FireHOL is a simple yet powerful way to configure stateful iptables firewalls. It can be used for almost any purpose, including control of any number of internal/external/virtual interfaces, control of any combination of routed traffic, setting up DMZ routers and servers, and all kinds of NAT. It provides strong protection (flooding, spoofing, etc.), transparent caches, source MAC verification, blacklists, whitelists, and more. Its goal is to be completely abstracted and powerful but also easy to use, audit, and understand.
57beb36c4bd81f20966928a4fb627d11
Input passed via the '_redirect' GET parameter to the 'service.cgi' script on various Peplink VPN-Firewall devices is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
5af9c98feacf1c9f241e8c52fcc8846f
WinPower version 4.9.0.4 suffers from a privilege escalation vulnerability. Proof of concept code included.
ed0607905b845ef7350dce9ad139b90e
Zurb Foundation versions 5.5.1 and 5.5.3 suffer from a cross site scripting vulnerability.
d76ca8deb88a2741d8e25843dfbaeef5
WordPress Insert Html Snippet plugin version 1.2 suffers from a cross site request forgery vulnerability.
70597e9717e758afa7044c6df0d23a30
Red Hat Security Advisory 2016-2823-01 - This release of Red Hat JBoss BRMS 6.4.0 serves as a replacement for Red Hat JBoss BRMS 6.3.4, and includes bug fixes and enhancements, which are documented in the Release Notes of the patch linked to in the References section. Security Fix: It was found that several XML parsers used by XStream had default settings that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
94227be66643a4ce9aa75b2772e98354
Red Hat Security Advisory 2016-2825-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 45.5.0. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
b7a04efb82d5871e8b28dcd19229f9fa
Red Hat Security Advisory 2016-2822-01 - This release of Red Hat JBoss BPM Suite 6.4.0 serves as a replacement for Red Hat JBoss BPM Suite 6.3.4, and includes bug fixes and enhancements, which are documented in the Release Notes of the patch linked to in the References section. Security Fix: It was found that several XML parsers used by XStream had default settings that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
dee7c00f687aff53c5ce4a18baf8b732
A specially crafted web-page can trigger an unknown memory corruption vulnerability in Google Chrome Accessibility code. An attacker can cause code to attempt to execute a method of an object using a vftable, when the pointer to that object is not valid, or the object is not of the expected type. Successful exploitation can lead to arbitrary code execution.
ab98628c1095fe66451caf0ac7387408
Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. This framework comes into play when the attacker is able to redirect traffic, which can be done in several ways, such as DNS tampering, DNS cache poisoning, ARP spoofing, Wi-Fi access point impersonation, or DHCP hijacking with your favorite tools. This way you can easily take control of a fully patched machine during a penetration test in a clean and easy way. The main idea behind it is to show the amount of trivial errors in the update process of mainstream applications.
49882afcf281d2336135649f9f846930
Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference.
e05505ff149a151d8a636928a77cde9f
Ubuntu Security Notice 3139-1 - Florian Larysch discovered that the Vim text editor did not properly validate values for the 'filetype', 'syntax', and 'keymap' options. An attacker could trick a user into opening a file with specially crafted modelines and possibly execute arbitrary code with the user's privileges.
8c65c9036076b54e0594e3d6963c865a
Eagle Speed USB modem software suffers from a privilege escalation vulnerability.
67a4ea9e0ca59f6d85e2f3fa2dc01b16
The Nuit Du Hack Call For Papers for 2017 has been announced. It will be held June 24th through the 25th, 2017 in Paris, France.
0a4cd7ad44964e211e56f0d4e1a07931
EnCase Forensic Imager versions 7.10 and below suffer from denial of service and heap-based buffer overflow vulnerabilities.
1c5bac58a0fdaf56c3881bb3ed6e6585
The BloomCON 2017 Forensics and Security conference will be held March 24th through the 25th, 2017 in Bloomsburg, PA, USA.
760e48cafe7c8b9bbc431306e2c8ba53
Biesta Billing version 4.0 Beta suffers from cross site request forgery and directory traversal vulnerabilities.
ffa53f44ee22e91a14f026523a749b80