Open-Xchange AppSuite versions 7.4.1 and below suffer from script insertion and traversal vulnerabilities.
f64894541784a5965d5e8dd55defafbccab9ab8f246cce119db4b1e2c9d56811Debian Linux Security Advisory 2845-1 - This DSA updates the MySQL 5.1 database to 5.1.73. This fixes multiple unspecified security problems in MySQL.
fa7f40229dc90120ac0e0aa2eb8e2e1325f67ad09b177a5753770abee5251c4fMandriva Linux Security Advisory 2014-010 - Multiple vulnerabilities has been discovered and corrected in memcached. The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service via a request to delete a key, which does not account for the lack of a null terminator in the key and triggers a buffer over-read when printing to stderr. memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials. Various other issues have also been addressed.
56e23873dfb9810e91b41765d15d9e18cafd0f9578ff6c5806a952a61bf20fc8Mandriva Linux Security Advisory 2014-006 - xslt.c in libxslt before 1.1.25 allows context-dependent attackers to cause a denial of service via a stylesheet that embeds a DTD, which causes a structure to be accessed as a different type. NOTE: this issue is due to an incomplete fix for CVE-2012-2825. The updated packages have been patched to correct this issue.
d503e763b57122b1bd5ea97bd2b93533c0511e842cf6a0c87bc31b04792daf0dMandriva Linux Security Advisory 2014-005 - The TLS driver in ejabberd before 2.1.12 supports weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack. The updated packages have been upgraded to the 2.1.13 version which is not vulnerable to this issue.
4f694e5ddc207e0db057b3c0ee6d0aba1eca623fa95f4affcd6efca3d29ffc0dUbuntu Security Notice 2083-1 - It was discovered that Graphviz incorrectly handled memory in the yyerror function. If a user were tricked into opening a specially crafted dot file, an attacker could cause Graphviz to crash, or possibly execute arbitrary code. It was discovered that Graphviz incorrectly handled memory in the chkNum function. If a user were tricked into opening a specially crafted dot file, an attacker could cause Graphviz to crash, or possibly execute arbitrary code. Various other issues were also addressed.
25439a91952048a0b2275a1f124b3b5aa430718a373e261797e5b2b191ca184cMandriva Linux Security Advisory 2014-004 - Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list to the process_cgivars function in extinfo.c, status.c, trends.c in cgi/, which triggers a heap-based buffer over-read. Off-by-one error in the process_cgivars function in contrib/daemonchk.c in Nagios Core 3.5.1, 4.0.2, and earlier allows remote authenticated users to obtain sensitive information from process memory or cause a denial of service via a long string in the last key value in the variable list, which triggers a heap-based buffer over-read. The updated packages have been patched to correct these issues.
2a8a2c2fafea3404e1ed0dab309c14b4a4dc58b3300bfb3a8153d0ae8063119fMandriva Linux Security Advisory 2014-003 - Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor before 2.14 might allow remote attackers to execute arbitrary shell commands via $() shell metacharacters, which are processed by bash. The updated packages have been patched to correct this issue.
ae3af96c61f5cb0bcc8ef2cfd7bd0d9f0aa1fdf1facbc9382e974b70630cdf6eMandriva Linux Security Advisory 2014-002 - The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature. The updated packages for Enterprise Server 5 have been patched to correct this issue. The updated packages for Business Server 1 have been upgraded to the 9.9.4-P2 version which is unaffected by this issue.
68b6dd6470caf042a0953b19a031782926ab5363c4da8f8ff80fd46eaa48eecfRed Hat Security Advisory 2014-0030-01 - Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.
836069891824f01a4d1a0c0c357d7e19a31e12bd8afa1255bf2a8c7943cd1cf7FreeBSD Security Advisory - Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. This issue only affects authoritative nameservers with at least one NSEC3-signed zone. Recursive-only servers are not at risk. An attacker who can send a specially crafted query could cause named(8) to crash, resulting in a denial of service.
42bd91e5a207d906b383d2f4b8c14bcb28389b0113837035f0080c510470026dDrupal Anonymous Posting third party module version 7.x suffers from a cross site scripting vulnerability.
3f66516fa2d17f145270d1b32bfdcb6d5737821a00485d9156519b16c187b504Drupal core versions 6.x and 7.x suffer from impersonation, access bypass, and security hardening vulnerabilities.
f5c6a398f6c3eb4be7409e8de673476647efb02968ec5e6d76e45d68ffbfdae9A local stored cross site scripting vulnerability affects Y! Toolbar for FireFox on MAC version 3.1.0.20130813024103 and Windows version 2.5.9.2013418100420.
142248a0c37ee7fab8c5439b25c68e5735667f364eea08f98a2fd5994f534c29The JavaScriptUtils.javaScriptEscape() method did not escape all characters that are sensitive within either a JS single quoted string, JS double quoted string, or HTML script data context. In most cases this will result in an unexploitable parse error but in some cases it could result in a cross site scripting vulnerability. Spring MVC versions 3.0.0 through 3.2.1 are affected.
242790135a9927b7deb87c43607a629b3269e553eee7b7f28d9784435b870ce8FreeBSD Security Advisory - The ntpd(8) daemon supports a query 'monlist' which provides a history of recent NTP clients without any authentication. An attacker can send 'monlist' queries and use that as an amplification of a reflection attack.
855ebbd21f6a31190a872cdb3928fdba92ff66aa654805455eab3998917e5b1eFreeBSD Security Advisory - A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2.
8cfc9cbab96b1b477732894dceb5515843f94bda1957f4f8b56f78b5d7e6a1d7Debian Linux Security Advisory 2844-1 - It was discovered that djvulibre, the Open Source DjVu implementation project, can be crashed or possibly make it execute arbitrary code when processing a specially crafted djvu file.
d7ca29eafee9d5e622caf3059b505b8d854dd08ed68522086213d1b74c3930ecCisco Security Advisory - Cisco Secure Access Control System (ACS) is affected by privilege escalation, command injection, and unauthenticated user access vulnerabilities.
a877e0bdd634a90d1446f6d3d275b8802a4064aed2a3213f2c1790df2d560db7Red Hat Security Advisory 2014-0028-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security bulletin APSB14-02, listed in the References section. Specially-crafted SWF content could cause flash-plugin to crash or, potentially, execute arbitrary code when a victim loads a page containing the malicious SWF content. All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.335.
72b1fad90804590637bc1f91825768c2f1bff69b80340ba1322986cb8a7d3048Ubuntu Security Notice 2082-1 - Jann Horn discovered that the CUPS lppasswd tool incorrectly read a user configuration file in certain configurations. A local attacker could use this to read sensitive information from certain files, bypassing access restrictions.
8ccfc6fba38df9120e96e707d0a9e03460184e1d2c68c90777c3dda22d9ec4a9FreeBSD Security Advisory - The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it has received a specifically crafted GETBULK PDU request.
351d8fb78b9b65fa1c1b3fa7aa44fd6aea60e5ffb76d66cf7adff1a3a4be8a3eRed Hat Security Advisory 2014-0027-01 - These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
15425be109ffb343bbfa132d01e00c82e3d7dd3b6dc1ee6d38438bb9d9c79311Red Hat Security Advisory 2014-0026-01 - These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. An input validation flaw was discovered in the font layout engine in the 2D component. A specially crafted font file could trigger Java Virtual Machine memory corruption when processed. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. Multiple improper permission check issues were discovered in the CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
7ce7722a786811cc9fd25703a94b2466957f87a55820b192300e001de18281ebRed Hat Security Advisory 2014-0029-01 - Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.2.0 serves as a replacement for Red Hat JBoss Data Grid 6.1.0. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.2.0 Release Notes.
7722ac9b8d1472e20430051056e03e4d1e7c7b5612da1613cc03b70b9c2bd362
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed