Sites created by NeginGroup suffer from cross site scripting and remote SQL injection vulnerabilities. Note that this finding houses site-specific data.
AuraCMS version 3.0 suffers from cross site scripting and local file inclusion vulnerabilities.
Check_MK suffers from an arbitrary file disclosure vulnerability.
The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.
It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.
Red Hat Security Advisory 2014-0581-01 - OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A flaw was discovered in OpenStack Dashboard that could allow a remote attacker to conduct cross-site scripting attacks if they were able to trick a horizon user into using a malicious heat template. Note that only setups exposing the orchestration dashboard in OpenStack Dashboard were affected.
Red Hat Security Advisory 2014-0580-01 - The OpenStack Identity service authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins. The openstack-keystone packages have been upgraded to upstream version 2013.2.3, which provides a number of bug fixes over the previous version. The following security issue is also fixed with this release: It was found that the memcached token back end of OpenStack Identity did not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using the memcached back end for tokens were affected.
Red Hat Security Advisory 2014-0578-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects. It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled were affected.
Red Hat Security Advisory 2014-0517-01 - The openstack-foreman-installer package provides facilities for rapidly deploying Red Hat Enterprise Linux OpenStack Platform 4. It was discovered that the Qpid configuration created by openstack-foreman-installer did not have authentication enabled when run with default settings in standalone mode. An attacker able to establish a TCP connection to Qpid could access any OpenStack back end using Qpid without any authentication. This update also fixes several bugs and adds enhancements.
Red Hat Security Advisory 2014-0582-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll-up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issue is also fixed with this release: It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
Red Hat Security Advisory 2014-0516-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. A flaw was found in the way OpenStack Networking performed authorization checks on created ports. An authenticated user could potentially use this flaw to create ports on a router belonging to a different tenant, allowing unauthorized access to the network of other tenants. Note that only OpenStack Networking setups using plug-ins that rely on the l3-agent were affected.
Red Hat Security Advisory 2014-0579-01 - OpenStack Orchestration is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. The openstack-heat-templates package provides heat example templates and image building elements for the openstack-heat package. It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system.
Red Hat Security Advisory 2014-0573-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.3 will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 6.3 EUS after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided after this date. We encourage customers to plan their migration from Red Hat Enterprise Linux 6.3 to a more recent version of Red Hat Enterprise Linux. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 6 release.
Red Hat Security Advisory 2014-0575-01 - In accordance with the Red Hat Enterprise Developer Toolset Life Cycle policy, the Red Hat Developer Toolset Version 1 offering will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Developer Toolset Version 1 after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided for Red Hat Developer Toolset Version 1 after this date. We encourage customers to plan their migration from Red Hat Enterprise Developer Toolset Version 1 to a more recent release of Red Hat Developer Toolset. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Developer Toolset subscriptions to entitle any system on a currently supported version of this product.
A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Versions affected include Apache Tomcat 8.0.0-RC2 to 8.0.3.
HandsomeWeb SOS Webpages versions 1.1.11 and below suffer from backup and password hash disclosure vulnerabilities.
sb0x Project is a lightweight penetration testing framework written in Python.
Red Hat Security Advisory 2014-0559-01 - The Red Hat Enterprise Virtualization Manager data warehouse package provides the Extract-Transform-Load process and database scripts to create a historic database API. It also provides SQL BI reports creation for management and monitoring. It was found that the ovirt-engine-dwh setup script logged the history database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database.
Red Hat Security Advisory 2014-0558-01 - The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. It was found that the ovirt-engine-reports setup script logged the reports database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database.
Red Hat Security Advisory 2014-0561-01 - cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP with NTLM authentication, LDAP, SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials.
Red Hat Security Advisory 2014-0557-01 - The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. A race condition leading to a use-after-free flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled the addition of fragments to the LRU list under certain conditions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system by sending a large number of specially crafted fragmented packets to that system.
Red Hat Security Advisory 2014-0560-01 - The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a special file that blocks on read access could use this flaw to cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
Debian Linux Security Advisory 2938-1 - The initial organization and setup of Squeeze LTS has now happened and it is ready for taking over security support once the standard security support ends at the end of the month.
Debian Linux Security Advisory 2937-1 - Two security issues have been found in the Python WSGI adapter module for Apache.
Gentoo Linux Security Advisory 201405-28 - A remote command injection vulnerability has been discovered in xmonad-contrib. Versions less than 0.11.2 are affected.