The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability announce 15037

SSL: revocation of CCA

Synthesis of the vulnerability

The Government of India Controller of Certifying Authorities certification authority emitted certificates to spoof several Google domains.
Impacted products: Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, SSL protocol.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 11/07/2014.
Identifiers: 2982792, VIGILANCE-VUL-15037.

Description of the vulnerability

The Government of India Controller of Certifying Authorities certification authority emitted certificates to spoof several Google domains (VIGILANCE-ACTU-4436).

It is thus recommended to delete this certification authority or to update the Certificate Trust List.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2014-4856

WordPress Polldaddy Polls and Ratings: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of WordPress Polldaddy Polls and Ratings, in order to execute JavaScript code in the context of the web site.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/07/2014.
Identifiers: CVE-2014-4856, VIGILANCE-VUL-15036.

Description of the vulnerability

The Polldaddy Polls and Ratings plugin can be installed on WordPress.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of WordPress Polldaddy Polls and Ratings, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2013-5567

Cisco ASA: infinite loop of Filter Inspect

Synthesis of the vulnerability

When the Filter and Inspect features are enabled, an attacker can generate an infinite loop in Cisco ASA, in order to trigger a denial of service.
Impacted products: ASA.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 11/07/2014.
Identifiers: CSCui45606, CVE-2013-5567, VIGILANCE-VUL-15035.

Description of the vulnerability

When the Filter and Inspect features are enabled, an attacker can generate an infinite loop in Cisco ASA, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-0475

glibc: directory traversal of Locale

Synthesis of the vulnerability

An attacker can traverse directories with a special Locale path sent to an application compiled for the glibc, in order to read a file located outside the Locales directory for example.
Impacted products: Debian, Fedora, openSUSE, RHEL, Slackware, Ubuntu, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 11/07/2014.
Identifiers: 17137, CVE-2014-0475, DSA-2976-1, FEDORA-2014-9824, FEDORA-2014-9830, MDVSA-2014:152, MDVSA-2015:168, openSUSE-SU-2014:1115-1, RHSA-2014:1110-01, RHSA-2014:1118-01, SSA:2014-296-01, USN-2306-1, USN-2306-2, USN-2306-3, VIGILANCE-VUL-15034.

Description of the vulnerability

The LC_* and LANG environment variable defines the Locale: format of time, currency, language, etc.

However, sequences such as "/.." can be used to go in the upper directory of the path used by the glibc to store Locales. An attacker can therefore force a malicious Locale to be loaded (for example via OpenSSH configured to use ForceCommand).

An attacker can therefore traverse directories with a special Locale path sent to an application compiled for the glibc, in order to read a file located outside the Locales directory for example.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2014-4910

X.Org: directory traversal of Intel backlight_helper

Synthesis of the vulnerability

An attacker can traverse directories via Intel backlight_helper of X.Org, in order to read a file with root privileges.
Impacted products: XOrg Bundle ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/07/2014.
Identifiers: CVE-2014-4910, VIGILANCE-VUL-15033.

Description of the vulnerability

The X.Org product has an Intel driver, which provides the backlight_helper tool.

This tool builds the access path using the interface name:
  "/sys/class/backlight/%s/brightness"

However, sequences such as "/.." can be used to go in the upper directory.

An attacker can therefore traverse directories via Intel backlight_helper of X.Org, in order to read a file with root privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2014-3319

Cisco Unified Communications Manager: directory traversal of RTMT

Synthesis of the vulnerability

An attacker can traverse directories in RTMT of Cisco Unified Communications Manager, in order to read a file outside the service root path.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 10/07/2014.
Identifiers: CSCup57676, CVE-2014-3319, VIGILANCE-VUL-15032.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, user's data are directly inserted in an access path. Sequences such as "/.." can thus be used to go in the upper directory.

An attacker can therefore traverse directories in RTMT of Cisco Unified Communications Manager, in order to read a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2014-4700

Citrix XenDesktop: privilege escalation via Pooled Random Desktop Groups

Synthesis of the vulnerability

An attacker can use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.
Impacted products: XenDesktop.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user account.
Creation date: 10/07/2014.
Identifiers: CERTFR-2014-AVI-310, CTX139591, CVE-2014-4700, VIGILANCE-VUL-15031.

Description of the vulnerability

The Citrix XenDesktop product can be deployed in mode Pooled Random Desktop Groups, with ShutdownDesktopsAfterUse disabled.

However, in this configuration, an attacker can access to the desktop of another user.

An attacker can therefore use a Pooled Random Desktop Group of Citrix XenDesktop, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2014-3315

Cisco Unified Communications Manager: Cross Site Scripting of DNA viewfilecontents.do

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in DNA viewfilecontents.do of Cisco Unified Communications Manager, in order to execute JavaScript code in the context of the web site.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 10/07/2014.
Identifiers: CSCup76308, CVE-2014-3315, VIGILANCE-VUL-15030.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting in DNA viewfilecontents.do of Cisco Unified Communications Manager, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2014-3316

Cisco Unified Communications Manager: file upload via DNA

Synthesis of the vulnerability

An attacker can upload a malicious file via DNA on Cisco Unified Communications Manager, in order for example to upload a Trojan.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: user access/rights, data creation/edition.
Provenance: intranet client.
Creation date: 10/07/2014.
Identifiers: CSCup76297, CVE-2014-3316, VIGILANCE-VUL-15029.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

It can be used to upload a file. However, this file can be uploaded in an restricted directory on the server.

An attacker can therefore upload a malicious file via DNA on Cisco Unified Communications Manager, in order for example to upload a Trojan.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2014-3317

Cisco Unified Communications Manager: denial of service via DNA

Synthesis of the vulnerability

An attacker can delete files via DNA of Cisco Unified Communications Manager, in order to trigger a denial of service.
Impacted products: Cisco CUCM.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 10/07/2014.
Identifiers: CSCup76314, CVE-2014-3317, VIGILANCE-VUL-15028.

Description of the vulnerability

The Cisco Unified Communications Manager product offers a web service.

However, user's data are directly inserted in an access path. Sequences such as "/.." can thus be used to go in the upper directory to delete files.

An attacker can therefore delete files via DNA of Cisco Unified Communications Manager, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

Previous page   Next page

Direct access to page 1 21 41 61 81 101 121 141 161 181 201 221 241 261 281 301 321 341 361 381 401 421 441 461 481 501 521 541 561 581 601 621 641 661 681 701 721 741 761 781 801 821 841 861 881 901 921 941 961 981 1001 1021 1041 1061 1081 1101 1121 1141 1161 1181 1201 1221 1241 1261 1281 1301 1321 1341 1361 1381 1401 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1441 1461 1481 1501 1521 1541 1561 1581 1601 1621 1641 1661 1681 1701 1721 1741 1761 1781 1801 1821 1841 1861 1881 1901 1921 1941 1961 1981 2001 2021 2041 2061 2081 2101 2121 2141 2161 2181 2201 2221 2241 2261 2281 2301 2321 2341 2361 2381 2401 2421 2441 2461 2481 2501 2521 2541 2561 2581 2601 2621 2641 2661 2681 2701 2721 2741 2761 2781 2801 2821