HP ArcSight ESM and ArcSight ESM Express CVE-2017-14356 SQL Injection Vulnerability

Bugtraq ID: 101627
Class: Input Validation Error
CVE: CVE-2017-14356

Remote: Yes
Local: No
Published: Oct 31 2017 12:00AM
Updated: Nov 01 2017 12:05AM
Credit: Cosmin Maier from Zeroday.PRO Threat Research Lab
Vulnerable:

HP ArcSight ESM Express 6.0
HP ArcSight ESM 6.8
HP ArcSight ESM 6.5
HP ArcSight ESM 6.0

Not Vulnerable:

HP ArcSight ESM Express 6.9.1c Patch 4
HP ArcSight ESM Express 6.11.0 Patch 1
HP ArcSight ESM 6.9.1c Patch 4
HP ArcSight ESM 6.11.0 Patch 1

McAfee Network Data Loss Prevention CVE-2017-3933 Unspecified Cross Site Scripting Vulnerability

Bugtraq ID: 101628
Class: Input Validation Error
CVE: CVE-2017-3933

Remote: Yes
Local: No
Published: Oct 31 2017 12:00AM
Updated: Nov 01 2017 12:05AM
Credit: State Bank Of India.
Vulnerable:

McAfee Network Data Loss Prevention 9.2.2
McAfee Network Data Loss Prevention 9.2.1
McAfee Network Data Loss Prevention 9.3
McAfee Network Data Loss Prevention 9.2.0
McAfee Network Data Loss Prevention 9.1
McAfee Network Data Loss Prevention 9.0
McAfee Network Data Loss Prevention 8.6

Not Vulnerable:

McAfee Network Data Loss Prevention 9.3.4.1.5

Trihedral Engineering Limited VTScada ICSA-17-304-02 Multiple Local Security Vulnerabilities

Bugtraq ID: 101629
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Oct 31 2017 12:00AM
Updated: Nov 01 2017 12:05AM
Credit: Karn Ganeshen and Mark Cross.
Vulnerable:

Trihedral Engineering Limited VTScada 11.3.3
Trihedral Engineering Limited VTScada 11.3.2

Not Vulnerable:

Trihedral Engineering Limited VTScada 11.3.5

WordPress 4.8.3 Security Release

WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change; the developer note has the details.
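The pattern behind the advisory, as an added JavaScript model that is not WordPress's own PHP: prepareOld() reproduces the substitution steps of the pre-4.8.3 wpdb::prepare() (wrap a bare %s in quotes, escape the arguments, vsprintf the template), and prepareNew() reproduces the hardening the release note describes, in which esc_sql() and prepare() swap a literal '%' for a placeholder token that is turned back into '%' only when the query is sent. The escaping routine, the token value, the query shape, the plugin-style search functions and the attacker input are all constructed for this example.

```javascript
// Added example, not code from WordPress: a model of the substitution logic
// that made prepare() unsafe when untrusted text reached its *template*, and
// of the 4.8.3-style placeholder escaping that closes the hole.
// Assumptions: escaping is modelled as backslash-escaping quotes and
// backslashes (mysql_real_escape_string also leaves '%' alone), and
// PLACEHOLDER_TOKEN stands in for the random per-request token WordPress uses.

const PLACEHOLDER_TOKEN = "{e2f1a9c4-placeholder}"; // constructed value

function escSqlOld(value) {
  return String(value).replace(/[\\'"]/g, (c) => "\\" + c);
}

function escSqlNew(value) {
  // 4.8.3 behaviour: an escaped value can never be read as a format directive.
  return escSqlOld(value).replace(/%/g, PLACEHOLDER_TOKEN);
}

function removePlaceholderEscape(sql) {
  // Called once, immediately before the SQL is handed to the database.
  return sql.split(PLACEHOLDER_TOKEN).join("%");
}

// Minimal vsprintf: %s %d %f %F %% and positional forms such as %1$s.
function vsprintf(format, args) {
  let next = 0;
  return format.replace(/%(?:(\d+)\$)?([sdfF%])/g, (_m, pos, conv) => {
    if (conv === "%") return "%";
    const idx = pos ? Number(pos) - 1 : next++;
    if (idx >= args.length) throw new Error("vsprintf: too few arguments");
    const v = args[idx];
    if (conv === "d") return String(parseInt(v, 10) || 0);
    if (conv === "f" || conv === "F") return String(parseFloat(v) || 0);
    return String(v);
  });
}

// Pre-4.8.3 model: only a bare "%s" is wrapped in quotes, so a numbered
// placeholder such as "%1$s" is substituted unquoted.
function prepareOld(query, ...args) {
  let q = query.replace(/'%s'/g, "%s").replace(/"%s"/g, "%s");
  q = q.replace(/(?<!%)%s/g, "'%s'");
  return vsprintf(q, args.map(escSqlOld));
}

// 4.8.3-style model: numbered %s placeholders are quoted too, a stray '%' is
// neutralised, arguments are placeholder-escaped, and so is the output, so a
// prepared string fed back into prepare() cannot smuggle in directives.
function prepareNew(query, ...args) {
  let q = query.replace(/'%(\d+\$)?s'/g, "%$1s").replace(/"%(\d+\$)?s"/g, "%$1s");
  q = q.replace(/(?<!%)%(\d+\$)?s/g, "'%$1s'");
  q = q.replace(/%(?:%|$|(?!(\d+\$)?[sdfF]))/g, "%%");
  const sql = vsprintf(q, args.map(escSqlNew));
  return sql.replace(/%/g, PLACEHOLDER_TOKEN);
}

// The plugin anti-pattern the note warns about (constructed): request-controlled
// text is concatenated into the template (a sort column, "protected" only by
// esc_sql), while another request value goes through the argument list.
function searchOld(sortColumn, title) {
  return prepareOld(
    "SELECT ID, post_title FROM wp_posts WHERE post_title = %s ORDER BY " + escSqlOld(sortColumn),
    title
  );
}

function searchNew(sortColumn, title) {
  const sql = prepareNew(
    "SELECT ID, post_title FROM wp_posts WHERE post_title = %s ORDER BY " + escSqlNew(sortColumn),
    title
  );
  return removePlaceholderEscape(sql);
}

// Constructed attacker input: the sort column is a positional placeholder that
// re-uses argument 1 unquoted; argument 1 is a boolean-blind ORDER BY payload.
const ATTACK_SORT = "%1$s";
const ATTACK_TITLE =
  "IF((SELECT ASCII(SUBSTR(user_pass,1,1)) FROM wp_users WHERE ID=1)=36, post_date, post_title)";

console.log(searchOld(ATTACK_SORT, ATTACK_TITLE)); // payload lands unquoted after ORDER BY
console.log(searchNew(ATTACK_SORT, ATTACK_TITLE)); // ends in "ORDER BY %1$s": a syntax error, not injection
console.log(searchNew("post_date", "100% done")); // a '%' in a value survives the round trip
```

searchOld() shows what the note means by an unexpected query: the untrusted sort column "%1$s" is not a bare "%s", so the old quoting step ignores it and vsprintf substitutes argument 1 a second time, unquoted, after ORDER BY. The same inputs through searchNew() yield "ORDER BY %1$s", a syntax error rather than an injection, while a legitimate '%' in a value still comes back intact. The rule is the same under either version: untrusted text belongs in prepare()'s argument list, never in its template.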

Thank you to the reporter of this issue for practicing responsible disclosure.

Download WordPress 4.8.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.3.


Firefox 58 to Block Canvas Browser Fingerprinting By Default to Stop Online Tracking


Did you know? Thousands of websites use HTML5 Canvas, a feature supported by all major browsers that lets a page draw graphics dynamically, to track and potentially identify users across websites by secretly fingerprinting their web browsers.

Over three years ago, the concern surrounding browser fingerprinting was highlighted by computer security researchers from Princeton University and KU Leuven in Belgium.

In 2014, the researchers demonstrated how the browser's native Canvas element can be used to render a fixed image whose pixels differ subtly from machine to machine (GPU, graphics driver, installed fonts and anti-aliasing all leave their mark) and hash the result into a number, a fingerprint, that identifies the device.

These fingerprints are then used to recognise the same user when they visit affiliated websites and to build a profile of their browsing habits, which is shared among advertising partners for targeted advertising.
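As an added illustration of the technique the study describes, and not code from Mozilla or from the researchers: a minimal canvas fingerprinter in JavaScript. In a browser, canvasFingerprint() with no argument draws a fixed scene and hashes the rendered pixels; the optional parameter and the makeFakeCanvas() helper (with its fixed, constructed data URL) exist only so the same function can be exercised outside a browser. The scene, the hash choice and the helper are assumptions of this example.

```javascript
// Added example, not code from the original article or from Mozilla: a
// minimal canvas fingerprinter. The drawing is identical on every machine;
// what differs is how each GPU, driver, font stack and anti-aliasing setting
// rasterises it, and that difference is what the hash captures.

function fnv1a32(str) {
  // FNV-1a, 32-bit: a cheap, dependency-free stable hash for the demo.
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function drawFingerprintScene(ctx) {
  // Text with an emoji and mixed glyphs exercises font fallback and hinting.
  ctx.textBaseline = "top";
  ctx.font = "14px 'Arial'";
  ctx.fillStyle = "#f60";
  ctx.fillRect(125, 1, 62, 20);
  ctx.fillStyle = "#069";
  ctx.fillText("Cwm fjordbank glyphs vext quiz, \u{1F600}", 2, 15);
  ctx.fillStyle = "rgba(102, 204, 0, 0.7)";
  ctx.fillText("Cwm fjordbank glyphs vext quiz, \u{1F600}", 4, 17);
  // Overlapping translucent arcs exercise the blending implementation.
  ctx.globalCompositeOperation = "multiply";
  for (const [color, x] of [["rgb(255,0,255)", 50], ["rgb(0,255,255)", 100], ["rgb(255,255,0)", 75]]) {
    ctx.fillStyle = color;
    ctx.beginPath();
    ctx.arc(x, 50, 50, 0, Math.PI * 2, true);
    ctx.closePath();
    ctx.fill();
  }
}

function canvasFingerprint(canvas = document.createElement("canvas")) {
  canvas.width = 220;
  canvas.height = 100;
  const ctx = canvas.getContext("2d");
  drawFingerprintScene(ctx);
  // toDataURL() is the step that reads the rendered pixels back out; it is
  // this kind of image-data read that the Firefox prompt described below gates.
  return fnv1a32(canvas.toDataURL("image/png"));
}

// Constructed stand-in canvas so the function can run outside a browser:
// every drawing call is a no-op and toDataURL() returns a fixed string, the
// value a real browser would vary per machine.
function makeFakeCanvas(dataUrl) {
  const noop = () => {};
  return {
    width: 0,
    height: 0,
    getContext: () => ({ fillRect: noop, fillText: noop, beginPath: noop, arc: noop, closePath: noop, fill: noop }),
    toDataURL: () => dataUrl,
  };
}

if (typeof document !== "undefined") {
  console.log("browser fingerprint:", canvasFingerprint());
} else {
  console.log("fake fingerprint:", canvasFingerprint(makeFakeCanvas("data:image/png;base64,constructedA")));
}
```

The script never reads cookies or storage: the identifier comes entirely from how the machine renders the scene, which is why clearing site data does not reset it, and why a browser can only defend by lying about the pixels or, as Firefox 58 does, by asking before handing them over.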

Since then, many third-party add-ons (for example Canvas Defender) have appeared to help users detect and block canvas fingerprinting, but no web browser other than Tor Browser blocks it by default.

Good news: the wait is over.

Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will let users block canvas fingerprinting.

According to a discussion on Mozilla's bug tracker, the browser will explicitly ask for the user's permission whenever a website or service attempts to read HTML5 canvas image data.

The permission prompt that Firefox displays reads:

“Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer.”

When you see this prompt, you decide whether to let the site read the canvas or to block it, and you can tick the “always remember my decision” box so the choice is applied on future visits as well.

The feature is scheduled to reach every Firefox user with Firefox 58 in January 2018; those who want to try it early can install the latest pre-release build, Firefox Nightly.

Besides providing users control over canvas fingerprinting, Firefox 58 will also remove the controversial WoSign and its subsidiary StartCom root certificates from Mozilla’s root store.

With Firefox 52, Mozilla had already stopped websites from accessing the Battery Status API and certain details of the visitor's device, and had added protection against system-font fingerprinting.