iUSB v1.2 iOS – Arbitrary Code Execution Vulnerability

Posted by Vulnerability Lab on Dec 16 Document Title: =============== iUSB v1.2 iOS – Arbitrary Code Execution Vulnerability References (Source): ====================http://www.vulnerability-lab.com/get_content.php?id=1374 Release Date: ============= 2014-12-10 Vulnerability Laboratory ID (VL-ID): ==================================== 1374 Common Vulnerability Scoring System: ==================================== 8.7 Product & Service Introduction:…

[Onapsis Security Advisory 2014-034] SAP Business Objects Search Token Privilege Escalation via CORBA

Posted by Onapsis Research Labs on Dec 16 Onapsis Security Advisory ONAPSIS-2014-034: SAP Business Objects Search Token Privilege Escalation via CORBA 1. Impact on Business ===================== By exploiting this vulnerability a remote and potentially unauthenticated attacker would be able to access or modify any information stored on the SAP BusineesObjects server. The attacker could also connect to the business systems …

[SE-2014-02] Google App Engine Java security sandbox bypasses (status update)

Posted by Security Explorations on Dec 16 Hello All, We would like to provide a status update to the initial announcement [1] made a week ago regarding our SE-2014-02 security research project targeting Google App Engine for Java. Information regarding vulnerabilities and associated PoC codes (Issues 1-22 / unconfirmed Issues 23-35) was sent to Google on Dec 07, 2014. Google …

CVE-2014-5438: Arris TG862G – Cross-site Scripting (XSS)

Posted by Seth Art on Dec 16 ———– Vendor: ———– Arris Interactive, LLC (http://www.arrisi.com/) ISP: Comcast Xfinity —————————————– Affected Products/Versions: —————————————– HW: Arris Touchstone TG862G/CT (Xfinity branded) SW: Version 7.6.59S.CT (Tested) —————– Description: —————– Title: Cross-site Scripting (XSS) CVE: CVE-2014-5438 CWE: CWE-79:…

CVE-2014-5437: Arris TG862G – Cross-site Request Forgery (CSRF)

Posted by Seth Art on Dec 16 ———– Vendor: ———– Arris Interactive, LLC (http://www.arrisi.com/) ISP: Comcast Xfinity —————————————– Affected Products/Versions: —————————————– HW: Arris Touchstone TG862G/CT (Xfinity branded) SW: Version 7.6.59S.CT (Tested) —————– Description: —————– Title: Cross-site Request Forgery (CSRF) CVE: CVE-2014-5437 CWE: CWE-352:…

fulldisclosure:你的文件

Posted by 庄容如 on Dec 16 庄容如:您好!! 《销售精英技能提升训练营》 【培训时间】2014年12月13-14北京、12月18-19上海、12月20-21深圳 【培训对象】总经理、销售总监、区域经理、销售经理、业务代表、销售培训专员等。 【授课方式】讲师讲授 + 视频演绎 + 案例研讨 +角色扮演 + 讲师点评 + 落地工具 【培训费用】1980元/2天/1人,(含资料费、午餐、茶点)…

CA20141215-01: Security Notice for CA LISA Release Automation

Posted by Williams, Ken on Dec 16 CA20141215-01: Security Notice for CA LISA Release Automation Issued: December 15, 2014 CA Technologies Support is alerting customers to multiple vulnerabilities in CA Release Automation (formerly CA LISA Release Automation, change effective 2014-09-19). The first vulnerability, CVE-2014-8246, is a cross-site request forgery (CSRF) issue related to insufficient validation. A remote attacker can potentially …

Defense in depth — the Microsoft way (part 23): two quotes or not to quote…

Posted by Stefan Kanthak on Dec 15 Hi @ll, some Windows commands/programs fail when (one of) their command line argument(s) is/are enclosed in quotes; for example: %SystemRoot%System32FontView.Exe “<pathname>.TTF” %SystemRoot%System32FONTVIEW.Exe /P “<filename>.TTF” %SystemRoot%System32RunDLL32.Exe %SystemRoot%System32SetupAPI.Dll,InstallHinfSection <section> <flags> “<pathname>.INF” The failure messages shown…

Rooted CON 2014 talks (dubbed into english) are now online

Posted by omarbv on Dec 15 Hello, Maybe you are interested in take a look to the talks given in the last RootedCON edition, now are avalaible in Youtube 🙂 https://www.youtube.com/playlist?list=PLUOjNfYgonUvwqY2EOzeJlHgZEsQc_Hvh Br, — RootedCON – www.rootedcon.es @omarbv

Docker 1.3.3 – Security Advisory [11 Dec 2014]

Posted by Eric Windisch on Dec 15 Docker 1.3.3 has been released to address several vulnerabilities and is immediately available for all supported platforms: https://docs.docker.com/installation/ <https://docs.docker.com/installation/> This release addresses vulnerabilities which could be exploited by a malicious Dockerfile, image, or registry to compromise a Docker host, modify images, or spoof official repository images. Note that today we also saw the …