
Vendor Notification

FAA US Academy (AFS) - Auth Bypass Vulnerability

Report-Timeline:
================
2011-02-07:     Vendor Notification 1
2011-03-23:     Vendor Notification 2
2011-07-19:     Vendor Notification 3
2011-**-**:     Vendor Response/Feedback
2011-**-**:     Vendor Fix/Patch 
2012-01-28:     Public or Non-Public Disclosure

ARISg5 (Version 5.0) Cross Site Scripting Vulnerability

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
Feb 2010 Vendor Notification (Before Disclosure) 
Feb 2010 Public Disclosure

=====================
VI. CREDIT

Crystal Office Suite v1.43 - Buffer Overflow Vulnerability

A Vulnerability Laboratory researcher discovered a local buffer overflow vulnerability in Crystal Office Suite v1.43.


Report-Timeline:
================
2012-04-02:     Vendor Notification 1
2012-04-08:     Vendor Notification 2
2012-04-09:     Vendor Response/Feedback
2012-04-12:     Public or Non-Public Disclosure



PHP Volunteer Management 'id' 1.0.2 Multiple Vulnerabilities

##### ToC #####

0x01 Description
0x02 XSS
0x03 SQL Injection
0x04 Vendor Notification

##### 0x01 Description #####

PHP Volunteer Management is software for keeping track of volunteer
hours worked and location assignments. This system is built on

Aris AGX agXchange ESM Cross Site Scripting Vulnerability

=====================
V. DISCLOSURE TIMELINE
=====================

Jan 2009 Vulnerability found
Jan 2009 Vendor Notification
March 2010 Public Disclosure

=====================
VI. CREDIT
=====================

XSS vulnerability in Expression CMS

Vulnerability ID: HTB22618
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_expression_cms_1.html
Product: Expression 
Vendor: Backbone Technology ( http://www.backbonetechnology.com ) 
Vulnerable Version: Current at 18.09.2010 and Probably Prior Versions
Vendor Notification: 22 September 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS (cross site scripting) vulnerability in Serendipity

Vulnerability ID: HTB22595
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_serendipity.html
Product: Serendipity
Vendor: Serendipity Team ( http://www.s9y.org/ ) 
Vulnerable Version: 1.5.3 and probably prior versions
Vendor Notification: 26 August 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in Pixie

Vulnerability ID: HTB22468
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pixie.html
Product: Pixie
Vendor: Toggle Labs Ltd ( http://www.getpixie.co.uk/ ) 
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 01 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in BXR

Vulnerability ID: HTB22504
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_bxr.html
Product: BXR
Vendor: Hulihan Applications ( http://hulihanapplications.com/projects/bxr ) 
Vulnerable Version: 0.6.8 and Probably Prior Versions
Vendor Notification: 22 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


Team SHATTER Security Advisory: Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02)

Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
http://www.appsecinc.com/resources/alerts/oracle/2008-01.shtml

Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 4/15/2008
Public Disclosure - 4/28/2008

Application Security, Inc's database security solutions have helped over

SQL injection vulnerability in ImpressPages CMS

Vulnerability ID: HTB22385
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_impresspages_cms_1.html
Product: ImpressPages CMS
Vendor: Apro Media
Vulnerable Version: 1.0.4 and Probably Prior Versions
Vendor Notification: 12 May 2010 
Vulnerability Type: SQL Injection
Status: Fixed by Vendor
Risk level: Low 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 


Application Logic Error in DT Centrepiece

Vulnerability ID: HTB22522
Reference: http://www.htbridge.ch/advisory/application_logic_error_in_dt_centrepiece.html
Product: DT Centrepiece
Vendor: DT Services ( http://www.dt.net.nz/ ) 
Vulnerable Version: 4.5 and Probably Prior Versions
Vendor Notification: 22 July 2010 
Vulnerability Type: Application Logic Error
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in gpEasy CMS

Vulnerability ID: HTB22370
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_gpeasy_cms.html
Product: gpEasy CMS
Vendor: gpeasy
Vulnerable Version: 1.6.2 and Probably Prior Versions
Vendor Notification: 05 May 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Fixed by Vendor
Risk level: Medium 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 


SQL injection vulnerability in MODx CMS and Application Framework

Vulnerability ID: HTB22413
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_modx_cms_and_application_framework_1.html
Product: MODx CMS and Application Framework
Vendor: MODx 
Vulnerable Version: 1.0.3 and Probably Prior Versions
Vendor Notification: 28 May 2010 
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 


SQL injection vulnerability in WebDB

Vulnerability ID: HTB22429
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_webdb.html
Product: WebDB
Vendor: Lois Software
Vulnerable Version: 2.0a and Probably Prior Versions
Vendor Notification: 10 June 2010 
Vulnerability Type: SQL Injection
Status: Fixed by Vendor
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


JSPWiki Multiple Vulnerabilities

The non-existent number must be between 1 and 10 characters long;
otherwise a standard 500 error will be displayed.



Vendor Notification
------------------------------------------------------------
The JSPWiki project was notified on September 10, 2007.  Janne
Jalkanen developed and implemented a fix by September 18, 2007.



FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default installation
Vendor:         http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor to fix.

XSS vulnerability in DT Centrepiece

Vulnerability ID: HTB22520
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_dt_centrepiece_1.html
Product: DT Centrepiece
Vendor: DT Services ( http://www.dt.net.nz/ ) 
Vulnerable Version: 4.5 and Probably Prior Versions
Vendor Notification: 22 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


SQL injection vulnerability in Elxis CMS

Vulnerability ID: HTB22613
Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_elxis_cms.html
Product: Elxis CMS
Vendor: Elxis Team ( http://www.elxis.org/ ) 
Vulnerable Version: 2009.2 electra rev2631 and probably prior versions
Vendor Notification: 20 September 2010 
Vulnerability Type: SQL Injection
Status: Fixed by Vendor
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


Stored XSS vulnerability in synType CMS comment text field

Vulnerability ID: HTB22417
Reference: http://www.htbridge.ch/advisory/stored_xss_vulnerability_in_syntype_cms_comment_text_field.html
Product: synType CMS
Vendor: MindArray GbR
Vulnerable Version: V.0.12.2 and Probably Prior Versions
Vendor Notification: 03 June 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


Team SHATTER Security Advisory: Multiple SQL Injection vulnerabilities in Oracle Enterprise Manager

Application Security, Inc advisory: http://www.appsecinc.com/resources/alerts/oracle/2009-04.shtml
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html


Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 7/14/2009
Public Disclosure - 7/22/2009

Application Security, Inc's database security solutions have helped over 1,600 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.

XSS vulnerability in Ronny CMS

Vulnerability ID: HTB22622
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_ronny_cms.html
Product: Ronny CMS
Vendor: TO4KA Programming Team ( http://ronny-cms.ru/ ) 
Vulnerable Version: 1.1 r935 and probably prior versions
Vendor Notification: 29 September 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in SyndeoCMS

Vulnerability ID: HTB22492
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_syndeocms_1.html
Product: SyndeoCMS
Vendor: The SyndeoCMS team ( http://www.syndeocms.org/ ) 
Vulnerable Version: 2.9.0 and Probably Prior Versions
Vendor Notification: 12 July 2010 
Vulnerability Type: Stored XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


LFI in Novaboard

Vulnerability ID: HTB22657
Reference: http://www.htbridge.ch/advisory/lfi_in_novaboard.html
Product: Novaboard 
Vendor: Novaboard  ( http://www.novaboard.net/ ) 
Vulnerable Version: 1.1.4 and probably prior versions 
Vendor Notification: 13 October 2010 
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


LFI in eoCMS

Vulnerability ID: HTB22676
Reference: http://www.htbridge.ch/advisory/lfi_in_eocms_1.html
Product: eoCMS
Vendor: eocms.com ( http://eocms.com ) 
Vulnerable Version: 0.9.04
Vendor Notification: 21 October 2010 
Vulnerability Type: Local File Inclusion
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS in Saurus CMS

Vulnerability ID: HTB22361
Reference: http://www.htbridge.ch/advisory/xss_in_saurus_cms.html
Product: Saurus CMS Community Edition
Vendor: Saurused Ltd
Vulnerable Version: 4.7.0
Vendor Notification: 27 April 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA (http://www.htbridge.ch/) 


Re: XSS vulnerability in Pluck

: Vulnerability ID: HTB22610
: Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluck.html
: Vulnerable Version: 4.6.3 and probably prior versions
: Vendor Notification: 15 September 2010 
: Vulnerability Type: XSS (Cross Site Scripting)
: Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
: Risk level: Medium 
: Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in PluXml

Vulnerability ID: HTB22633
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_pluxml_2.html
Product: PluXml
Vendor: PluXml Team ( http://pluxml.org/ ) 
Vulnerable Version: 5.0.1 and probably prior versions
Vendor Notification: 29 September 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


XSS vulnerability in Spitfire

Vulnerability ID: HTB22485
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_spitfire_2.html
Product: Spitfire
Vendor: Claus Muus ( http://spitfire.clausmuus.de/ ) 
Vulnerable Version: 1.0.336 and Probably Prior Versions
Vendor Notification: 08 July 2010 
Vulnerability Type: XSS (Cross Site Scripting)
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.