Affected Versions

Applicure dotDefender 4.0 administrative interface cross site scripting

ID: ES-20100601

Advisory URL:
http://resources.enablesecurity.com/advisories/ES-20100601-dotdefender4.txt

Affected Versions: version 4.0

Fixed versions: 4.01-3 (and later)

Description:


JDownloader Remote Code Execution

After the form data is sent, JDownloader will, depending on transmitted
_Referer/Source and/or User-Agent_, ask for permission to add Links from
external Website/Application, the code is executed after the user
confirms.

-- Affected Versions

All versions prior to 2010-01-25 (with Click'n'Load 2 support) are
vulnerable. (Release version 0.9.334)

-- Solutions

/home/putnopvut/asa/AST-2008-007/AST-2008-007: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised

   |            | version (version 0.9.8c-4 or later) and regenerate all    |
   |            | keys used by Asterisk.                                    |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |              Product              | Release Series |                   |
   |-----------------------------------+----------------+-------------------|
   |       Asterisk Open Source        |     1.0.x      | N/A               |
   |-----------------------------------+----------------+-------------------|

AST-2009-007: ACL not respected on SIP INVITE

   | Resolution | Users should upgrade to a version listed in the           |
   |            | "Corrected In" section below.                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            | Release Series |                       |
   |-------------------------------+----------------+-----------------------|
   |     Asterisk Open Source      |     1.2.x      | Unaffected            |
   |-------------------------------+----------------+-----------------------|

C4 SCADA Security Advisory - OSISoft PI Server Authentication Weakness

3.      Attempt to find additional vulnerabilities in the server to carry
out the "corporate network to control center" attack vector mentioned in
C4's S4 2008 paper "Control System Attack Vectors and Examples: Field Site
and Corporate Network" (http://www.c4-security.com/index-5.html).

Affected Versions
-------------------------
PI Server - All versions

Workaround/Fix
-----------------------

NSOADV-2010-005: SonicWALL E-Class SSL-VPN ActiveX Control format string overflow

                          SonicWALL EX7000
                          SonicWALL EX6000
                          SonicWALL EX-1600
                          SonicWALL EX-1500
                          SonicWALL EX-750
  Affected Versions:      10.0.4 and all previous versions
                          10.5.1 without hotfix
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           Vendor released a patch
  Discovered by:          Nikolas Sotiriu

AST-2007-024 - Fallacious security advisory spread on the Internet involving buffer overflow in Zaptel's sethdlc application

    |            | embarrassment of reporting a vulnerability that wasn't)   |
    |            | in the future.                                            |
    +------------------------------------------------------------------------+

    +------------------------------------------------------------------------+
    |                           Affected Versions                            |
    |------------------------------------------------------------------------|
    |     Product     | Release Series |                                     |
    |-----------------+----------------+-------------------------------------|
    |     Zaptel      |     1.2.x      | All versions prior to 1.2.22        |
    |-----------------+----------------+-------------------------------------|

[RT-SA-2011-006] Owl Intranet Engine: Information Disclosure and Unsalted Password Hashes

Details
=======

Product: Owl Intranet Engine
Affected Versions: 1.01, possibly all older versions
Fixed Versions: none
Vulnerability Type: Information Disclosure, Unsalted Password Hashes
Security Risk: low
Vendor URL: http://owl.anytimecomm.com
Vendor Status: decided not to fix

AST-2008-002: Two buffer overflows in RTP Codec Payload Handling

   |            | in total will be enforced. Any further RTP payloads will  |
   |            | be discarded.                                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           | Release |                                 |
   |                            | Series  |                                 |
   |----------------------------+---------+---------------------------------|
   |    Asterisk Open Source    |  1.0.x  | Unaffected                      |

802.1X password exploit on many HTC Android devices

--------------------------------------------------------------------------------
HTC


--------------------------------------------------------------------------------
Affected Versions:
--------------------------------------------------------------------------------
We have verified the following devices as having this issue (there may
be others including some non-HTC phones):
Desire HD  (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
Glacier - Version FRG83

Apache Struts 2 Multiple Reflected XSS in XWork error pages

        http://test.app.net/home.action?user=&password=&action!login:cantLogin<script>alert(document.cookie
        </script>=some_value


Affected Versions

All releases of Apache Struts 2 framework prior to 2.2.3 were found vulnerable to the above attacks.

Other open source and commercial products using XWork framework could be vulnerable to similar attacks. 


Netgear DG632 Router Authentication Bypass Vulnerability

This allows an attacker to enumerate what files and directories exist within
the www root directory and beyond by using 200, 403 and 404 errors as a guide.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 

AST-2009-003: SIP responses expose valid usernames

   | Resolution | Upgrade to one of the versions below, or apply one of the |
   |            | patches specified in the Patches section.                 |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |          Product           |  Release   |                              |
   |                            |   Series   |                              |
   |----------------------------+------------+------------------------------|
   |    Asterisk Open Source    |   1.2.x    | All versions prior to 1.2.32 |

AST-2007-026 - SQL Injection issue in cdr_pgsql

   +------------------------------------------------------------------------+
   |    Resolution    | Upgrade to Asterisk release 1.4.15 or higher.       |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |             Product              |   Release    |                      |
   |                                  |    Series    |                      |
   |----------------------------------+--------------+----------------------|
   |       Asterisk Open Source       |    1.0.x     | All versions         |

AST-2011-001: Stack buffer overflow in SIP channel driver

                                                                              
              The CALLERID(num) and CALLERID(name) channel values, and any    
              strings passed to the URIENCODE dialplan function should be     
              limited in this manner.                                         

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.2.x      All versions              
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source            1.6.x      All versions              
         Asterisk Open Source            1.8.x      All versions              

Re[2]: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

TN> This attack can be carried out internally within the network, or over the
TN> Internet
TN> if the administrator has enabled the "Remote Management" feature on the
TN> router.

TN> Affected Versions: Firmware V3.4.0_ap (others unknown)

TN> III. VENDOR RESPONSE

TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life

AST-2011-003:

   Resolution Failed writes to manager clients are flagged and the connection 
              closed.                                                         

    

   Affected Versions                 
   Product                           Release Series                           
   Asterisk Open Source              1.6.1.x         All versions             
   Asterisk Open Source              1.6.2.x         All versions             
   Asterisk Open Source              1.8.x           All versions             


[RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs

Details
=======

Product: Geo++(R) GNCASTER
Affected Versions: <= 1.4.0.7
Fixed Versions: 1.4.0.8
Vulnerability Type: Memory corruption
Security Risk: high
Vendor URL: http://www.geopp.de
Vendor Status: notified

[RT-SA-2009-001] IceWarp WebMail Server: Cross Site Scripting in Email View

Details
=======

Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: high
Vendor URL: http://www.icewarp.com/
Vendor Status: notified, fixed version released

FireGPG Passphrase And Cleartext Vulnerability

against a threat model that includes others gaining access to their
machines (either through hardware seizure or multiple user accounts)
should change their passphrases and scrub their disks.

=========================================================================
Affected Versions

All versions of FireGPG previous to 0.6 are vulnerable.  Version 0.6 was
released on 10/17/2008 in response to this issue.

- moxie

CVE-2008-1094 - Barracuda Spam Firewall SQL Injection Vulnerability

Barracuda Networks Technical Alert

http://www.barracudanetworks.com/ns/support/tech_alert.php


Affected Versions

Barracuda Spam Firewall (Firmware v3.5.11.020, Model 600)

Other products/versions might be affected.


Armorlogic Profense Web Application Firewall 2.4 multiple vulnerabilities.

ID: ES-20090500

Advisory URL: 
http://resources.enablesecurity.com/advisories/ES-20090500-profense.txt

Affected Versions: versions prior to 2.4.4 and 2.2.22 

Fixed versions: 2.4.4, 2.2.22 and later

Description:


AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode

   |            | is enabled and in another instance it is checked to be    |
   |            | non-NULL before being passed.                             |
   +------------------------------------------------------------------------+

   +------------------------------------------------------------------------+
   |                           Affected Versions                            |
   |------------------------------------------------------------------------|
   |            Product            |  Release   |                           |
   |                               |   Series   |                           |
   |-------------------------------+------------+---------------------------|
   |     Asterisk Open Source      |   1.0.x    | All versions              |

Vulnerability CVE-2008-3671 - MyReview's vulnerability in the access control system

point would be to subscribe to MyReview newsletter, if not done yet.

Version and platform Affected
Affected Platforms - Any
Affected Software - MyReview, http://myreview.intellagence.eu/
Affected Versions - Any (prior or equal to 1.9.9, as 2.0 is still in beta)
Severity - High

Requirements
Authentication - None
Access - Distant (Internet)

Kryptos Logic Advisory: IBM Tivoli Storage Manager (TSM) Local Root

Vendor Contacted...........: 2009-12-14
Fix from Vendor............: 2010-12-14
Advisory Published.........: 2010-12-15


=====[ Affected Versions

Vulnerable:
IBM TSM 6.1: 6.1.0.0 through 6.1.3.0
IBM TSM 5.5: 5.5.0.0 through 5.5.2.7
IBM TSM 5.4: 5.4.0.0 through 5.4.3.3

C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow

In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware as specified in our SysScan08 presentation, in order to cause harm to the grid.

Both documents are available at http://www.c4-security.com/index-5.html .

 
Affected Versions
-------------------------
PCU400 4.4
PCU400 4.5
PCU400 4.6
Other versions may be vulnerable, as they were not tested.

[RT-SA-2009-002] IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader

Details
=======

Product: IceWarp eMail Server / WebMail Server
Affected Versions: 9.4.1
Fixed Versions: 9.4.2
Vulnerability Type: Cross Site Scripting
Security Risk: medium
Vendor URL: http://www.icewarp.com/
Vendor Status: notified, fixed version released

Community Server - Stored Cross-Site Scripting in User's Signature

[img]invalid.jpg[url= onerror=alert(1) z=] a[/url][/img]

An alert will be shown in every topic the user posts in and also in its profile.


- Affected Versions:
Community Server 2007
(may affect others)


- Unaffected Versions:

[RT-SA-2011-003] Authentication Bypass in Configuration Import and Export of ZyXEL ZyWALL USG Appliances

         ZyWALL USG-300
         ZyWALL USG-1000
         ZyWALL USG-1050
         ZyWALL USG-2000
         Possibly other ZLD-based products
Affected Versions: Firmware Releases before April 25, 2011
Fixed Versions: Firmware Releases from or after April 25, 2011
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: http://www.zyxel.com/
Vendor Status: fixed version released

MVSA-10-009 / CVE-2010-0155 - IBM Proventia Network Mail Security System - CRLF Injection vulnerability

The following exploit allows forcing external browser redirects:

        url_placeholder/load.php?browVerOK=true&browVerPerfect=false&javaVersion=any%0D%0ALocation:     %20http://www.google.com%0D%0A&javaVendor=Sun%20Microsystems        %20Inc.&javaEnabled=true&welcome=true&detectionFlag=1&popupBlocked=no


Affected Versions

IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6)


Mitigation

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.