgxKfTjNl \nz83fvGkxIpSSwjSKNEgy57gHofN9rwOUdvFj35JnUiszcGT0WA1Np3CEGny5TA+N \nwj7p7MgkiYglv0DMmHkgvdiow0fgN5Gz9At2D6EINZuw9KR9SdDPmn6utIFMBVbG \nmltSyBnPok5jEnPV9KfrXH5XBBsUy2MM1pQla8HYMmaicAvbbfEHy9RboVJCSVKL \npkyMQx1quUph43E0hpPGnIQO7djJJ/bT4aZtFRWTI+tqdB3Z1FvGbzzuRKZabhTh \nSgh0uP+8UecrxG9YLXBb5JK8TKpPZbPXjX1Qlte1/U07XUpcWgXGqNzhVUU7dXHD \nq6KQNEPgR3SgCO1bMo+9 \n=x2/v \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/136014/SYSS-2015-069.txt"}, {"lastseen": "2016-11-03T10:22:57", "references": [], "edition": 1, "description": "", "reporter": "Matthias Deeg", "published": "2016-03-01T00:00:00", "type": "packetstorm", "title": "perfact::mpa Persistent Cross Site Scripting", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-03-01T00:00:00", "href": "https://packetstormsecurity.com/files/136017/perfact-mpa-Persistent-Cross-Site-Scripting.html", "id": "PACKETSTORM:136017", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA512 \n \nAdvisory ID: SYSS-2015-066 \nProduct: perfact::mpa \nManufacturer: PerFact Innovation GmbH & Co. KG \nAffected Version(s): Custom versions using PerFact DB_Utils (Toolkit) < v3.2 \nTested Version(s): Custom version with PerFact DB_Utils (Toolkit) < v3.2 \nVulnerability Type: Cross-Site Scripting (CWE-79) \nRisk Level: High \nSolution Status: Fixed \nManufacturer Notification: 2015-12-18 \nSolution Date: 2016-01-18 \nPublic Disclosure: 2016-02-29 \nCVE Reference: Not yet assigned \nAuthors of Advisory: Matthias Deeg and Sven Freund (SySS GmbH) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nOverview: \n \nThe software solution perfact::mpa is a software architecture that, for \ninstance, is used to build web applications for the secure and reliable \nremote maintenance of machines via the Internet (see [1]). \n \nAccording to the manufacturer, remote control software built with \nperfact::mpa impresses through the following features: \n \n* location-independent and central monitoring, \n* maintenance and error management, \n* authorized remote access, and \n* integrated documentation of incidents and services. \n \nDue to improper input validation, the web application perfact::mpa is \nvulnerable to persistent cross-site scripting attacks. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nVulnerability Details: \n \nThe SySS GmbH found out that different functions of the web application \nperfact::mpa are prone to persistent cross-site scripting attacks due to \ninsufficient user input validation. \n \nThis kind of attack enables an attacker to persistently store attack \nvectors in form of arbitrary code, for instance JavaScript code, in the \nweb application database, which may be executed in the context of other \nusers. \n \n1) Persistent Cross-Site Scripting via uploaded HTML files \n \nThe SySS GmbH also found out that the file upload functionality for \nfile attachments to remote sessions allows the upload of HTML documents \ncontaining JavaScript code which enables an attacker to perform \npersistent cross-site scripting attacks. \n \n \n2) Persistent Cross-Site Scripting via export report functionality \n \nFurther examples for persistent cross-site scripting vulnerabilities \nwere identified in the export report functionality (stored report) of \nmany views providing this option that could be exploited via different \nparameters. \n \nAccording to test results of the SySS GmbH, all report views generated \nby the export report functionality are prone to persistent cross-site \nscripting attacks, if an attacker can control any of the displayed \ninformation, for example a description parameter. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nProof of Concept (PoC): \n \n1) Persistent Cross-Site Scripting via uploaded HTML files \n \nAn authenticated user can upload an HTML file containing arbitrary \nJavaScript code as an attachment to a remote session. \n \nIf this attached file is opened by another user within the perfact::mpa \nweb application, the attacker-controlled JavaScript is executed in the \ncontext of the victim. \n \n \n2) Persistent Cross-Site Scripting via export report functionality \n \nIf an attacker can control any of the displayed information of a stored \nreport, she or he is able to execute JavaScript code in the context of \nother users that are viewing this report. \n \nFor example, the following simple attack vector can be used as user \ndescription value of a user account: \n \nTest<script>alert(1)</script> \n \n \nThe following output is an excerpt of the resulting HTML source code of \nthe stored report generated by the export report functionality \ncontaining the injected JavaScript code: \n \n(...) \n<td class=\"export_as_text\">Test<script>alert(1)</script></td> \n(...) \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSolution: \n \nAccording to information by the PerFact Innovation GmbH & Co. KG, the \ndescribed security issue has been fixed in PerFact DB_Utils (toolkit) \nsoftware version 3.2. \n \nPlease contact the manufacturer for further information or support. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclosure Timeline: \n \n2015-12-18: Vulnerability reported to manufacturer \n2016-01-18: Response from manufacturer with detailed information about \nthe reported security vulnerability and its solution status \n2016-02-05: E-mail to manufacturer according two open questions \n2016-02-05: Response from manufacturer with further information \n2016-02-29: Public release of security advisory \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nReferences: \n \n[1] Product Web Site for perfact::mpa \nhttp://perfact.de/mpa/index_html \n[2] SySS Security Advisory SYSS-2015-066 \nhttps://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-066.txt \n[3] SySS Responsible Disclosure Policy \nhttps://www.syss.de/en/responsible-disclosure-policy/ \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCredits: \n \nThis security vulnerability was found by Matthias Deeg and Sven Freund \nof the SySS GmbH. \n \nE-Mail: matthias.deeg (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc \nKey fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB \n \nE-Mail: sven.freund (at) syss.de \nPublic Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc \nKey fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nDisclaimer: \n \nThe information provided in this security advisory is provided \"as is\" \nand without warranty of any kind. Details of this security advisory may \nbe updated in order to provide as accurate information as possible. The \nlatest version of this security advisory is available on the SySS Web \nsite. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nCopyright: \n \nCreative Commons - Attribution (by) - Version 3.0 \nURL: http://creativecommons.org/licenses/by/3.0/deed.en \n \n-----BEGIN PGP SIGNATURE----- \n \niQIcBAEBCgAGBQJW0+/3AAoJENmkv2o0rU2r8noQAJ4ZCybGIXu8JHN1yOYuPxX2 \nNWCFWqtwjm3E8iAP2jHaB63ps0HBFKzYXiRWAB6/Uk8hBnorwjQjkRQCY/evyjLH \nHVk5Tvukr5bZqHnkUGLwed3Xz/jnVZlaeb/OMU7fQASDS06v/LxILkqIvBp577GM \nlV6NKWHZgMz57ObADtJY6ffIJCNKYf+uPbECdMkpACsWKn2Kbh6l8xNARULh6yu3 \nAIIj8MJmJrYrph0V1tnyDXUtV++iFfO4YdqwI0WLPvEbmjOUEVbGtkzSdEgTfl9X \nrN4Zmh9mcvdyhOMO0S+0w+4YgqXwmX6oqucMlAAQWc/8Wh95GP2oIuW6mjAKylIo \nhNCFSmpctvXAbWINJLbC0rerCS8t+iEOkWZmkEyW6AIboEamwcebZ9N9/IFOYQcZ \ntOhLdNqW5ltxpfKrbvFxAokh7Rvl1Up2gBNJWyDVHcYU+nQiecieHLiS1IGNoq5T \nBTWcxw2KZRal750KKlMGM3kso3p9S0X/PIk7uDmPesdddOyAi+qTzMn6IZVh6tX3 \nFTSNrlIHrQu5t3cOsQ9Gq6R5KjbHA+1jqq2X5SvCkKDuDX2HfSit7wi4lr0LEKeD \nX7+m4dYxFSZ1K5quegV1Dqt4dMKURsrvnzabBDNwQc2pnepdNaxTG2ZZP/q1H2GT \npnWUhWJloSq3AungqknK \n=FHIW \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/136017/SYSS-2015-066.txt"}], "gentoo": [{"lastseen": "2016-09-06T19:46:29", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7656", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7631", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7633", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7658", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7652", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7630", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7632", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7657", "https://bugs.gentoo.org/show_bug.cgi?id=563014", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7628", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7644", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7661", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7629", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7645", "https://bugs.gentoo.org/show_bug.cgi?id=563172", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7646", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7634", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7643", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7647", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8042", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7654", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8044", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7662", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8046", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7653", "https://bugs.gentoo.org/show_bug.cgi?id=565318", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7626", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7663", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7627", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7651", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5569", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7660", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7655", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7648", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7625", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7659", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8043"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "11.2.202.548", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "www-plugins/adobe-flash", "operator": "lt"}], "edition": 1, "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-11.2.202.548\"", "reporter": "Gentoo Foundation", "published": "2015-11-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7660", "CVE-2015-7663", "CVE-2015-7654", "CVE-2015-8042", "CVE-2015-7658", "CVE-2015-8043", "CVE-2015-7634", "CVE-2015-7625", "CVE-2015-7661", "CVE-2015-7651", "CVE-2015-7652", "CVE-2015-5569", "CVE-2015-7627", "CVE-2015-7633", "CVE-2015-7630", "CVE-2015-7629", "CVE-2015-7647", "CVE-2015-7656", "CVE-2015-7657", "CVE-2015-7653", "CVE-2015-7626", "CVE-2015-7655", "CVE-2015-8046", "CVE-2015-7648", "CVE-2015-7646", "CVE-2015-7643", "CVE-2015-7628", "CVE-2015-7645", "CVE-2015-7632", "CVE-2015-8044", "CVE-2015-7631", "CVE-2015-7644", "CVE-2015-7659", "CVE-2015-7662"], "modified": "2015-11-17T00:00:00", "id": "GLSA-201511-02", "href": "https://security.gentoo.org/glsa/201511-02", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
