This archive contains all of the 187 exploits added to Packet Storm in January, 2015.
baa98ae3798024bcce58888a633b7094d55481d0fcde94647dc46ea8af74dcc7SnipSnap versions 0.5.2a, 1.0b1, and 1.0b2 suffer from a cross site scripting vulnerability. This vulnerability was already previously discovered by Sony in February of 2012.
fcea8ba9882cab2ac85b8f16e4498e3aa6343df7e0a6823369ecd9b60bd92259ZeroCMS versions 1.3.3 and below suffer from a remote SQL injection vulnerability.
7a722243425576450bf2793f79504ddaee5269e4e0f2cf4894a7c56f85b50c08SIPhone Enterprise PBX suffers from a remote SQL injection vulnerability that allows for authentication bypass.
d46433623631bc3d4ce7e1609af807e93bcad3cd22ea89953d7aad7cb9d92d65Asus RT-N10 Plus with firmware version 2.1.1.1.70 suffers from a cross site scripting vulnerability.
52834296326caf3b9233a242ffe1a865ee9dddc03118fc76297f3bfe0a1ac589Symantec Encryption Management Server versions prior to 3.2.0 MP6 suffers from a remote command injection vulnerability.
3bc3eeac36113e210abe514dc8172c9c2bb90bb59bbe5d343e9ac303b7490024NPDS CMS Revolution-13 suffers from a remote SQL injection vulnerability.
142ca9db88be9cf3d50167d0e6ca107fc856238d9b989d450adedf97f40190ccMcAfee Data Loss Prevention Endpoint version 9.3.200.23 suffers from an arbitrary write privilege escalation vulnerability.
b96f5506ade3562db4422d9d10574de13efea0a185c340127a4a630ff1c8727dThis advisory details a vulnerability found within Kaseya Browser Android application. A path traversal vulnerability was discovered within an exported content provider, resulting in the disclosure of arbitrary files, including internal application files.
cd0eed73304887bcbc11bac4f7dca27d8f196f11666aa9eebef47a9489785ca8MantisBT version 1.2.17 suffers from improper access control, cross site scripting, and remote SQL injection vulnerabilities.
66702fafa02a9dbc923285c073b3f395b675adad64da5dfa2394ca10e6440fd2This advisory details multiple vulnerabilities found within the Kaseya BYOD Gateway software. By chaining a combination of lacking SSL verification, poor authentication mechanisms and arbitrary redirection vulnerabilities, a malicious entity may potentially compromise any Kaseya BYOD installation. The Kaseya BYOD Gateway software uses a redirection feature, wherein users are redirected to their local Kaseya installation via Kaseya's hosted servers. The update request from the BYOD Gateway software to the Kaseya hosted servers was not found to verify SSL certificates and fails to implement any form of authentication, instead relying on the length of the gateway identifier to provide security. Thus, the security of the solution depends on an attacker's ability to enumerate the gateway identifier. Once a malicious user enumerates the Gateway identifier, then they may update the redirect rule for that customer in Kaseya's hosted servers, redirecting customers to a malicious Kaseya BYOD Gateway. Version 7.0.2 is affected.
84b242264d948879e1883fb40c965edd3e0f9240397d1c5870d701482625f9beManageEngine Firewall Analyzer versions 8.0 and below suffer from cross site scripting and directory traversal vulnerabilities.
6ee156b0d54a8f1ed09c9f4838b7ee5144db4b15ab8239f4c4fb15af63710762Multiple direct object reference vulnerabilities were found within the AirWatch cloud console. VMWare advised that these issues also affect on-premise AirWatch deployments. A malicious AirWatch user may leverage several direct object references to gain access to information regarding other AirWatch customers using the AirWatch cloud. This includes viewing groups and downloading private APKs belonging to other organizations.
5468547ad7baa8b8e0d41f706bd7a80458d99dc96cd25a19ec2e1b6344263f4fUniPDF version 1.1 suffers from a buffer overflow vulnerability. This is a SEH overwrite denial of service proof of concept exploit.
7c9adc7186397aed0cb3bfb2dfaacca61f412e296b377460a47fa10b0f8d7d95There is an authentication bypass vulnerability in ClearSCADA that can be exploited by triggering an exception in dbserver.exe and taking advantage of the way the program handles it.
7297622cf93f018ee50d502b4deb7ac9d83396bceed64caa328eab02705135a7ManageEngine OpManager, Applications Manager, and IT360 suffer from arbitrary file download, directory content disclosure, and blind SQL injection vulnerabilities.
673d176c6994825278245d24a4e3dd01607a5db291f3f9c6d510ddb9184591faFortinet FortiOS with firmware 5.0 build 4457 (GA Patch 7) suffers from a CAPWAP daemon DTLS denial of service vulnerability and man-in-the-middle vulnerability.
1d7eabcba5b448e1f50b41f696a137829a3448ee8819d84a471f0f1752e6f73cFortinet FortiClient suffers from broken SSL certificate validation and hardcoded encryption key vulnerabilities. This affects FortiClient iOS version 5.2.028 and FortiClient Android version 5.2.3.091.
89b742d1f97f2adee5b04d0eebd11f2dfb73e303bea379908618783f651c1060The tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges. Proof of concept exploit included.
9d61f1a5823955c19741ad2d57e256f3641cf2f035e04e442eac8b77fd3054eaSupportCenter Plus version 7.9 suffers from a cross site scripting vulnerability.
d131e51f9d4f84b47ce89564902bd285461a72417d6720d9dc2d4bb58a8e2a66Fortinet FortiAuthenticator suffers from subshell bypass, cross site scripting, password disclosure, and file disclosure vulnerabilities.
2316f48a2a964f620060702d77fc255206e56d4b01b414a4518441e617b7964eBlubrry PowerPress version 6.0 suffers from a cross site scripting vulnerability.
a72310b5a80497f919f65c7d62fb01deeafbb3b70942d303e143f5a6101df8a2Cisco Meraki Systems Manager suffers from cross site request forgery, abuse of functionality, and cross site scripting vulnerabilities.
9c34baf2089dd34e016937a33e17e5155490db6c285d7340f4b9688fcc63d496WordPress Geo Mashup plugin versions 1.8.2 and below suffer from a cross site scripting vulnerability.
f7fa1ff3301b956e7f022f4b40335250c37a4a7d39eaadff8a0681bf634e9fefWordPress Photo Gallery plugin version 1.2.8 suffers from a cross site scripting vulnerability.
5e09f504c2a41251b089a8e7c0f3be0f49c6c8b6a0af82aca50dfdce76422a3c
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed