The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

computer vulnerability CVE-2016-7162

file-roller: file removal via symbolic linking

Synthesis of the vulnerability

An attacker can create an archive including symbolic links to be opened with file-roller, in order to delete user files.
Impacted products: openSUSE, openSUSE Leap, Solaris.
Severity: 2/4.
Consequences: data deletion.
Provenance: document.
Creation date: 20/09/2016.
Identifiers: bulletinjul2018, CVE-2016-7162, openSUSE-SU-2016:2338-1, VIGILANCE-VUL-20645.

Description of the vulnerability

An attacker can create an archive including symbolic links to be opened with file-roller, in order to delete user files.

vulnerability note 20644

WordPress Neosense: file upload via qquploader

Synthesis of the vulnerability

An attacker can upload a malicious file via qquploader on WordPress Neosense, in order for example to upload a Trojan.
Impacted products: WordPress Plugins ~ not comprehensive.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 20/09/2016.
Identifiers: VIGILANCE-VUL-20644.

Description of the vulnerability

The Neosense plugin can be installed on WordPress.

It can be used to upload a file. However, as the file type is not restricted, a PHP file can be uploaded to the server, and then invoked.

An attacker can therefore upload a malicious file via qquploader on WordPress Neosense, in order for example to upload a Trojan.

vulnerability bulletin 20643

SafeNet eToken PRO: vulnerability via APDU

Synthesis of the vulnerability

A vulnerability via APDU of SafeNet eToken PRO was announced.
Impacted products: SafeNet eToken.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: intranet client.
Creation date: 19/09/2016.
Identifiers: VIGILANCE-VUL-20643.

Description of the vulnerability

A vulnerability via APDU of SafeNet eToken PRO was announced.

vulnerability announce CVE-2016-7425

Linux kernel: buffer overflow via arcmsr_iop_message_xfer

Synthesis of the vulnerability

An attacker can generate a buffer overflow via arcmsr_iop_message_xfer() on the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Linux, openSUSE, openSUSE Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Creation date: 19/09/2016.
Identifiers: CERTFR-2016-AVI-393, CERTFR-2016-AVI-426, CERTFR-2017-AVI-001, CERTFR-2017-AVI-016, CERTFR-2017-AVI-034, CERTFR-2017-AVI-053, CERTFR-2017-AVI-054, CVE-2016-7425, DLA-670-1, DSA-3696-1, openSUSE-SU-2016:2583-1, openSUSE-SU-2016:2625-1, openSUSE-SU-2016:3021-1, SUSE-SU-2016:2912-1, SUSE-SU-2016:2976-1, SUSE-SU-2016:3069-1, SUSE-SU-2016:3304-1, SUSE-SU-2017:0181-1, SUSE-SU-2017:0333-1, SUSE-SU-2017:0471-1, SUSE-SU-2017:0494-1, USN-3144-1, USN-3144-2, USN-3145-1, USN-3145-2, USN-3146-1, USN-3146-2, USN-3147-1, USN-3161-1, USN-3161-2, USN-3161-3, USN-3161-4, USN-3162-1, USN-3162-2, VIGILANCE-VUL-20642.

Description of the vulnerability

The Linux kernel product offers a web service.

However, if the size of data from the SCSI command is greater than the size of the storage array, an overflow occurs in arcmsr_iop_message_xfer().

An attacker can therefore generate a buffer overflow via arcmsr_iop_message_xfer() on the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability alert CVE-2016-6415

Cisco IOS, IOS XR, IOS XE: information disclosure via IKE

Synthesis of the vulnerability

An attacker can read a memory fragment via IKE packets sent to a Cisco IOS, IOS XR or IOS XE router, in order to obtain sensitive information.
Impacted products: Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco Router.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 19/09/2016.
Identifiers: CERTFR-2016-ALE-007, cisco-sa-20160916-ikev1, CSCvb29204, CSCvb36055, CVE-2016-6415, VIGILANCE-VUL-20641.

Description of the vulnerability

The Cisco IOS, IOS XR and IOS XE products offer an IKE service, the signaling protocol for IPsec.

However, when an IKE version 1 packet is handled, the router may return the content of an uninitialized memory area in a response packet.

An attacker can therefore read a memory fragment via IKE packets sent to a Cisco IOS, IOS XR or IOS XE router, in order to obtain sensitive information.

vulnerability CVE-2016-5284

Mozilla Firefox: disabling of key validation of the add-on server update

Synthesis of the vulnerability

An attacker can use a valid TLS certificate for the Mozilla update server, in order to supply illicit browser extensions.
Impacted products: Debian, Fedora, Firefox, SeaMonkey, openSUSE, openSUSE Leap, RHEL, Slackware, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet server.
Creation date: 19/09/2016.
Identifiers: CVE-2016-5284, DLA-636-1, DLA-636-2, DSA-3674-1, FEDORA-2016-a6672dbd40, FEDORA-2016-de277b9183, MFSA-2016-86, openSUSE-SU-2016:2368-1, openSUSE-SU-2016:2386-1, RHSA-2016:1912-01, SSA:2016-265-02, USN-3076-1, VIGILANCE-VUL-20640.

Description of the vulnerability

Mozilla Firefox updates its add-ons from a dedicated server.

In order to avoid attacks using an illicit although cryptographically valid TLS certificate, Firefox monitors changes to the server's public keys. However, this check was erroneously disabled in version 48.

An attacker can therefore use a valid TLS certificate for the Mozilla update server, in order to supply illicit browser extensions.

computer vulnerability note CVE-2016-5017

Apache Zookeeper: buffer overflow

Synthesis of the vulnerability

An attacker can generate a buffer overflow of Apache Zookeeper, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 19/09/2016.
Identifiers: CVE-2016-5017, DLA-630-1, FEDORA-2016-54a717d5d6, FEDORA-2016-5557ccf1f9, VIGILANCE-VUL-20639.

Description of the vulnerability

An attacker can generate a buffer overflow of Apache Zookeeper, in order to trigger a denial of service, and possibly to run code.

computer vulnerability bulletin CVE-2016-6801

Apache Jackrabbit: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Apache Jackrabbit, in order to force the victim to perform operations.
Impacted products: Debian.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 19/09/2016.
Identifiers: CVE-2016-6801, DLA-629-1, DSA-3679-1, VIGILANCE-VUL-20638.

Description of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Apache Jackrabbit, in order to force the victim to perform operations.

computer vulnerability announce 20637

MIT krb5: security improvement via DES disabling

Synthesis of the vulnerability

The security of MIT krb5 was improved by disabling by default the DES encryption algorithm, which is now to be considered weak.
Impacted products: MIT krb5.
Severity: 1/4.
Consequences: no consequence.
Provenance: internet client.
Creation date: 19/09/2016.
Identifiers: VIGILANCE-VUL-20637.

Description of the vulnerability

This bulletin is about a security improvement.

It does not describe a vulnerability.

The security of MIT krb5 was therefore improved by disabling by default the DES encryption algorithm, which is now to be considered weak.

computer vulnerability alert CVE-2016-4855

php-adodb: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of php-adodb, in order to run JavaScript code in the context of the web site.
Impacted products: Fedora.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/09/2016.
Identifiers: CVE-2016-4855, FEDORA-2016-7d6ca385a4, FEDORA-2016-fed6f8c57d, VIGILANCE-VUL-20636.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting of php-adodb, in order to run JavaScript code in the context of the web site.
