The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of BES

security bulletin CVE-2017-3894

BlackBerry BES/UEM: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of BlackBerry BES/UEM, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 10/05/2017.
Identifiers: BSRT-2017-004, CVE-2017-3894, VIGILANCE-VUL-22699.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The BlackBerry BES/UEM product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of BlackBerry BES/UEM, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

security threat CVE-2016-3128 CVE-2016-3130

BlackBerry Enterprise Service: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of BlackBerry Enterprise Service.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/01/2017.
Identifiers: BSRT-2017-001, BSRT-2017-002, CVE-2016-3128, CVE-2016-3130, VIGILANCE-VUL-21549.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in BlackBerry Enterprise Service.

An attacker can bypass security features via Illegitimate Device, in order to escalate his privileges. [severity:2/4; BSRT-2017-001, CVE-2016-3128]

An attacker can bypass security features via Sniffing, in order to obtain sensitive information. [severity:2/4; BSRT-2017-002, CVE-2016-3130]
Full Vigil@nce bulletin... (Free trial)

computer threat announce CVE-2016-1916 CVE-2016-1917 CVE-2016-1918

BlackBerry Enterprise Service: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of BlackBerry Enterprise Service.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 13/04/2016.
Identifiers: BSRT-2016-003, BSRT-2016-004, BSRT-2016-005, CVE-2016-1916, CVE-2016-1917, CVE-2016-1918, CVE-2016-3126, VIGILANCE-VUL-19368.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in BlackBerry Enterprise Service.

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; BSRT-2016-003, CVE-2016-1916]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; BSRT-2016-004, CVE-2016-1917]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; BSRT-2016-004, CVE-2016-1918]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; BSRT-2016-005, CVE-2016-3126]
Full Vigil@nce bulletin... (Free trial)

computer weakness note CVE-2016-1914 CVE-2016-1915

BlackBerry Enterprise Service: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of BlackBerry Enterprise Service.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/02/2016.
Identifiers: 000038033, BSRT-2016-001, CVE-2016-1914, CVE-2016-1915, VIGILANCE-VUL-19000.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in BlackBerry Enterprise Service.

An attacker can use a SQL injection, in order to read or alter data. [severity:2/4; CVE-2016-1914]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-1915]
Full Vigil@nce bulletin... (Free trial)

cybersecurity vulnerability CVE-2016-1914 CVE-2016-1915

BlackBerry Enterprise Service: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of BlackBerry Enterprise Service.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/02/2016.
Revision date: 18/02/2016.
Identifiers: BSRT-2016-001, CVE-2016-1914, CVE-2016-1915, VIGILANCE-VUL-18943.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in BlackBerry Enterprise Service.

An attacker can use a SQL injection in the HTTP request parameter "imageName", in order to read or alter data. [severity:2/4; CVE-2016-1914]

An attacker can trigger a Cross Site Scripting in the HTTP request parameter "locale", in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-1915]
Full Vigil@nce bulletin... (Free trial)

computer weakness note CVE-2015-4112

BlackBerry Enterprise Service: Cross Frame Scripting of Management Console

Synthesis of the vulnerability

An attacker can trigger a Cross Frame Scripting in Management Console of BlackBerry Enterprise Service, in order to run JavaScript code in the context of the web site.
Severity: 2/4.
Creation date: 12/11/2015.
Identifiers: BSRT-2015-002, CVE-2015-4112, VIGILANCE-VUL-18296.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The BlackBerry Enterprise Service product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Frame Scripting in Management Console of BlackBerry Enterprise Service, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

computer threat alert CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Severity: 3/4.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer weakness alert CVE-2014-1469

BlackBerry Enterprise Service: information disclosure via activity log files

Synthesis of the vulnerability

An attacker can trigger an error with Enterprise Instant Messenger of BlackBerry Enterprise Service, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 14/08/2014.
Identifiers: BSRT-2014-007, CVE-2014-1469, VIGILANCE-VUL-15186.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The BlackBerry Enterprise Service product offers an Instant Messaging function.

Access to this service requires creation of a communication session and user authentication. However, in some cases, when an error occurs at the beginning or the end of session, the server records in its activity logs the secrets used for communication encryption or user authentication.

An attacker who can read the activity log files can therefore get sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer weakness announce CVE-2014-0195

OpenSSL: buffer overflow of DTLS

Synthesis of the vulnerability

An attacker can generate a buffer overflow via DTLS of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Severity: 3/4.
Creation date: 05/06/2014.
Identifiers: aid-06062014, c04336637, c04363613, c04368523, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, CERTFR-2014-AVI-291, cisco-sa-20140605-openssl, CTX140876, CVE-2014-0195, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBMU03069, HPSBUX03046, JSA10629, KB36051, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2016:0640-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, SA40006, SA80, SB10075, SOL15356, SSA:2014-156-03, SSRT101590, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14846, ZDI-14-173.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over the UDP protocol.

However, if the size of data of a DTLS fragment is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow via DTLS of OpenSSL, in order to trigger a denial of service, and possibly to execute code.
Full Vigil@nce bulletin... (Free trial)

computer weakness CVE-2014-0221

OpenSSL: denial of service via DTLS Recursion

Synthesis of the vulnerability

An attacker, who is located on a DTLS server, can use a malicious handshake, in order to trigger a denial of service in OpenSSL client applications.
Severity: 2/4.
Creation date: 05/06/2014.
Identifiers: aid-06062014, c04336637, c04363613, c04368523, CERTFR-2014-AVI-253, CERTFR-2014-AVI-254, CERTFR-2014-AVI-255, CERTFR-2014-AVI-260, CERTFR-2014-AVI-279, CERTFR-2014-AVI-286, cisco-sa-20140605-openssl, CTX140876, CVE-2014-0221, DOC-53313, DSA-2950-1, DSA-2950-2, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2014-7101, FEDORA-2014-7102, FG-IR-14-018, FreeBSD-SA-14:14.openssl, HPSBMU03069, HPSBUX03046, JSA10629, KB36051, MDVSA-2014:105, MDVSA-2014:106, MDVSA-2015:062, NetBSD-SA2014-006, openSUSE-SU-2014:0764-1, openSUSE-SU-2014:0765-1, openSUSE-SU-2016:0640-1, RHSA-2014:0625-01, RHSA-2014:0628-01, RHSA-2014:0679-01, RHSA-2014:1019-01, RHSA-2014:1020-01, RHSA-2014:1021-01, RHSA-2014:1053-01, SA40006, SA80, SB10075, SOL15343, SSA:2014-156-03, SSRT101590, SUSE-SU-2014:0759-1, SUSE-SU-2014:0759-2, SUSE-SU-2014:0761-1, SUSE-SU-2014:0762-1, USN-2232-1, USN-2232-2, USN-2232-3, USN-2232-4, VIGILANCE-VUL-14845.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL product implements DTLS, which uses a handshake.

However, a special handshake triggers an infinite recursion in the OpenSSL client.

An attacker, who is located on a DTLS server, can therefore use a malicious handshake, in order to trigger a denial of service in OpenSSL client applications.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.