seclist.org

Posted by Shlomi Fish on Sep 13

See:

https://github.com/docbook/xslt10-stylesheets/pull/144

«
See https://ruby-doc.org/stdlib-2.0.0/libdoc/tmpdir/rdoc/Dir.html -
tmpdir returns the same value everytime and as a result the tmpdirs can
be identical or existing.

SECURITY!

Thanks to phaul from #ruby .
»

There is a patch that seems to work well in the mageia linux package, but
no PoC exploit.

Posted by rant on Sep 13

=====[ Tempest Security Intelligence - ADV-03/2019
]==========================

Piwigo - Version 2.9.5

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================
 * Overview
 * Detailed description
 * Timeline of disclosure
 * Thanks & Acknowledgments
 * References

=====[ Vulnerability...

Posted by Debashis Pal on Sep 13

#!/usr/bin/python

# Exploit Type : DOS
# Exploit Title: FTPShell client 6.74 - Local Buffer Overflow (SEH)
# Vulnerable Software & version : FTPShell client 6.74
# Vendor Homepage: https://www.ftpshell.com/
# Software Link: https://www.ftpshell.com/downloadclient.htm
# Tested Windows : Windows Vista Ultimate SP2(32-bit), Windows 7
Professional SP1(32-bit)
# Exploit Author: Debashis Pal
# Timeline
# Vulnerability Discover Date:...

Posted by Manuel Garcia Cardenas on Sep 13

=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================

I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-------------------------
phpMyAdmin is a free...

Posted by SEC Consult Vulnerability Lab on Sep 12

SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/...

Posted by Info on Sep 10

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: SQL Injection [CWE-74]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE: CVE-2019-12516

2. CREDITS
==========
This vulnerability was discovered and researched by...

Posted by Info on Sep 10

RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: SlickQuiz
Vendor URL: https://wordpress.org/plugins/slickquiz/
Type: Cross-Site Scripting [CWE-79]
Date found: 2019-05-30
Date published: 2019-09-10
CVSSv3 Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE: CVE-2019-12517

2. CREDITS
==========
This vulnerability was discovered and...

Posted by Daniel Bishtawi on Sep 10

Hello,

We are informing you about the vulnerabilities in OpenEdx version
Ironwood.1.

Here are the details:

Information
--------------------
Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting Vulnerabilities in OpenEdx
version Ironwood.1
Affected Software: OpenEdx
Affected Versions: Ironwood.1
Homepage: https://open.edx.org/
Vulnerability: Cross site Scripting
Severity: Medium
Status: Fixed
CVSS Score (3.0):...

Posted by hyp3rlinx on Sep 09

Fixed a bug in the save report logic.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifer:$DATA to see if any identified files were
downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE...

Posted by Elar Lang on Sep 09

Title: CVE-2018-18809 Path traversal in Tibco JasperSoft
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: Tibco JasperSoft (https://www.jaspersoft.com/)
Vulnerability: Path traversal
CVE: CVE-2018-18809

# Path traversal
Vulnerability is in reportresource/reportresource/ service and in resource
parameter. There is "defence" - value for resource param must start with
net/sf/jasperreports/.

Available for remote not...

Posted by Debashis Pal on Sep 09

#!/usr/bin/python

# Exploit Title: Core FTP LE Version 2.2, build 1935 - Local Buffer
Overflow (SEH Unicode)
# Vulnerability Details: Core FTP LE Version 2.2, build 1935 is prone to a
buffer overflow vulnerability that may result in a DoS user local folder
selection pane
# Exploit Type : DOS
# Date: 08-Sep-2019
# Vulnerable Software: Core FTP LE
# Version: Version 2.2, build 1935
# Vendor Homepage: http://www.coreftp.com/
# Software Link:...

Posted by Kevin Kotas via Fulldisclosure on Sep 09

CA20190904-01: Security Notice for CA Common Services Distributed
Intelligence Architecture (DIA)

Issued: September 4th, 2019
Last Updated: September 4th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Common Services in the Distributed
Intelligence Architecture (DIA) component. A vulnerability exists,
CVE-2019-13656, that can allow a remote attacker to execute arbitrary
code. CA published solutions...

Posted by Marcin Kozlowski on Sep 09

Hi list,

Read about potential UAF in PHP and Ruby via regex library "oniguruma" (for
example here:
https://thehackernews.com/2019/09/php-programming-language.html)

However, I didn't find default PHP and Ruby vulnerable:

https://github.com/kkos/oniguruma/issues/153

My investigation showed the onig_new_deluxe() is not used by default.
However, modified PHP to use it and fuzzed it and was able to reproduce UAF
in 7 mins :)

Write...

Posted by hyp3rlinx on Sep 09

NtFileSins v2, exploits Windows privileged file access enumeration
vulnerability to gather intelligence on privileged users. This version
includes Zone.Identifier checks to see if any discovered files were
internet downloaded.

from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2
# Added: Check for Zone.Identifer:$DATA to see if any identified files were
downloaded from internet.
#
# Windows File Enumeration Intel Gathering....

Posted by Vulnerability Lab on Sep 09

Document Title:
===============
Dabman & Imperial (i&d) Web Radio Devices - Undocumented Telnet Backdoor
& Command Execution Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2183

Video: https://www.vulnerability-lab.com/get_content.php?id=2190

Vulnerability Magazine:...

Posted by paw on Sep 06

Update:

[+] CVE-id: CVE-2019-15952

Il 30/08/19 19:45, paw ha scritto:

Posted by hyp3rlinx on Sep 06

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows NTFS

NTFS is a proprietary journaling file system developed by Microsoft.
Starting with Windows NT 3.1, it is the default file system of the Windows
NT family.

[Vulnerability Type]...

Posted by Asterisk Security Team on Sep 05

Asterisk Project Security Advisory - AST-2019-005

Product Asterisk
Summary Remote Crash Vulnerability in audio transcoding
Nature of Advisory Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Minor...

Posted by Asterisk Security Team on Sep 05

Asterisk Project Security Advisory - AST-2019-004

Product Asterisk
Summary Crash when negotiating for T.38 with a declined
stream
Nature of Advisory Remote Crash
Susceptibility Remote Authenticated Sessions...

Posted by SEC Consult Vulnerability Lab on Sep 04

SEC Consult Vulnerability Lab Security Advisory < 20190904-0 >
=======================================================================
title: Multiple vulnerabilities
product: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P,
Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160,
Cisco 160W
vulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15...