wifi1
tower2
cat52
tower4
tower3
wifi2
cat51
wifi3
tower1
tower5
Security and Firewalls PDF Print E-mail
Written by Administrator   
Tuesday, April 26 2011 09:15

In today's internet, intrusion dectection is a must to ensure data reliablity for all parties. Nexus offers a state-of-the-art security solution to combat unauthorized access to your network. Firewalls are monitored contantly 24x7 by a trained staff with failsafe backup servers at every turn. Whether wirleline or wireless, Nexus has the manpower and resourses to protect your data.

 

Last Updated on Wednesday, March 27 2013 08:26
 

CERT Cyber Security Bulletins

US-CERT Bulletins
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • SB15-019: Vulnerability Summary for the Week of January 12, 2015
    Original release date: January 19, 2015

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    High Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 do not properly validate files, which has unspecified impact and attack vectors.2015-01-1310.0CVE-2015-0301
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0306.2015-01-1310.0CVE-2015-0303
    adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0309.2015-01-1310.0CVE-2015-0304
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion."2015-01-139.3CVE-2015-0305
    CONFIRM
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0303.2015-01-1310.0CVE-2015-0306
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via unspecified vectors.2015-01-138.5CVE-2015-0307
    adobe -- adobe_airUse-after-free vulnerability in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors.2015-01-1310.0CVE-2015-0308
    adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0304.2015-01-1310.0CVE-2015-0309
    awpcp -- another_wordpress_classifieds_pluginSQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.2015-01-137.5CVE-2014-10013
    XF
    EXPLOIT-DB
    MISC
    dev4press -- gd_star_ratingSQL injection vulnerability in the GD Star Rating plugin 19.22 for WordPress allows remote administrators to execute arbitrary SQL commands via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php.2015-01-127.5CVE-2014-2839
    XF
    FULLDISC
    divx -- directshowdemuxfilterMultiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and other Divx plugins, allow remote attackers to execute arbitrary code via a (1) negative or (2) large value in a Stream Format (STRF) chunk in an AVI file, which triggers a heap-based buffer overflow.2015-01-137.5CVE-2014-10024
    BID
    FULLDISC
    domphp -- domphpDirectory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.2015-01-137.5CVE-2014-10037
    XF
    EXPLOIT-DB
    OSVDB
    domphp -- domphpSQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.2015-01-137.5CVE-2014-10038
    XF
    EXPLOIT-DB
    MISC
    OSVDB
    fluxbb -- fluxbbSQL injection vulnerability in profile.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to execute arbitrary SQL commands via the req_new_email parameter.2015-01-137.5CVE-2014-10029
    XF
    SECUNIA
    FULLDISC
    MISC
    hancom -- hancom_office_2010_seBuffer overflow in Hancom Office 2010 SE allows remote attackers to execute arbitrary via a long string in the Text attribute in a TEXTART XML element in an HML file.2015-01-127.5CVE-2013-7420
    XF
    BUGTRAQ
    ibm -- pureapplication_systemMultiple directory traversal vulnerabilities in the file-upload feature in IBM PureApplication System 1.0 before 1.0.0.4 iFix 10, 1.1 before 1.1.0.5, and 2.0 before 2.0.0.1 and Workload Deployer 3.1.0.7 before IF5 allow remote authenticated users to execute arbitrary code via a (1) Script Package, (2) Add-On, or (3) Emergency Fixes component.2015-01-099.0CVE-2014-6158
    ibm -- aixlquerylv in cmdlvm in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x allows local users to gain privileges via a crafted DBGCMD_LQUERYLV environment-variable value.2015-01-157.2CVE-2014-8904
    XF
    AIXAPAR
    AIXAPAR
    AIXAPAR
    AIXAPAR
    AIXAPAR
    ismail_fahmi -- ganesha_digital_libraryMultiple SQL injection vulnerabilities in Ganesha Digital Library (GDL) 4.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) download.php or (2) main.php.2015-01-137.5CVE-2014-100031
    XF
    SECUNIA
    MISC
    itechscripts -- itechclassifiedsSQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685.2015-01-137.5CVE-2014-100020
    XF
    BID
    EXPLOIT-DB
    OSVDB
    libpng -- libpngHeap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16 might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.2015-01-1010.0CVE-2014-9495
    SECTRACK
    BID
    MLIST
    MISC
    MLIST
    licensepal -- arcticdeskSQL injection vulnerability in the ticket grid in the admin interface in LicensePal ArcticDesk before 1.2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2015-01-137.5CVE-2014-100035
    linux -- linux_kernelRace condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.2015-01-097.2CVE-2014-9529
    CONFIRM
    MLIST
    CONFIRM
    maianscriptworld -- maian_uploaderSQL injection vulnerability in admin/data_files/move.php in Maian Uploader 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.2015-01-137.5CVE-2014-10004
    XF
    MISC
    OSVDB
    microsoft -- windows_7The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."2015-01-137.2CVE-2015-0002
    MISC
    MISC
    MISC
    microsoft -- windows_7The User Profile Service (aka ProfSvc) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges by conducting a junction attack to load another user's UsrClass.dat registry hive, aka MSRC ID 20674 or "Microsoft User Profile Service Elevation of Privilege Vulnerability."2015-01-137.2CVE-2015-0004
    MISC
    microsoft -- windows_7Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows Telnet Service Buffer Overflow Vulnerability."2015-01-1310.0CVE-2015-0014
    microsoft -- windows_server_2003Microsoft Windows Server 2003 SP2, Server 2008 SP2 and R2 SP1, and Server 2012 Gold and R2 allow remote attackers to cause a denial of service (system hang and RADIUS outage) via crafted username strings to (1) Internet Authentication Service (IAS) or (2) Network Policy Server (NPS), aka "Network Policy Server RADIUS Implementation Denial of Service Vulnerability."2015-01-137.8CVE-2015-0015
    microsoft -- windows_7Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."2015-01-139.3CVE-2015-0016
    mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2015-01-147.5CVE-2014-8634
    CONFIRM
    CONFIRM
    mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2015-01-147.5CVE-2014-8635
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    CONFIRM
    mozilla -- firefoxThe XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.2015-01-147.5CVE-2014-8636
    CONFIRM
    mozilla -- firefoxUse-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data.2015-01-147.5CVE-2014-8641
    CONFIRM
    mozilla -- firefoxMozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process.2015-01-147.1CVE-2014-8643
    CONFIRM
    mtouch_quiz_project -- mtouch_quizSQL injection vulnerability in question.php in the mTouch Quiz before 3.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the quiz parameter to wp-admin/edit.php.2015-01-137.5CVE-2014-100022
    MISC
    XF
    SECUNIA
    phpjabbers -- event_booking_calendarSQL injection vulnerability in load-calendar.php in PHPJabbers Event Booking Calendar 2.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.2015-01-137.5CVE-2014-10015
    MISC
    pomm-project -- pommSQL injection vulnerability in the LTree converter in Pomm before 1.1.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2015-01-137.5CVE-2014-100019
    CONFIRM
    XF
    BID
    SECUNIA
    qualcomm -- eudora_worldmailBuffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0.333.0 allows remote attackers to execute arbitrary code via a long string in a UID command.2015-01-137.5CVE-2014-10031
    XF
    EXPLOIT-DB
    OSVDB
    realnetworks -- realarcade_installerThe RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in RealNetworks GameHouse RealArcade Installer 2.6.0.481 performs unexpected type conversions for invalid parameter types, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted arguments to the (1) AddTag, (2) Ping, (3) QueuePause, (4) QueueRemove, (5) QueueTop, (6) RemoveTag, (7) TagRemoved, or (8) message method.2015-01-1210.0CVE-2013-2603
    MISC
    MISC
    OSVDB
    realnetworks -- realarcade_installerRealNetworks GameHouse RealArcade Installer (aka ActiveMARK Game Installer) 2.6.0.481 and 3.0.7 uses weak permissions (Create Files/Write Data) for the GameHouse Games directory tree, which allows local users to gain privileges via a Trojan horse DLL in an individual game's directory, as demonstrated by DDRAW.DLL in the Zuma Deluxe directory.2015-01-127.2CVE-2013-2604
    MISC
    MISC
    OSVDB
    schneider-electric -- wonderware_intouch_access_anywhere_serverStack-based buffer overflow in Schneider Electric Wonderware InTouch Access Anywhere Server 10.6 and 11.0 allows remote attackers to execute arbitrary code via a request for a filename that does not exist.2015-01-0910.0CVE-2014-9190
    CONFIRM
    sendy -- sendySQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.2015-01-137.5CVE-2014-100011
    XF
    BID
    BUGTRAQ
    EXPLOIT-DB
    sendy -- sendySQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote attackers to execute arbitrary SQL commands via the i parameter.2015-01-137.5CVE-2014-100012
    EXPLOIT-DB
    softbb -- softbbSQL injection vulnerability in redir_last_post_list.php in SoftBB 0.1.3 allows remote attackers to execute arbitrary SQL commands via the post parameter.2015-01-157.5CVE-2014-9560
    BID
    MISC
    FULLDISC
    MISC
    solidworks -- product_data_managementMultiple stack-based buffer overflows in pdmwService.exe in SolidWorks Workgroup PDM 2014 SP2 allow remote attackers to execute arbitrary code via a long string in a (1) 2001, (2) 2002, or (3) 2003 opcode to port 3000.2015-01-137.5CVE-2014-100014
    XF
    EXPLOIT-DB
    SECUNIA
    tecorange -- simple_e-documentSQL injection vulnerability in login.php in Simple e-document 1.31 allows remote attackers to execute arbitrary SQL commands via the username parameter.2015-01-137.5CVE-2014-10020
    XF
    EXPLOIT-DB
    MISC
    OSVDB
    topicsviewer -- topicsviewerMultiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.2015-01-137.5CVE-2014-10023
    XF
    BID
    EXPLOIT-DB
    MISC
    OSVDB
    OSVDB
    OSVDB
    OSVDB
    trendnet -- tv-ip422wStack-based buffer overflow in UltraCamLib in the UltraCam ActiveX Control (UltraCamX.ocx) for the TRENDnet SecurView camera TV-IP422WN allows remote attackers to execute arbitrary code via a long string to the (1) CGI_ParamSet, (2) OpenFileDlg, (3) SnapFileName, (4) Password, (5) SetCGIAPNAME, (6) AccountCode, or (7) RemoteHost function.2015-01-137.5CVE-2014-10011
    XF
    MISC
    MISC
    BID
    MISC
    welcart -- e-commerceMultiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php.2015-01-137.5CVE-2014-10017
    XF
    BID
    MISC
    wpsymposium -- wp_symposiumUnrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/.2015-01-137.5CVE-2014-10021
    EXPLOIT-DB
    yourmembers -- yourmembersSQL injection vulnerability in includes/ym-download_functions.include.php in the Code Futures YourMembers plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ym_download_id parameter to the default URI.2015-01-137.5CVE-2014-100003
    EXPLOIT-DB
    MISC
    Back to top

    Medium Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to obtain sensitive keystroke information via unspecified vectors.2015-01-135.0CVE-2015-0302
    airties -- air_6372Cross-site scripting (XSS) vulnerability in top.html in the Airties Air 6372 modem allows remote attackers to inject arbitrary web script or HTML via the productboardtype parameter.2015-01-134.3CVE-2014-100032
    XF
    MISC
    apache -- traffic_serverApache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.2015-01-135.0CVE-2014-10022
    CONFIRM
    SECTRACK
    MLIST
    apache -- cloudstackApache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.2015-01-155.0CVE-2014-9593
    SECUNIA
    april's_super_functions_pack_project -- april's_super_functions_packCross-site scripting (XSS) vulnerability in readme.php in the April's Super Functions Pack plugin before 1.4.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100026
    XF
    BID
    SECUNIA
    OSVDB
    awpcp -- another_wordpress_classifieds_pluginCross-site scripting (XSS) vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI.2015-01-134.3CVE-2014-10012
    XF
    MISC
    cisco -- anyconnect_secure_mobility_clientCisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials via unspecified vectors, aka Bug IDs CSCuo24931 and CSCuo24940.2015-01-145.0CVE-2014-3314
    cisco -- unified_communications_domain_managerCisco Unified Communication Domain Manager Platform Software allows remote attackers to cause a denial of service (CPU consumption, and performance degradation or service outage) via a flood of malformed TCP packets and UDP packets, aka Bug ID CSCup25276.2015-01-095.0CVE-2014-8020
    cisco -- identity_services_engine_softwareMultiple cross-site scripting (XSS) vulnerabilities in Cisco Identity Services Engine allow remote attackers to inject arbitrary web script or HTML via input to unspecified web pages, aka Bug IDs CSCur69835 and CSCur69776.2015-01-154.3CVE-2014-8022
    cisco -- webex_meetings_serverCisco WebEx Meetings Server 1.5 presents the same CAPTCHA challenge for each login attempt, which makes it easier for remote attackers to obtain access via a brute-force approach of guessing usernames, aka Bug ID CSCuj40321.2015-01-155.0CVE-2014-8034
    cisco -- webex_meetings_serverThe web framework in Cisco WebEx Meetings Server produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCuj40247.2015-01-095.0CVE-2014-8035
    cisco -- webex_meetings_serverThe outlookpa component in Cisco WebEx Meetings Server does not properly validate API input, which allows remote attackers to modify a meeting's invite list via a crafted URL, aka Bug ID CSCuj40254.2015-01-095.0CVE-2014-8036
    cisco -- asyncosMultiple cross-site scripting (XSS) vulnerabilities in the IronPort Spam Quarantine (ISQ) page in Cisco AsyncOS, as used on the Cisco Email Security Appliance (ESA) and Content Security Management Appliance (SMA), allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCus22925 and CSCup08113.2015-01-144.3CVE-2015-0577
    cisco -- adaptive_security_appliance_softwareCisco Adaptive Security Appliance (ASA) Software, when a DHCPv6 relay is configured, allows remote attackers to cause a denial of service (device reload) via crafted DHCP packets on the local network, aka Bug ID CSCur45455.2015-01-145.7CVE-2015-0578
    cisco -- telepresence_video_communication_serverCisco TelePresence Video Communication Server (VCS) and Cisco Expressway allow remote attackers to cause a denial of service (memory and CPU consumption, and partial outage) via crafted SIP packets, aka Bug ID CSCur12473.2015-01-145.0CVE-2015-0579
    cisco -- nx-osThe High Availability (HA) subsystem in Cisco NX-OS on MDS 9000 devices allows remote attackers to cause a denial of service via crafted traffic, aka Bug ID CSCuo09129.2015-01-095.0CVE-2015-0582
    cisco -- webex_meeting_centerCisco WebEx Meeting Center does not properly restrict the content of URLs, which allows remote attackers to obtain sensitive information via vectors related to file: URIs, aka Bug ID CSCus18281.2015-01-145.0CVE-2015-0583
    cisco -- unified_communications_domain_managerCross-site request forgery (CSRF) vulnerability in Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo77055.2015-01-156.8CVE-2015-0588
    cisco -- unified_communications_domain_managerCisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to cause a denial of service (daemon hang and GUI outage) via a flood of malformed TCP packets, aka Bug ID CSCur44177.2015-01-155.0CVE-2015-0591
    clientresponse_project -- clientresponseMultiple cross-site scripting (XSS) vulnerabilities in clientResponse 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Subject or (2) Message field.2015-01-134.3CVE-2014-100013
    XF
    EXPLOIT-DB
    context_project -- contextOpen redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.2015-01-155.8CVE-2015-1051
    BID
    corel -- corelcadMultiple untrusted search path vulnerabilities in Corel CAD 2014 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) FxManagedCommands_3.08_9.tx or (2) TD_Mgd_3.08_9.dll file in the current working directory.2015-01-154.6CVE-2014-8394
    BID
    BUGTRAQ
    MISC
    FULLDISC
    corel -- painterUntrusted search path vulnerability in Corel Painter 2015 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wacommt.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8395
    BID
    BUGTRAQ
    MISC
    FULLDISC
    corel -- pdf_fusionUntrusted search path vulnerability in Corel PDF Fusion allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse quserex.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8396
    BID
    BUGTRAQ
    MISC
    FULLDISC
    corel -- fastflickUntrusted search path vulnerability in Corel VideoStudio PRO X7 or FastFlick allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse u32ZLib.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8397
    BID
    BUGTRAQ
    MISC
    FULLDISC
    corel -- fastflickMultiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) uhDSPlay.dll, (6) uipl.dll, (7) uvipl.dll, (8) VC1DecDll.dll, or (9) VC1DecDll_SSE3.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8398
    BID
    BUGTRAQ
    MISC
    FULLDISC
    couponphp -- couponphpMultiple SQL injection vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to execute arbitrary SQL commands via the (1) iDisplayLength or (2) iDisplayStart parameter to (a) comments_paginate.php or (b) stores_paginate.php in admin/ajax/.2015-01-136.5CVE-2014-10034
    XF
    MISC
    EXPLOIT-DB
    MISC
    OSVDB
    OSVDB
    CONFIRM
    couponphp -- couponphpMultiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the (3) affiliate_url, (4) description, (5) domain, (6) seo[description], (7) seo[heading], (8) seo[title], (9) seo[keywords], (10) setting[logo], (11) setting[perpage], or (12) setting[sitename] to admin/index.php.2015-01-134.3CVE-2014-10035
    MISC
    EXPLOIT-DB
    SECUNIA
    MISC
    OSVDB
    OSVDB
    OSVDB
    CONFIRM
    csphere -- clansphereCross-site scripting (XSS) vulnerability in ClanSphere 2011.4 allows remote attackers to inject arbitrary web script or HTML via the where parameter in a list action to index.php.2015-01-134.3CVE-2014-100010
    MISC
    BID
    BUGTRAQ
    SECUNIA
    FULLDISC
    d-link -- dir-60Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.2015-01-136.8CVE-2014-100005
    XF
    SECUNIA
    MISC
    d-link -- dap-1360_firmwareMultiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that change the (1) Enable Wireless, (2) MBSSID, (3) BSSID, (4) Hide Access Point, (5) SSID, (6) Country, (7) Channel, (8) Wireless mode, or (9) Max Associated Clients setting via a crafted request to index.cgi.2015-01-136.8CVE-2014-10025
    MISC
    FULLDISC
    d-link -- dap-1360_firmwareindex.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.2015-01-135.0CVE-2014-10026
    MISC
    FULLDISC
    d-link -- dap-1360_firmwareMultiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that (1) change the MAC filter restrict mode, (2) add a MAC address to the filter, or (3) remove a MAC address from the filter via a crafted request to index.cgi.2015-01-136.8CVE-2014-10027
    MISC
    FULLDISC
    d-link -- dap-1360_firmwareCross-site scripting (XSS) vulnerability in D-Link DAP-1360 router with firmware 2.5.4 and later allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi when res_config_id is set to 41.2015-01-134.3CVE-2014-10028
    MISC
    FULLDISC
    dev4press -- gd_star_ratingMultiple cross-site request forgery (CSRF) vulnerabilities in the GD Star Rating plugin 19.22 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct (1) SQL injection attacks via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php or (2) cross-site scripting (XSS) attacks via unspecified vectors.2015-01-126.8CVE-2014-2838
    XF
    SECUNIA
    FULLDISC
    e107 -- e107Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.2015-01-154.3CVE-2015-1041
    MISC
    XF
    BID
    MLIST
    MISC
    MISC
    FULLDISC
    MISC
    f5 -- big-ip_application_security_managerCross-site scripting (XSS) vulnerability in F5 BIG-IP Application Security Manager (ASM) before 11.6 allows remote attackers to inject arbitrary web script or HTML via the Response Body field when creating a new user account.2015-01-154.3CVE-2015-1050
    XF
    BUGTRAQ
    FULLDISC
    MISC
    flatpress -- flatpressCross-site scripting (XSS) vulnerability in FlatPress 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter to the default URI.2015-01-134.3CVE-2014-100036
    MISC
    CONFIRM
    XF
    SECUNIA
    fluxbb -- fluxbbOpen redirect vulnerability in forums/login.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.2015-01-135.8CVE-2014-10030
    CONFIRM
    ganesha_digital_library_project -- ganesha_digital_libraryMultiple directory traversal vulnerabilities in class/session.php in Ganesha Digital Library (GDL) 4.2 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) newlang or (2) newtheme parameter.2015-01-135.0CVE-2014-100029
    XF
    MISC
    ganesha_digital_library_project -- ganesha_digital_libraryCross-site scripting (XSS) vulnerability in module/search/function.php in Ganesha Digital Library (GDL) 4.2 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in a ByEge action.2015-01-134.3CVE-2014-100030
    XF
    SECUNIA
    MISC
    getusedtoit -- wp_slimstatCross-site scripting (XSS) vulnerability in the WP SlimStat plugin before 3.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted URL.2015-01-134.3CVE-2014-100027
    CONFIRM
    XF
    BID
    SECUNIA
    gnu -- binutilsThe _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.2015-01-155.0CVE-2014-8738
    CONFIRM
    CONFIRM
    MLIST
    MLIST
    MLIST
    haxx -- libcurlCRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.2015-01-154.3CVE-2014-8150
    DEBIAN
    SECUNIA
    SECUNIA
    haxx -- libcurlThe darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.2015-01-155.8CVE-2014-8151
    SECUNIA
    hk_exif_tags_project -- hk_exif_tagsCross-site scripting (XSS) vulnerability in the HK Exif Tags plugin before 1.12 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100007
    XF
    SECUNIA
    hp -- insight_control_server_deploymentCross-site scripting (XSS) vulnerability in the server in HP Insight Control allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-154.3CVE-2014-7881
    ibm -- sterling_b2b_integratorThe HTTP Server Adapter in IBM Sterling B2B Integrator 5.1 and 5.2.x and Sterling File Gateway 2.1 and 2.2 allows remote attackers to cause a denial of service (connection-slot exhaustion) via a crafted HTTP request.2015-01-095.0CVE-2014-6199
    XF
    ibm -- emptorisThe Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.5 before 9.5.1.3 iFix2, 10.0.0.x before 10.0.0.1 iFix1, 10.0.1.x before 10.0.1.3 iFix1, and 10.0.2.x before 10.0.2.5; and Emptoris Program Management (aka PGM) and Strategic Supply Management (aka SSMP) 10.0.0.x before 10.0.0.3 iFix6, 10.0.1.x before 10.0.1.4 iFix1, and 10.0.2.x before 10.0.2.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2015-01-094.0CVE-2014-6212
    XF
    iwcn -- stark_crmMultiple cross-site request forgery (CSRF) vulnerabilities in Stark CRM 1.0 allow remote attackers to hijack the authentication of administrators for requests that add (1) an administrator via a crafted request to the admin page, (2) an agent via a crafted request to the agent page, (3) a sub-agent via a crafted request to the sub_agent page, (4) a partner via a crafted request to the partner page, or (5) a client via a crafted request to the client page.2015-01-136.8CVE-2014-10008
    XF
    XF
    MISC
    MISC
    SECUNIA
    iwcn -- stark_crmMultiple cross-site scripting (XSS) vulnerabilities in Stark CRM 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name, (2) last_name, or (3) notes parameter to the client page; (4) insu_name or (5) price parameter to the add_insurance_cat page; or (6) status[] parameter to the add_status page.2015-01-134.3CVE-2014-10009
    XF
    MISC
    MISC
    SECUNIA
    jetbrains -- teamcityUnspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.2015-01-135.0CVE-2014-10002
    SECUNIA
    jetbrains -- teamcityCross-site scripting (XSS) vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to inject arbitrary web script or HTML via the cameFromUrl parameter to feed/generateFeedUrl.html.2015-01-134.3CVE-2014-10036
    MISC
    XF
    SECUNIA
    CONFIRM
    joomlaskin -- js_multi_hotelCross-site scripting (XSS) vulnerability in includes/refreshDate.php in the Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the roomid parameter.2015-01-094.3CVE-2013-7419
    MISC
    joomlaskin -- js_multi_hotelCross-site scripting (XSS) vulnerability in includes/delete_img.php in the Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter.2015-01-134.3CVE-2014-100008
    XF
    MISC
    MISC
    joomlaskin -- js_multi_hotelThe Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to obtain the installation path via a request to (1) functions.php, (2) myCalendar.php, (3) refreshDate.php, (4) show_image.php, (5) widget.php, (6) phpthumb/GdThumb.inc.php, or (7) phpthumb/thumb_plugins/gd_reflection.inc.php in includes/.2015-01-135.0CVE-2014-100009
    MISC
    MISC
    licensepal -- arcticdeskDirectory traversal vulnerability in LicensePal ArcticDesk before 1.2.5 allows remote attackers to read arbitrary files via unspecified vectors.2015-01-135.0CVE-2014-100033
    MISC
    SECUNIA
    licensepal -- arcticdeskCross-site scripting (XSS) vulnerability in the frontend interface in LicensePal ArcticDesk before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-134.3CVE-2014-100034
    XF
    SECUNIA
    litech -- router_advertisement_daemonThe L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.2015-01-154.0CVE-2014-8153
    MISC
    CONFIRM
    CONFIRM
    BID
    maianscriptworld -- maian_uploaderMultiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php.2015-01-134.3CVE-2014-10003
    XF
    MISC
    OSVDB
    maianscriptworld -- maian_uploaderMaian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message.2015-01-135.0CVE-2014-10005
    OSVDB
    MISC
    maianscriptworld -- maian_uploaderMultiple cross-site request forgery (CSRF) vulnerabilities in Maian Uploader 4.0 allow remote attackers to hijack the authentication of unspecified users for requests that conduct cross-site scripting (XSS) attacks via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php.2015-01-136.8CVE-2014-10006
    MISC
    maianscriptworld -- maian_weblogMultiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, or (3) subject parameter in a contact action to index.php.2015-01-134.3CVE-2014-10007
    MISC
    XF
    SECUNIA
    mantisbt -- mantisbtCross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename.2015-01-094.3CVE-2014-9271
    CONFIRM
    MLIST
    MLIST
    MLIST
    mantisbt -- mantisbtThe string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.2015-01-094.3CVE-2014-9272
    CONFIRM
    CONFIRM
    MLIST
    MLIST
    mcafee -- epolicy_orchestratorXML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.2015-01-094.0CVE-2015-0921
    FULLDISC
    FULLDISC
    MISC
    mcafee -- epolicy_orchestratorMcAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.2015-01-095.0CVE-2015-0922
    FULLDISC
    FULLDISC
    MISC
    microsoft -- windows_7The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."2015-01-136.1CVE-2015-0006
    microsoft -- windows_7mrxdav.sys (aka the WebDAV driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass an impersonation protection mechanism, and obtain privileges for redirection of WebDAV requests, via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."2015-01-134.7CVE-2015-0011
    moip_project -- moipCross-site scripting (XSS) vulnerability in the Moip module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to the notification page callback.2015-01-094.3CVE-2014-9500
    MLIST
    MLIST
    mozilla -- firefoxMozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize memory for BMP images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers the rendering of malformed BMP data within a CANVAS element.2015-01-145.0CVE-2014-8637
    CONFIRM
    mozilla -- firefoxThe navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.2015-01-146.8CVE-2014-8638
    CONFIRM
    mozilla -- firefoxMozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.2015-01-146.8CVE-2014-8639
    CONFIRM
    mozilla -- firefoxThe mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls.2015-01-145.0CVE-2014-8640
    CONFIRM
    mozilla -- firefoxMozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate.2015-01-144.3CVE-2014-8642
    CONFIRM
    mtouch_quiz_project -- mtouch_quizMultiple cross-site scripting (XSS) vulnerabilities in question.php in the mTouch Quiz before 3.0.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the quiz parameter to wp-admin/edit.php.2015-01-134.3CVE-2014-100023
    MISC
    XF
    XF
    SECUNIA
    mywebsiteadvisor -- simple_securityMultiple cross-site scripting (XSS) vulnerabilities in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) datefilter parameter in the access_log page to wp-admin/users.php or (2) simple_security_ip_blacklist[] parameter in an add_blacklist_ip action in the ip_blacklist page to wp-admin/users.php.2015-01-154.3CVE-2014-9570
    MISC
    BUGTRAQ
    orangehrm -- orangehrmCross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.2015-01-134.3CVE-2014-100021
    BID
    SECUNIA
    MISC
    oscommerce -- online_merchantSQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.2015-01-136.5CVE-2014-10033
    CONFIRM
    XF
    MISC
    EXPLOIT-DB
    OSVDB
    panasonic -- arbitrator_back-end_server_mk_2.0_vpuPanasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 build 4.08.003.0, when USB Wi-Fi or Direct LAN is enabled, and MK 3.0 VPU before 9.3.1 build 5.06.000.0, when Embedded Wi-Fi or Direct LAN is enabled, does not use encryption, which allows remote attackers to obtain sensitive information by sniffing the network for client-server traffic, as demonstrated by Active Directory credential information.2015-01-154.3CVE-2014-9596
    photocati_media -- photocratiCross-site scripting (XSS) vulnerability in photocrati-gallery/ecomm-sizes.php in the Photocrati theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the prod_id parameter.2015-01-134.3CVE-2014-100016
    XF
    BID
    SECUNIA
    MISC
    OSVDB
    phpjabbers -- appointment_schedulerMultiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Appointment Scheduler 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the i18n[1][name] parameter in a pjActionCreate action to the pjAdminServices controller or (2) add an administrator via a pjActionCreate action to the pjAdminUsers controller.2015-01-136.8CVE-2014-10001
    XF
    XF
    EXPLOIT-DB
    SECUNIA
    MISC
    phpjabbers -- appointment_schedulerDirectory traversal vulnerability in PHPJabbers Appointment Scheduler 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a pjActionDownload action to the pjBackup controller.2015-01-135.0CVE-2014-10010
    XF
    EXPLOIT-DB
    MISC
    phpjabbers -- event_booking_calendarMultiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Event Booking Calendar 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change the username and password of the administrator via an update action to the AdminOptions controller or conduct cross-site scripting (XSS) attacks via the (2) event_title parameter in a create action to the AdminEvents controller or (3) category_title parameter in a create action to the AdminCategories controller.2015-01-136.8CVE-2014-10014
    XF
    XF
    SECUNIA
    MISC
    phpkit -- phpkitCross-site scripting (XSS) vulnerability in the poll archive in PHPKIT 1.6.6 (Build 160014) allows remote attackers to inject arbitrary web script or HTML via the result parameter to upload_files/pk/include.php.2015-01-154.3CVE-2015-1052
    BID
    MISC
    MISC
    FULLDISC
    MISC
    phponlinechat -- phponlinechatCross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.2015-01-134.3CVE-2014-100017
    XF
    BID
    EXPLOIT-DB
    MISC
    pods_foundation -- podsCross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action in the pods page to wp-admin/admin.php.2015-01-154.3CVE-2014-7956
    BID
    BUGTRAQ
    FULLDISC
    MISC
    pods_foundation -- podsMultiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.2015-01-156.8CVE-2014-7957
    BID
    BUGTRAQ
    FULLDISC
    MISC
    redhat -- jboss_data_virtualizationXML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.2015-01-155.0CVE-2014-0171
    CONFIRM
    roundcube -- webmailMultiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.2015-01-156.8CVE-2014-9587
    CONFIRM
    MISC
    BID
    MLIST
    sap -- sap_kernelBuffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the ABAP VM, aka SAP Note 2059734.2015-01-156.5CVE-2014-9594
    SECUNIA
    MISC
    MISC
    sap -- sap_kernelBuffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the Spool System, aka SAP Note 2061271.2015-01-156.5CVE-2014-9595
    SECUNIA
    MISC
    MISC
    savsoft -- savsoft_quizCross-site request forgery (CSRF) vulnerability in index.php/user_data/insert_user in Savsoft Quiz allows remote attackers to hijack the authentication of administrators for requests that create an administrator account via a crafted request.2015-01-136.8CVE-2014-100025
    XF
    BID
    SECUNIA
    MISC
    scriptbrasil -- taboada_macronewsSQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.2015-01-136.5CVE-2014-10032
    XF
    EXPLOIT-DB
    OSVDB
    seopanel -- seo_panelCross-site scripting (XSS) vulnerability in Seo Panel before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-134.3CVE-2014-100024
    XF
    SECUNIA
    OSVDB
    seopressor -- seo_plugin_liveoptimCross-site request forgery (CSRF) vulnerability in the SEO Plugin LiveOptim plugin before 1.1.4-free for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.2015-01-136.8CVE-2014-100001
    XF
    SECUNIA
    sitecore -- cmsCross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100004
    XF
    BID
    BUGTRAQ
    MISC
    SECUNIA
    OSVDB
    softbb -- softbbCross-site scripting (XSS) vulnerability in redir_last_post_list.php in SoftBB 0.1.3 allows remote attackers to inject arbitrary web script or HTML via the post parameter.2015-01-154.3CVE-2014-9561
    BID
    MISC
    FULLDISC
    MISC
    solidworks -- product_data_managementDirectory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.2015-01-136.4CVE-2014-100015
    XF
    EXPLOIT-DB
    EXPLOIT-DB
    MISC
    storytlr -- storytlrCross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to archives/.2015-01-134.3CVE-2014-100037
    MISC
    SECUNIA
    storytlr -- storytlrCross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter to search/.2015-01-134.3CVE-2014-100038
    MISC
    XF
    SECUNIA
    suse -- gcabDirectory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."2015-01-156.4CVE-2015-0552
    CONFIRM
    CONFIRM
    MLIST
    SUSE
    tapatalk -- tapatalkMultiple cross-site scripting (XSS) vulnerabilities in mobiquo/smartbanner/welcome.php in the Tapatalk (com.tapatalk.wbb4) plugin 1.x before 1.1.2 for Woltlab Burning Board 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) app_android_id or (2) app_kindle_url parameter.2015-01-154.3CVE-2014-8869
    MISC
    BID
    BUGTRAQ
    FULLDISC
    tapatalk -- tapatalkOpen redirect vulnerability in mobiquo/smartbanner/welcome.php in the Tapatalk (com.tapatalk.wbb4) plugin before 1.1.2 for Woltlab Burning Board 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the board_url parameter.2015-01-155.8CVE-2014-8870
    BID
    BUGTRAQ
    FULLDISC
    teracom -- t2-b-gawv1.4u10y-biCross-site scripting (XSS) vulnerability in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allows remote attackers to inject arbitrary web script or HTML via the essid parameter.2015-01-134.3CVE-2014-10018
    XF
    BID
    EXPLOIT-DB
    OSVDB
    teracom -- t2-b-gawv1.4u10y-biMultiple cross-site request forgery (CSRF) vulnerabilities in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID or (2) change the password via a crafted request.2015-01-136.8CVE-2014-10019
    XF
    EXPLOIT-DB
    tp-link -- tl-wr840n_firmwareCross-site request forgery (CSRF) vulnerability in the administration console in TP-Link TL-WR840N (V1) router with firmware before 3.13.27 build 141120 allows remote attackers to hijack the authentication of administrators for requests that change router settings via a configuration file import.2015-01-096.8CVE-2014-9510
    BID
    MISC
    FULLDISC
    unconfirmed_project -- unconfirmedCross-site scripting (XSS) vulnerability in the Unconfirmed plugin before 1.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter in the unconfirmed page to wp-admin/network/users.php.2015-01-134.3CVE-2014-100018
    CONFIRM
    MISC
    BID
    SECUNIA
    webcrafted_project -- webcraftedCross-site scripting (XSS) vulnerability in /signup in WEBCrafted allows remote attackers to inject arbitrary web script or HTML via the username.2015-01-134.3CVE-2014-100028
    XF
    BID
    SECUNIA
    MISC
    webtrees -- webtreesMultiple cross-site scripting (XSS) vulnerabilities in modules_v3/googlemap/wt_v3_street_view.php in webtrees before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) map, (2) streetview, or (3) reset parameter.2015-01-134.3CVE-2014-100006
    XF
    MISC
    SECUNIA
    welcart -- e-commerceMultiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time parameter in an add_delivery_method action to wp-admin/admin-ajax.php.2015-01-134.3CVE-2014-10016
    XF
    BID
    SECUNIA
    MISC
    wireshark -- wiresharkMultiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.2015-01-095.0CVE-2015-0559
    CONFIRM
    CONFIRM
    wireshark -- wiresharkThe dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2015-01-095.0CVE-2015-0560
    CONFIRM
    CONFIRM
    wireshark -- wiresharkasn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet.2015-01-095.0CVE-2015-0561
    CONFIRM
    CONFIRM
    wireshark -- wiresharkMultiple use-after-free vulnerabilities in epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.2015-01-095.0CVE-2015-0562
    CONFIRM
    CONFIRM
    wireshark -- wiresharkepan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2015-01-095.0CVE-2015-0563
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkBuffer underflow in the ssl_decrypt_record function in epan/dissectors/packet-ssl-utils.c in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet that is improperly handled during decryption of an SSL session.2015-01-095.0CVE-2015-0564
    CONFIRM
    wpeasycart -- wp_easycartUnrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.2015-01-156.5CVE-2014-9308
    BID
    EXPLOIT-DB
    MISC
    MISC
    OSVDB
    xen -- xenThe evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.2015-01-124.9CVE-2014-6268
    XF
    SECTRACK
    BID
    zfcuser_project -- zfcuserCross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Commons ZfcUser before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.2015-01-154.3CVE-2015-1039
    CONFIRM
    CONFIRM
    BID
    MLIST
    zohocorp -- manageengine_supportcenter_plusDirectory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.2015-01-135.0CVE-2014-100002
    CONFIRM
    XF
    EXPLOIT-DB
    OSVDB
    Back to top

    Low Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    bedita -- beditaMultiple cross-site scripting (XSS) vulnerabilities in the administrative backend in BEdita 3.4.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lrealname field in the editProfile form to index.php/home/profile; the (2) data[title] or (3) data[description] field in the addQuickItem form to index.php; the (4) "note text" field in the saveNote form to index.php/areas; or the (5) titleBEObject or (6) tagsArea field in the updateForm form to index.php/documents/view.2015-01-153.5CVE-2015-1040
    CONFIRM
    BID
    MISC
    MLIST
    FULLDISC
    MISC
    codewrights -- hart_device_type_managerThe CodeWrights HART Device Type Manager (DTM) library in Emerson HART DTM before 1.4.181 allows physically proximate attackers to cause a denial of service (DTM outage and FDT Frame application hang) by transmitting crafted response packets on the 4-20 mA current loop.2015-01-092.1CVE-2014-9191
    godwin's_law_project -- godwin's_lawCross-site scripting (XSS) vulnerability in the Godwin's Law module before 7.x-1.1 for Drupal, when using the dblog module, allows remote authenticated users to inject arbitrary web script or HTML via a Watchdog message.2015-01-093.5CVE-2014-9499
    XF
    MLIST
    MLIST
    ibm -- curam_social_program_managementCross-site scripting (XSS) vulnerability in IBM Curam Social Program Management before 6.0.5.5a allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2015-01-093.5CVE-2014-3096
    linux -- linux_kernelThe parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.2015-01-092.1CVE-2014-9584
    CONFIRM
    CONFIRM
    MLIST
    CONFIRM
    linux -- linux_kernelThe vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.2015-01-092.1CVE-2014-9585
    MLIST
    MLIST
    MISC
    CONFIRM
    malwarebytes -- malwarebytes_anti-exploitmbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local users to cause a denial of service (crash) via a crafted size in an unspecified IOCTL call, which triggers an out-of-bounds read. NOTE: some of these details are obtained from third party information.2015-01-132.1CVE-2014-100039
    CONFIRM
    OSVDB
    mantisbt -- mantisbtCross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.2015-01-092.6CVE-2014-9269
    CONFIRM
    DEBIAN
    MLIST
    MLIST
    mediawiki -- mediawikiCross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.2015-01-163.5CVE-2014-9475
    MLIST
    MLIST
    DEBIAN
    microsoft -- windows_8The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass the Protected Process Light protection mechanism and read the contents of arbitrary process-memory locations by leveraging administrative privileges, aka "Windows Error Reporting Security Feature Bypass Vulnerability."2015-01-131.9CVE-2015-0001
    poll_chart_block_project -- poll_chart_blockCross-site scripting (XSS) vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a poll node title.2015-01-093.5CVE-2014-9501
    MLIST
    MLIST
    redhat -- network_satelliteMultiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the REST API.2015-01-153.5CVE-2014-7811
    redhat -- network_satelliteCross-site scripting (XSS) vulnerability in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allows remote authenticated users to inject arbitrary web script or HTML via the System Groups field.2015-01-153.5CVE-2014-7812
    school_administration_project -- school_administrationCross-site scripting (XSS) vulnerability in the School Administration module 7.x-1.x before 7.x-1.8 for Drupal allows remote authenticated users with permission to create or edit a class node to inject arbitrary web script or HTML via a node title.2015-01-093.5CVE-2014-9505
    XF
    MLIST
    MLIST
    siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to extract the password from storage via unspecified vectors.2015-01-142.1CVE-2014-5231
    siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows local users to bypass an intended application-password requirement by leveraging the running of the app in the background state.2015-01-141.9CVE-2014-5232
    siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to discover Sm@rtServer credentials by leveraging an error in the credential-processing mechanism.2015-01-141.9CVE-2014-5233
    webform_invitation_project -- webform_invitationCross-site scripting (XSS) vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal allows remote authenticated users with the Webform: Create new content, Webform: Edit own content, or Webform: Edit any content permission to inject arbitrary web script or HTML via a node title.2015-01-093.5CVE-2014-9498
    MLIST
    MLIST
    Back to top

    This product is provided subject to this Notification and this Privacy & Use policy.


  • SB15-012: Vulnerability Summary for the Week of January 5, 2015
    Original release date: January 12, 2015

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    High Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    ajax_post_search_project -- ajax_post_searchSQL injection vulnerability in the "the_search_function" function in cardoza_ajax_search.php in the AJAX Post Search (cardoza-ajax-search) plugin before 1.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the srch_txt parameter in a "the_search_text" action to wp-admin/admin-ajax.php.2015-01-077.5CVE-2012-5853
    CONFIRM
    BUGTRAQ
    asus -- wrt_firmwarecommon.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.2015-01-0810.0CVE-2014-9583
    MISC
    EXPLOIT-DB
    MISC
    basic-cms -- sweetriceMultiple SQL injection vulnerabilities in index.php in SweetRice CMS before 0.6.7.1 allow remote attackers to execute arbitrary SQL commands via (1) the file_name parameter in an attachment action, (2) the post parameter in a show_comment action, (3) the sys-name parameter in an rssfeed action, or (4) the sys-name parameter in a view action.2015-01-037.5CVE-2010-5317
    MISC
    cts_projects&software -- classadSQL injection vulnerability in showads.php in CTS Projects & Software ClassAd 3.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter.2015-01-027.5CVE-2014-9455
    MISC
    debian -- mime-supportrun-mailcap in the Debian mime-support package before 3.52-1+deb7u1 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.2015-01-067.5CVE-2014-7209
    XF
    BID
    MLIST
    SECUNIA
    deliciousdays -- cformsiiUnrestricted file upload vulnerability in lib_nonajax.php in the CformsII plugin 14.7 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension via the cf_uploadfile2[] parameter, then accessing the file via a direct request to the file in the default upload directory.2015-01-077.5CVE-2014-9473
    CONFIRM
    BUGTRAQ
    don_ho -- notepad++Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped to CVE-2014-1004; see CVE-2014-1004 for more information.2015-01-0210.0CVE-2014-9456
    EXPLOIT-DB
    hex-rays -- idaHeap-based buffer overflow in the GDB debugger module in Hex-Rays IDA Pro before 6.6 cumulative fix 2014-12-24 allows remote GDB servers to have unspecified impact via unknown vectors.2015-01-0210.0CVE-2014-9458
    SECUNIA
    humhub -- humhubSQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.2015-01-067.5CVE-2014-9528
    CONFIRM
    XF
    EXPLOIT-DB
    FULLDISC
    MISC
    infinitewp -- infinitewp_admin_panelSQL injection vulnerability in login.php in InfiniteWP Admin Panel before 2.4.3 allows remote attackers to execute arbitrary SQL commands via the email parameter.2015-01-057.5CVE-2014-9519
    MISC
    FULLDISC
    infinitewp -- infinitewp_admin_panelSQL injection vulnerability in execute.php in InfiniteWP Admin Panel before 2.4.4 allows remote attackers to execute arbitrary SQL commands via the historyID parameter.2015-01-057.5CVE-2014-9520
    MISC
    FULLDISC
    infinitewp -- infinitewp_admin_panelUnrestricted file upload vulnerability in uploadScript.php in InfiniteWP Admin Panel before 2.4.4, when the allWPFiles query parameter is set, allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the uploads directory, as demonstrated by the .php.swp filename.2015-01-057.5CVE-2014-9521
    MISC
    FULLDISC
    installatron -- gq_file_managerSQL injection vulnerability in incl/create.inc.php in Installatron GQ File Manager 0.2.5 allows remote attackers to execute arbitrary SQL commands via the create parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks by creating a file that generates an error. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; see CVE-2014-1137 for more information.2015-01-027.5CVE-2014-9445
    XF
    EXPLOIT-DB
    linux -- linux_kernelThe batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.2015-01-027.8CVE-2014-9428
    MLIST
    CONFIRM
    MLIST
    MLIST
    CONFIRM
    CONFIRM
    mediawiki -- mediawikiThe wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.2015-01-047.5CVE-2014-9277
    CONFIRM
    MLIST
    MLIST
    DEBIAN
    SECTRACK
    microweber -- microweberSQL injection vulnerability in Category.php in Microweber CMS 0.95 before 20141209 allows remote attackers to execute arbitrary SQL commands via the category parameter when displaying a category, related to the $parent_id variable.2015-01-037.5CVE-2014-9464
    MISC
    CONFIRM
    mini-stream -- rm-mp3_converterBuffer overflow in Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long string in a WAX file.2015-01-027.5CVE-2014-9448
    EXPLOIT-DB
    EXPLOIT-DB
    OSVDB
    osclass -- osclassSQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action.2015-01-057.5CVE-2014-8083
    BID
    BUGTRAQ
    FULLDISC
    MISC
    MISC
    osclass -- osclassDirectory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action.2015-01-057.5CVE-2014-8084
    BID
    BUGTRAQ
    FULLDISC
    MISC
    MISC
    php -- phpsapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.2015-01-027.5CVE-2014-9427
    CONFIRM
    MLIST
    MLIST
    MLIST
    CONFIRM
    phpmyrecipes_project -- phpmyrecipesSQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the category parameter.2015-01-027.5CVE-2014-9440
    XF
    EXPLOIT-DB
    MISC
    projectsend -- projectsendUnrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.2015-01-077.5CVE-2014-9567
    XF
    EXPLOIT-DB
    EXPLOIT-DB
    MISC
    OSVDB
    sefrengo -- sefrengoMultiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.2015-01-087.5CVE-2015-0919
    MISC
    FULLDISC
    MISC
    sonatype -- nexusDirectory traversal vulnerability in Sonatype Nexus OSS and Pro before 2.11.1-01 allows remote attackers to read or write to arbitrary files via unspecified vectors.2015-01-057.5CVE-2014-9389
    SECUNIA
    typo3 -- typo3The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.2015-01-047.5CVE-2014-9509
    vdgsecurity -- vdg_senseMultiple stack-based buffer overflows in the DIVA web service API (/webservice) in VDG Security SENSE (formerly DIVA) 2.3.13 allow remote attackers to execute arbitrary code via the (1) user or (2) password parameter in an AuthenticateUser request.2015-01-027.5CVE-2014-9451
    MISC
    XF
    BID
    FULLDISC
    MISC
    xen -- xenUse-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.2015-01-077.8CVE-2015-0361
    zabbix -- zabbixMultiple SQL injection vulnerabilities in chart_bar.php in the frontend in Zabbix before 1.8.22, 2.0.x before 2.0.14, and 2.2.x before 2.2.8 allow remote attackers to execute arbitrary SQL commands via the (1) itemid or (2) periods parameter.2015-01-027.5CVE-2014-9450
    SECUNIA
    Back to top

    Medium Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    absolutengine -- absolut_engineMultiple SQL injection vulnerabilities in Absolut Engine 1.73 allow remote authenticated users to execute arbitrary SQL commands via the (1) sectionID parameter to admin/managersection.php, (2) userID parameter to admin/edituser.php, (3) username parameter to admin/admin.php, or (4) title parameter to admin/managerrelated.php.2015-01-026.5CVE-2014-9435
    BID
    MISC
    FULLDISC
    apache -- solrCross-site scripting (XSS) vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object.2015-01-064.3CVE-2014-3628
    SECUNIA
    MLIST
    apache -- poiHSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.2015-01-065.0CVE-2014-9527
    CONFIRM
    SECUNIA
    CONFIRM
    banner_effect_header_project -- banner_effect_headerCross-site request forgery (CSRF) vulnerability in the Banner Effect Header plugin 1.2.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the banner_effect_email parameter in the BannerEffectOptions page to wp-admin/options-general.php.2015-01-086.8CVE-2015-0920
    XF
    XF
    MISC
    basic-cms -- sweetriceCross-site scripting (XSS) vulnerability in as/index.php in SweetRice CMS before 0.6.7.1 allows remote attackers to inject arbitrary web script or HTML via a top_height cookie.2015-01-034.3CVE-2010-5316
    MISC
    basic-cms -- sweetriceThe password-reset feature in as/index.php in SweetRice CMS before 0.6.7.1 allows remote attackers to modify the administrator's password by specifying the administrator's e-mail address in the email parameter.2015-01-034.3CVE-2010-5318
    MISC
    chialab_&_channelweb -- beditaCross-site scripting (XSS) vulnerability in controllers/home_controller.php in BEdita before 3.1 allows remote attackers to inject arbitrary web script or HTML via the searchstring parameter to news/index.2015-01-034.3CVE-2010-5314
    MISC
    chialab_&_channelweb -- beditaMultiple cross-site request forgery (CSRF) vulnerabilities in BEdita before 3.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create categories via a data array to news/saveCategories or (2) modify credentials via a data array to admin/saveUser.2015-01-036.8CVE-2010-5315
    MISC
    cisco -- secure_access_control_systemThe RBAC component in Cisco Secure Access Control System (ACS) allows remote authenticated users to obtain Network Device Administrator privileges for Create, Delete, Read, and Update operations via crafted HTTP requests, aka Bug ID CSCuq79034.2015-01-086.5CVE-2014-8027
    cisco -- secure_access_control_systemMultiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Secure Access Control System (ACS) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq79019.2015-01-084.3CVE-2014-8028
    cisco -- secure_access_control_systemOpen redirect vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, aka Bug ID CSCuq74150.2015-01-085.8CVE-2014-8029
    cisco -- webex_meetings_serverCross-site scripting (XSS) vulnerability in sendPwMail.do in Cisco WebEx Meetings Server allows remote attackers to inject arbitrary web script or HTML via the email parameter, aka Bug ID CSCuj40381.2015-01-084.3CVE-2014-8030
    cisco -- webex_meetings_serverCross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj40456.2015-01-086.8CVE-2014-8031
    cisco -- webex_meetings_serverThe OutlookAction LI in Cisco WebEx Meetings Server allows remote authenticated users to obtain sensitive encrypted-password information via unspecified vectors, aka Bug IDs CSCuj40453 and CSCuj40449.2015-01-084.0CVE-2014-8032
    cisco -- webex_meetings_serverThe play/modules component in Cisco WebEx Meetings Server allows remote attackers to obtain administrator access via crafted API requests, aka Bug ID CSCuj40421.2015-01-085.0CVE-2014-8033
    codiad -- codiadDirectory traversal vulnerability in components/filemanager/download.php in Codiad 2.4.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; see CVE-2014-1137 for more information.2015-01-085.0CVE-2014-9581
    EXPLOIT-DB
    codiad -- codiadCross-site scripting (XSS) vulnerability in components/filemanager/dialog.php in Codiad 2.4.3 allows remote attackers to inject arbitrary web script or HTML via the short_name parameter in a rename action. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; see CVE-2014-1137 for more information.2015-01-084.3CVE-2014-9582
    EXPLOIT-DB
    concrete5 -- concrete5Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php.2015-01-054.3CVE-2014-9526
    XF
    BUGTRAQ
    FULLDISC
    MISC
    MISC
    d-link -- dcs-2103_hd_cube_network_cameraCross-site scripting (XSS) vulnerability in D-link IP camera DCS-2103 with firmware before 1.20 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING to vb.htm.2015-01-054.3CVE-2014-9517
    MISC
    MISC
    d-link -- dir-655Cross-site scripting (XSS) vulnerability in login.cgi in D-Link router DIR-655 (rev Bx) with firmware before 2.12b01 allows remote attackers to inject arbitrary web script or HTML via the html_response_page parameter.2015-01-054.3CVE-2014-9518
    BID
    CONFIRM
    SECUNIA
    e107 -- e107Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action.2015-01-026.8CVE-2014-9459
    CONFIRM
    MISC
    FULLDISC
    efssoft -- easy_file_sharing_web_serverCross-site scripting (XSS) vulnerability in Easy File Sharing Web Server 6.8 allows remote attackers to inject arbitrary web script or HTML via the username field during registration, which is not properly handled by forum.ghp.2015-01-024.3CVE-2014-9439
    XF
    EXPLOIT-DB
    elfutils_project -- elfutilsDirectory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils 0.152 and 0.161 allows remote attackers to write to arbitrary files to the root directory via a / (slash) in a crafted archive, as demonstrated using the ar program.2015-01-026.4CVE-2014-9447
    MLIST
    BID
    MLIST
    SECUNIA
    emc -- documentum_wdkMultiple cross-site scripting (XSS) vulnerabilities in EMC Documentum Web Development Kit (WDK) before 6.8 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-064.3CVE-2014-4635
    BUGTRAQ
    emc -- documentum_wdkCross-site request forgery (CSRF) vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to hijack the authentication of arbitrary users for requests that perform Docbase operations.2015-01-066.8CVE-2014-4636
    BUGTRAQ
    emc -- documentum_wdkOpen redirect vulnerability in EMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.2015-01-066.4CVE-2014-4637
    BUGTRAQ
    emc -- documentum_wdkEMC Documentum Web Development Kit (WDK) before 6.8 allows remote attackers to conduct frame-injection attacks and obtain sensitive information via unspecified vectors.2015-01-065.0CVE-2014-4638
    BUGTRAQ
    emc -- documentum_wdkEMC Documentum Web Development Kit (WDK) before 6.8 does not properly generate random numbers for a certain parameter related to Webtop components, which makes it easier for remote attackers to conduct phishing attacks via brute-force attempts to predict the parameter value.2015-01-065.0CVE-2014-4639
    BUGTRAQ
    exiv2 -- exiv2Buffer overflow in the RiffVideo::infoTagsHandler function in riffvideo.cpp in Exiv2 0.24 allows remote attackers to cause a denial of service (crash) via a long IKEY INFO tag value in an AVI file.2015-01-025.0CVE-2014-9449
    SECUNIA
    CONFIRM
    facebook_like_box_project -- facebook_like_boxMultiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, or (6) frm_height parameter in the slug_for_fb_like_box page to wp-admin/admin.php.2015-01-056.8CVE-2014-9524
    SECUNIA
    MISC
    frontend_uploader_project -- frontend_uploaderCross-site scripting (XSS) vulnerability in the Frontend Uploader plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the errors[fu-disallowed-mime-type][0][name] parameter to the default URI.2015-01-024.3CVE-2014-9444
    BID
    FULLDISC
    MISC
    ipcop -- ipcopCross-site scripting (XSS) vulnerability in cgi-bin/ipinfo.cgi in IPCop (aka IPCop Firewall) before 2.1.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. NOTE: this can be used to bypass the cross-site request forgery (CSRF) protection mechanism by setting the Referer.2015-01-024.3CVE-2013-7417
    XF
    MISC
    MISC
    MISC
    ipcop -- ipcopcgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter. NOTE: this can be exploited remotely by leveraging a separate cross-site scripting (XSS) vulnerability.2015-01-026.5CVE-2013-7418
    MISC
    MISC
    MISC
    justin_klein -- wp-vipergbMultiple cross-site request forgery (CSRF) vulnerabilities in the WP-ViperGB plugin before 1.3.11 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) vgb_page or (3) vgb_items_per_pg parameter in the wp-vipergb page to wp-admin/options-general.php.2015-01-026.8CVE-2014-9460
    CONFIRM
    XF
    XF
    MISC
    kajona -- kajonaCross-site scripting (XSS) vulnerability in the backend in Kajona before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via the action parameter to index.php.2015-01-084.3CVE-2015-0917
    CONFIRM
    CONFIRM
    MISC
    FULLDISC
    MISC
    kan-studio -- kandidat_cmsMultiple cross-site request forgery (CSRF) vulnerabilities in Kandidat CMS 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) modify settings via a validate action to admin/settings.php, (2) modify pages via the what parameter to admin/edit.php, or (3) modify articles via the edit parameter to admin/news.php.2015-01-036.8CVE-2010-5319
    MISC
    koha -- kohaMultiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl.2015-01-024.3CVE-2014-9446
    BID
    SECUNIA
    CONFIRM
    lightbox_photo_gallery_project -- lightbox_photo_galleryMultiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) ll__opt[image2_url] or (3) ll__opt[image3_url] parameter in a ll_save_settings action to wp-admin/admin-ajax.php.2015-01-026.8CVE-2014-9441
    XF
    MISC
    mediawiki -- mediawikiCross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the authentication of users with edit permissions for requests that cross-site scripting (XSS) attacks via the wpInput parameter, which is not properly handled in the preview.2015-01-045.1CVE-2014-9276
    CONFIRM
    MLIST
    MLIST
    SECTRACK
    memht -- memht_portalMultiple cross-site request forgery (CSRF) vulnerabilities in MemHT Portal 4.0.1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify settings via a configuration action to admin.php, (2) modify articles via an articles action to admin.php, or (3) modify credentials via a users action to admin.php.2015-01-036.8CVE-2010-5320
    MISC
    nyu -- opensso_integrationCross-site scripting (XSS) vulnerability in the logon page in NYU OpenSSO Integration 2.1 and earlier for Ex Libris Patron Directory Services (PDS) allows remote attackers to inject arbitrary web script or HTML via the url parameter.2015-01-024.3CVE-2014-7293
    MISC
    FULLDISC
    nyu -- opensso_integrationOpen redirect vulnerability in the logon page in NYU OpenSSO Integration 2.1 and earlier for Ex Libris Patron Directory Services (PDS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.2015-01-025.8CVE-2014-7294
    MISC
    FULLDISC
    MISC
    oetiker+partner_ag -- rrdtoolFormat string vulnerability in the rrdtool module 1.4.7 for Python, as used in Zenoss, allows context-dependent attackers to cause a denial of service (crash) via format string specifiers to the rrdtool.graph function.2015-01-045.0CVE-2013-2131
    MISC
    MISC
    MISC
    MLIST
    MLIST
    MLIST
    open-xchange -- open-xchange_appsuiteCross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite before 7.2.2-rev31, 7.4.0 before 7.4.0-rev27, and 7.4.1 before 7.4.1-rev17 allows remote attackers to inject arbitrary web script or HTML via the header in an attached SVG file.2015-01-054.3CVE-2014-1679
    MISC
    XF
    BUGTRAQ
    SECUNIA
    open-xchange -- open-xchange_appsuiteCross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type.2015-01-074.3CVE-2014-8993
    SECTRACK
    BUGTRAQ
    SECUNIA
    MISC
    openssl -- opensslThe BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.2015-01-085.0CVE-2014-3570
    CONFIRM
    openssl -- opensslOpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.2015-01-085.0CVE-2014-3571
    CONFIRM
    CONFIRM
    openssl -- opensslThe ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.2015-01-085.0CVE-2014-3572
    CONFIRM
    openssl -- opensslOpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.2015-01-085.0CVE-2014-8275
    CONFIRM
    CONFIRM
    openssl -- opensslThe ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.2015-01-085.0CVE-2015-0204
    CONFIRM
    openssl -- opensslThe ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a Diffie-Hellman (DH) certificate without requiring a CertificateVerify message, which allows remote attackers to obtain access without knowledge of a private key via crafted TLS Handshake Protocol traffic to a server that recognizes a Certification Authority with DH support.2015-01-085.0CVE-2015-0205
    CONFIRM
    openssl -- opensslMemory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (memory consumption) by sending many duplicate records for the next epoch, leading to failure of replay detection.2015-01-085.0CVE-2015-0206
    CONFIRM
    openstack -- image_registry_and_delivery_service_(glance)The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.2015-01-075.5CVE-2014-9493
    CONFIRM
    MLIST
    osclass -- osclassUnrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory.2015-01-056.8CVE-2014-8085
    BID
    BUGTRAQ
    FULLDISC
    MISC
    MISC
    CONFIRM
    paloaltonetworks -- pan-osCross-site scripting (XSS) vulnerability in the web-based device management interface in Palo Alto Networks PAN-OS before 5.0.15, 5.1.x before 5.1.10, and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Ref ID 64563.2015-01-064.3CVE-2014-3764
    CONFIRM
    SECUNIA
    papoo -- cms_papoo_lightMultiple cross-site scripting (XSS) vulnerabilities in CMS Papoo Light 6.0.0 (Rev 4701) allow remote attackers to inject arbitrary web script or HTML via the (1) author field to guestbook.php or (2) username field to account.php.2015-01-054.3CVE-2014-9522
    BID
    BUGTRAQ
    EXPLOIT-DB
    MISC
    MISC
    OSVDB
    pmb_services -- pmbSQL injection vulnerability in classes/mono_display.class.php in PMB 4.1.3 and earlier allows remote authenticated users to execute arbitrary SQL commands via the id parameter to catalog.php.2015-01-026.5CVE-2014-9457
    EXPLOIT-DB
    projectsend -- projectsendCross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) r561 allows remote attackers to inject arbitrary web script or HTML via the Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-1155; see CVE-2014-1155 for more information.2015-01-084.3CVE-2014-9580
    XF
    EXPLOIT-DB
    MISC
    quick_page/post_redirect_project -- quick_page/post_redirectCross-site request forgery (CSRF) vulnerability in the Quick Page/Post Redirect plugin before 5.0.5 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the quickppr_redirects[request][] parameter in the redirect-updates page to wp-admin/admin.php.2015-01-056.8CVE-2014-2598
    MISC
    XF
    EXPLOIT-DB
    SECUNIA
    FULLDISC
    MISC
    OSVDB
    OSVDB
    reality66 -- cart66_liteSQL injection vulnerability in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.4 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the q parameter in a promotionProductSearch action to wp-admin/admin-ajax.php.2015-01-026.5CVE-2014-9442
    MISC
    CONFIRM
    SECUNIA
    redcloth -- redcloth_libraryCross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.2015-01-074.3CVE-2012-6684
    MISC
    FULLDISC
    MISC
    MISC
    redhat -- libvirtThe qemu implementation of virConnectGetAllDomainStats in libvirt before 1.2.11 does not properly handle locks when a domain is skipped due to ACL restrictions, which allows a remote authenticated users to cause a denial of service (deadlock or segmentation fault and crash) via a request to access the users does not have privileges to access.2015-01-064.0CVE-2014-8131
    SUSE
    relevanssi -- relevanssiCross-site scripting (XSS) vulnerability in the Relevanssi plugin before 3.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-024.3CVE-2014-9443
    SECUNIA
    sap -- netweaver_business_client_for_htmlMultiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Business Client (NWBC) for HTML 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) roundtrips parameter, aka SAP Security Note 2051285.2015-01-074.3CVE-2014-9569
    MISC
    SECUNIA
    sefrengo -- sefrengoCross-site scripting (XSS) vulnerability in the administrative backend in Sefrengo before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter to backend/main.php.2015-01-084.3CVE-2015-0918
    MISC
    FULLDISC
    MISC
    simple_sticky_footer_project -- simple_sticky_footerMultiple cross-site request forgery (CSRF) vulnerabilities in the Simple Sticky Footer plugin before 1.3.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) simple_sf_width or (3) simple_sf_style parameter in the simple-simple-sticky-footer page to wp-admin/themes.php.2015-01-026.8CVE-2014-9454
    XF
    XF
    MISC
    simple_visitor_stat_project -- simple_visitor_statMultiple cross-site scripting (XSS) vulnerabilities in simple-visitor-stat.php in the Simple visitor stat plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP User-Agent or (2) HTTP Referer header.2015-01-024.3CVE-2014-9453
    XF
    MISC
    sliding_social_icons_project -- sliding_social_iconsMultiple cross-site request forgery (CSRF) vulnerabilities in the Sliding Social Icons plugin 1.61 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_social_slider_margin parameter in a wpbs_save_settings action in the wpbs_panel page to wp-admin/admin.php.2015-01-026.8CVE-2014-9437
    XF
    MISC
    smartcat -- our_team_showcaseMultiple cross-site request forgery (CSRF) vulnerabilities in the Our Team Showcase (our-team-enhanced) plugin before 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_our_team_member_count parameter in the sc_team_settings page to wp-admin/edit.php.2015-01-056.8CVE-2014-9523
    MISC
    social_microblogging_pro_project -- social_microblogging_proCross-site scripting (XSS) vulnerability in Social Microblogging PRO 1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI, related to the "Web Site" input in the Profile section.2015-01-054.3CVE-2014-9516
    EXPLOIT-DB
    OSVDB
    strongswan -- strongswanstrongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) via a crafted IKEv2 Key Exchange (KE) message with Diffie-Hellman (DH) group 1025.2015-01-075.0CVE-2014-9221
    CONFIRM
    SECUNIA
    SECUNIA
    sysaid -- sysaidAbsolute path traversal vulnerability in SysAid On-Premise before 14.4.2 allows remote attackers to read arbitrary files via a \\\\ (four backslashes) in the fileName parameter to getRdsLogFile.2015-01-025.0CVE-2014-9436
    XF
    EXPLOIT-DB
    FULLDISC
    MISC
    timed_popup_project -- timed_popupMultiple cross-site request forgery (CSRF) vulnerabilities in the Timed Popup (wp-timed-popup) plugin 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_popup_subtitle parameter in the wp-popup.php page to wp-admin/options-general.php.2015-01-056.8CVE-2014-9525
    XF
    XF
    MISC
    typo3 -- typo3The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set and using a homepage with links that only contain anchors, allows remote attackers to change URLs to arbitrary domains for those links via unknown vectors.2015-01-044.3CVE-2014-9508
    vbulletin -- vbulletinCross-site request forgery (CSRF) vulnerability in the Moderator Control Panel in vBulletin 4.2.2 allows remote attackers to hijack the authentication of administrators for requests that (1) ban a user via the username parameter in a dobanuser action to modcp/banning.php or (2) unban a user, (3) modify user profiles, edit a (4) post or (5) topic, or approve a (6) post or (7) topic via unspecified vectors.2015-01-026.8CVE-2014-9438
    MISC
    XF
    MISC
    vdgsecurity -- vdg_senseDirectory traversal vulnerability in VDG Security SENSE (formerly DIVA) 2.3.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI to images/.2015-01-025.0CVE-2014-9452
    MISC
    XF
    BID
    FULLDISC
    MISC
    vdgsecurity -- vdg_senseVDG Security SENSE (formerly DIVA) before 2.3.15 allows remote attackers to bypass authentication, and consequently read and modify arbitrary plugin settings, via an encoded : (colon) character in the Authorization HTTP header.2015-01-086.4CVE-2014-9575
    MISC
    FULLDISC
    MISC
    vdgsecurity -- vdg_senseVDG Security SENSE (formerly DIVA) 2.3.13 has a hardcoded password of (1) ArpaRomaWi for the root Postgres account and !DVService for the (2) postgres and (3) NTP Windows user accounts, which allows remote attackers to obtain access.2015-01-085.0CVE-2014-9576
    MISC
    FULLDISC
    MISC
    vdgsecurity -- vdg_senseVDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.2015-01-084.0CVE-2014-9577
    MISC
    FULLDISC
    MISC
    vdgsecurity -- vdg_senseVDG Security SENSE (formerly DIVA) 2.3.13 performs authentication with a password hash instead of a password, which allows remote attackers to gain login access by leveraging knowledge of password hash.2015-01-085.0CVE-2014-9578
    MISC
    FULLDISC
    MISC
    vdgsecurity -- vdg_senseVDG Security SENSE (formerly DIVA) 2.3.13 stores administrator credentials in cleartext, which allows attackers to obtain sensitive information by reading the plugin configuration files.2015-01-085.0CVE-2014-9579
    MISC
    FULLDISC
    MISC
    zohocorp -- manageengine_adselfservice_plusCross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.2015-01-074.3CVE-2014-3779
    XF
    MISC
    Back to top

    Low Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    absolutengine -- absolut_engineCross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via the title parameter.2015-01-023.5CVE-2014-9434
    BID
    MISC
    FULLDISC
    linuxcontainers -- cgmanagercmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors.2015-01-072.1CVE-2014-1425
    mantisbt -- mantisbtMantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.2015-01-043.5CVE-2014-9506
    CONFIRM
    DEBIAN
    MLIST
    mediawiki -- mediawikiMediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgContentHandlerUseDB is enabled, allows remote attackers to conduct cross-site scripting (XSS) attacks by setting the content model for a revision to JS.2015-01-042.6CVE-2014-9507
    reality66 -- cart66_liteDirectory traversal vulnerability in models/Cart66.php in the Cart66 Lite plugin before 1.5.4 for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the member_download action to wp-admin/admin-ajax.php.2015-01-023.5CVE-2014-9461
    CONFIRM
    MISC
    CONFIRM
    Back to top

    This product is provided subject to this Notification and this Privacy & Use policy.


  • SB15-005: Vulnerability Summary for the Week of December 29, 2014
    Original release date: January 05, 2015

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    High Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    ajaxplorer -- ajaxplorerUnrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format parameter of a move operation.2014-12-277.5CVE-2013-6227
    MISC
    cray -- cray_linux_environmentapinit on Cray devices with CLE before 4.2.UP02 and 5.x before 5.1.UP00 does not use alpsauth data to validate the UID in a launch message, which allows local users to gain privileges via a modified aprun program, aka ID FN5912.2014-12-267.2CVE-2014-0748
    MISC
    easewe_software -- easewe_ftp_ocx_activex_controlThe EaseWeFtp.FtpLibrary ActiveX control in EaseWeFtp.ocx in Easewe FTP OCX 4.5.0.9 does not restrict access to certain methods, which allows remote attackers to execute arbitrary files via a pathname in the first argument to the (1) Execute or (2) Run method, (3) write to arbitrary files via a pathname in the argument to the CreateLocalFile method, (4) create arbitrary directories via a pathname in the argument to the CreateLocalFolder method, or (5) delete arbitrary files via a pathname in the argument to the DeleteLocalFile method.2014-12-317.5CVE-2011-5292
    MISC
    exponentcms -- exponent_cmsDirectory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.2014-12-297.5CVE-2013-3295
    MISC
    facebook -- hiphop_virtual_machineCRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.2014-12-287.5CVE-2014-2208
    CONFIRM
    facebook -- hiphop_virtual_machineInteger overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split function.2014-12-287.5CVE-2014-6228
    CONFIRM
    gogago -- gogago_youtube_video_converterBuffer overflow in the Download method in a certain ActiveX control in MDIEEx.dll in Gogago YouTube Video Converter 1.1.6 allows remote attackers to execute arbitrary code via a long argument.2015-01-019.3CVE-2011-5295
    MISC
    ipswitch -- tftp_serverDirectory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.2014-12-277.8CVE-2011-4722
    XF
    OSVDB
    EXPLOIT-DB
    SECTRACK
    SECUNIA
    MISC
    minibb -- minibbbb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to index.php.2014-12-317.5CVE-2014-9254
    MISC
    SECUNIA
    nakahira -- cdnvoteMultiple SQL injection vulnerabilities in cdnvote-post.php in the cdnvote plugin before 0.4.2 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) cdnvote_post_id or (2) cdnvote_point parameter.2015-01-017.5CVE-2011-5308
    MISC
    CONFIRM
    CONFIRM
    openbsd -- libresslDouble free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a certain length-verification error during processing of a DTLS handshake.2014-12-287.5CVE-2014-9424
    CONFIRM
    MISC
    php -- phpDouble free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.2014-12-307.5CVE-2014-9425
    MLIST
    CONFIRM
    CONFIRM
    CONFIRM
    php -- phpThe apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors.2014-12-307.5CVE-2014-9426
    CONFIRM
    CONFIRM
    redaxscript -- redaxscriptMultiple SQL injection vulnerabilities in includes/password.php in Redaxscript 0.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) password parameter to the password_reset program.2015-01-017.5CVE-2011-5313
    MISC
    redmine -- redmine_git_hosting_plugingit_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.2014-12-277.5CVE-2013-4663
    MISC
    schneider_electric -- proclimaBuffer overflow in an ActiveX control in Atx45.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8512. NOTE: this may be clarified later based on details provided by researchers.2014-12-2710.0CVE-2014-8511
    CONFIRM
    schneider_electric -- proclimaBuffer overflow in an ActiveX control in Atx45.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8511. NOTE: this may be clarified later based on details provided by researchers.2014-12-277.5CVE-2014-8512
    schneider_electric -- proclimaBuffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8514 and CVE-2014-9188. NOTE: this may be clarified later based on details provided by researchers.2014-12-277.5CVE-2014-8513
    schneider_electric -- proclimaBuffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-9188. NOTE: this may be clarified later based on details provided by researchers.2014-12-277.5CVE-2014-8514
    schneider_electric -- proclimaBuffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-8514. NOTE: this may be clarified later based on details provided by researchers.2014-12-279.0CVE-2014-9188
    social_slider_project -- social_sliderSQL injection vulnerability in social-slider-2/ajax.php in the Social Slider plugin before 7.4.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the rA array parameter.2014-12-317.5CVE-2011-5286
    MISC
    softaculous -- webuzoindex.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.2014-12-277.5CVE-2013-6041
    MISC
    soundexchange -- soundexchangeMultiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 and earlier allow remote attackers to have unspecified impact via a crafted WAV file to the (1) start_read or (2) AdpcmReadBlock function.2014-12-317.5CVE-2014-8145
    BID
    MISC
    threediffy -- threedify_designerThe cmdSave method in the ThreeDify.ThreeDifyDesigner.1 ActiveX control in ActiveSolid.dll in ThreeDify Designer 5.0.2 allows remote attackers to write to arbitrary files via a pathname in the argument.2014-12-319.3CVE-2011-5293
    MISC
    threedify -- threedify_designerMultiple buffer overflows in the ThreeDify.ThreeDifyDesigner.1 ActiveX control in ActiveSolid.dll in ThreeDify Designer 5.0.2 allow remote attackers to execute arbitrary code via a long argument to the (1) cmdExport, (2) cmdImport, (3) cmdOpen, or (4) cmdSave method.2014-12-319.3CVE-2011-5288
    MISC
    umbraco -- umbraco_cmsThe update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.2014-12-277.5CVE-2013-4793
    MISC
    videolan -- vlc_media_playerMultiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.2014-12-267.5CVE-2010-1441
    MLIST
    videolan -- vlc_media_playerVideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.2014-12-267.5CVE-2010-1442
    MLIST
    videolan -- vlc_media_playerThe ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.2014-12-267.5CVE-2010-1444
    MLIST
    CONFIRM
    videolan -- vlc_media_playerHeap-based buffer overflow in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream in an RTMP session.2014-12-267.5CVE-2010-1445
    MLIST
    videolan -- vlc_media_playerInteger underflow in the real_get_rdt_chunk function in real.c, as used in modules/access/rtsp/real.c in VideoLAN VLC media player before 1.0.1 and stream/realrtsp/real.c in MPlayer before r29447, allows remote attackers to execute arbitrary code via a crafted length value in an RDT chunk header.2014-12-267.5CVE-2010-2062
    MISC
    FULLDISC
    MLIST
    CONFIRM
    videolan -- vlc_media_playerMultiple stack-based buffer overflows in VideoLAN VLC media player before 1.0.2 allow remote attackers to execute arbitrary code via (1) a crafted ASF file, related to the ASF_ObjectDumpDebug function in modules/demux/asf/libasf.c; (2) a crafted AVI file, related to the AVI_ChunkDumpDebug_level function in modules/demux/avi/libavi.c; or (3) a crafted MP4 file, related to the __MP4_BoxDumpStructure function in modules/demux/mp4/libmp4.c.2014-12-267.5CVE-2011-3623
    CONFIRM
    MLIST
    CONFIRM
    CONFIRM
    CONFIRM
    videowhisper -- videowhisper_live_streaming_integrationUnrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.2014-12-2910.0CVE-2014-1905
    MISC
    Back to top

    Medium Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    amcharts -- flashMultiple cross-site scripting (XSS) vulnerabilities in amCharts Flash 1 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ampie.swf; the message element in the chart_data parameter to (3) amcolumn.swf, (4) amline.swf, (5) amradar.swf, or (6) amxy.sw; or (7) the settings_file parameter to amstock.swf.2014-12-274.3CVE-2012-1303
    MISC
    ammap_project -- ammapMultiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or (3) the data_file parameter to amtimeline.swf.2014-12-274.3CVE-2012-1302
    MISC
    apache -- http_servermod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different arguments within different contexts, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging multiple Require directives, as demonstrated by a configuration that specifies authorization for one group to access a certain directory, and authorization for a second group to access a second directory.2014-12-294.3CVE-2014-8109
    CONFIRM
    CONFIRM
    CONFIRM
    MLIST
    ashampoo_gmbh_&_co. -- ashampoo_3d_cad_professional_3The SaveData method in the Cygnicon.ViewControl.1 ActiveX control in CyViewer.ocx in Ashampoo 3D CAD Professional 3.x before 3.0.2 allows remote attackers to write to arbitrary files via a pathname in the first argument.2014-12-316.4CVE-2011-5291
    MISC
    bugfree -- bugfreeMultiple cross-site scripting (XSS) vulnerabilities in BugFree 2.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the ActionType parameter to Bug.php, the ReportMode parameter to (2) Report.php or (3) ReportLeft.php, or the PATH_INFO to (4) AdminProjectList.php, (5) AdminGroupList.php, or (6) AdminUserLogList.php.2014-12-314.3CVE-2011-5285
    MISC
    cambio_project -- cambioCross-site request forgery (CSRF) vulnerability in admin/index.php in Cambio 0.5a nightly r37 allows remote attackers to hijack the authentication of administrators for requests that modify credentials via a user save action.2015-01-016.8CVE-2011-5316
    MISC
    cherry-design -- wikipadCross-site scripting (XSS) vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.2015-01-014.3CVE-2011-5309
    MISC
    cherry-design -- wikipadDirectory traversal vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter.2015-01-015.0CVE-2011-5310
    MISC
    cherry-design -- wikipadCross-site request forgery (CSRF) vulnerability in pages.php in Wikipad 1.6.0 allows remote attackers to hijack the authentication of administrators for requests that modify pages via the data[text] parameter.2015-01-016.8CVE-2011-5311
    MISC
    clausmuus -- spitfireCross-site scripting (XSS) vulnerability in Spitfire CMS 1.0.436 allows remote attackers to inject arbitrary web script or HTML via a cms_username cookie.2015-01-014.3CVE-2011-5303
    MISC
    db_backup_project -- db_backupDirectory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for Wordpress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.2014-12-315.0CVE-2014-9119
    MISC
    XF
    MLIST
    dflabs -- ptkCross-site request forgery (CSRF) vulnerability in lib/logout.php in DFLabs PTK 1.0.5 and earlier allows remote attackers to hijack the authentication of administrators or investigators for requests that trigger a logout.2014-12-276.8CVE-2012-1415
    EXPLOIT-DB
    diafan -- diafan.cmsMultiple cross-site request forgery (CSRF) vulnerabilities in diafan.CMS before 5.1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify articles via a save_post action to admin/news/saveNEWS_ID/, (2) modify settings via a save_post action to admin/site/save2/, or (3) modify credentials via a save_post action to admin/usersite/save2/.2015-01-016.8CVE-2011-5318
    MISC
    diego_uscanga -- atube_catcherThe SaveDecrypted method in the ChilkatCrypt2.ChilkatOmaDrm.1 ActiveX control in ChilkatCrypt2.dll in aTube Catcher 2.3.570 allows remote attackers to write to arbitrary files via a pathname in the argument.2014-12-316.4CVE-2011-5289
    MISC
    doorkeeper_project -- doorkeeperCross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors.2014-12-316.8CVE-2014-8144
    CONFIRM
    XF
    MLIST
    emc -- rsa_bsafeEMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.6 and RSA BSAFE SSL-J before 6.1.4 do not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."2014-12-304.3CVE-2014-4630
    MISC
    BUGTRAQ
    emc -- appsyncUnquoted Windows search path vulnerability in EMC Replication Manager through 5.5.2 and AppSync before 2.1.0 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.2014-12-304.6CVE-2014-4634
    BUGTRAQ
    eucalyptus -- eucalyptusThe cloud controller (aka CLC) component in Eucalyptus 3.3.x and 3.4.x before 3.4.2, when the dns.recursive.enabled setting is used, allows remote attackers to cause a denial of service (traffic amplification) via spoofed DNS queries.2014-12-264.3CVE-2013-4769
    facebook -- hiphop_virtual_machineFacebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.2014-12-285.0CVE-2014-2209
    CONFIRM
    facebook -- hiphop_virtual_machineThe mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector.2014-12-285.0CVE-2014-5386
    CONFIRM
    facebook -- hiphop_virtual_machineThe HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string, and makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging truncation of a string containing an internal '\0' character.2014-12-285.0CVE-2014-6229
    CONFIRM
    gollos -- gollosMultiple cross-site scripting (XSS) vulnerabilities in Gollos 2.8 allow remote attackers to inject arbitrary web script or HTML via the returnurl parameter to (1) register.aspx, (2) publication/info.aspx, or (3) user/add.aspx, or (4) the q parameter to product/list.aspx.2015-01-014.3CVE-2011-5312
    MISC
    gslideshow_project -- gslideshowMultiple cross-site request forgery (CSRF) vulnerabilities in the gSlideShow plugin 0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) rss, (2) display_time or (3) transistion_time parameter in the gslideshow.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9391
    MISC
    hesk -- heskMultiple cross-site scripting (XSS) vulnerabilities in HESK before 2.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) hesk_settings[tmp_title] or (2) hesklang[ENCODING] parameter to inc/header.inc.php; the hesklang[attempt] parameter to (3) inc/assignment_search.inc.php, (4) inc/attachments.inc.php, (5) inc/common.inc.php, (6) inc/database.inc.php, (7) inc/prepare_ticket_search.inc.php, (8) inc/print_tickets.inc.php, (9) inc/show_admin_nav.inc.php, (10) inc/show_search_form.inc.php, or (11) inc/ticket_list.inc.php; or (12) the PATH_INFO to language/en/text.php.2014-12-314.3CVE-2011-5287
    MISC
    hillstone_software -- hs_tftp_serverHillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.2014-12-275.0CVE-2011-4720
    MISC
    ibm -- security_identity_managerCross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager 5.1 before 5.1.0.15 IF0056 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.2014-12-286.0CVE-2014-6168
    XF
    idrive_inc -- idrive_online_backupThe SaveToFile method in the UniBasicPack.UniTextBox ActiveX control in UniBasic100_EDA1811C.ocx in IDrive Online Backup 3.4.0 allows remote attackers to write to arbitrary files via a pathname in the first argument.2014-12-316.4CVE-2011-5290
    MISC
    jce-tech -- video_niche_scriptMultiple cross-site scripting (XSS) vulnerabilities in view.php in JCE-Tech PHP Video Script (aka Video Niche Script) 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) video or (2) title parameter.2014-12-314.3CVE-2014-8752
    BID
    MISC
    FULLDISC
    kofax -- kofax_e-transactions_sender_sendboxThe SaveMessage method in the LEADeMail.LEADSmtp.20 ActiveX control in LTCML14n.dll 14.0.0.34 in Kofax e-Transactions Sender Sendbox 2.5.0.933 allows remote attackers to write to arbitrary files via a pathname in the first argument.2015-01-016.4CVE-2011-5294
    MISC
    kubelabs -- phpdugMultiple cross-site scripting (XSS) vulnerabilities in PHPDug 2.0.0 allow remote attackers to inject arbitrary web script or HTML via (1) the story_url parameter to add_story.php, (2) the email parameter to editprofile.php, (3) the title parameter to adm/content_add.php, or (4) the username parameter to adm/admin_edit.php.2015-01-014.3CVE-2011-5301
    MISC
    kubelabs -- phpdugCross-site request forgery (CSRF) vulnerability in adm/admin_edit.php in PHPDug 2.0.0 allows remote attackers to hijack the authentication of administrators for requests that modify credentials.2015-01-016.8CVE-2011-5302
    MISC
    libssh -- libsshDouble free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet.2014-12-285.0CVE-2014-8132
    CONFIRM
    nginx -- nginxThe STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.2014-12-294.3CVE-2014-3556
    CONFIRM
    CONFIRM
    open-xchange -- open-xchange_appsuiteThe Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL statement for next-year birthdays, which allows remote authenticated users to obtain sensitive birthday, displayname, firstname, and surname information via a birthdays action to api/contacts, aka bug 29315.2014-12-274.0CVE-2013-6241
    CONFIRM
    BUGTRAQ
    photosmash_project -- photosmashCross-site scripting (XSS) vulnerability in index.php in the PhotoSmash plugin 1.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.2015-01-014.3CVE-2011-5307
    MISC
    phpthumb_project -- phpthumbThe default configuration of phpThumb before 1.7.12 has a false value for the disable_debug option, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks via the src parameter.2014-12-274.3CVE-2013-6919
    CONFIRM
    MISC
    pictobrowser_project -- pictobrowserCross-site request forgery (CSRF) vulnerability in the PictoBrowser (pictobrowser-gallery) plugin 0.3.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the pictoBrowserFlickrUser parameter in the options-page.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9392
    MISC
    plogger -- ploggerPlogger 1.0 RC1 and earlier, when the Lucid theme is used, does not assign new values for certain codes, which makes it easier for remote attackers to bypass the CAPTCHA protection mechanism via a series of form submissions.2014-12-295.0CVE-2014-2224
    MISC
    pommo -- pommo-ardvarkMultiple cross-site scripting (XSS) vulnerabilities in poMMo Aardvark PR16.1 allow remote attackers to inject arbitrary web script or HTML via (1) the referer parameter to index.php, (2) the site_name parameter to admin/setup/config/general.php, (3) the group_name parameter to admin/subscribers/subscribers_groups.php, or (4) the field_name parameter to admin/setup/setup_fields.php.2015-01-014.3CVE-2011-5299
    MISC
    pommo -- pommo-ardvarkCross-site request forgery (CSRF) vulnerability in admin/setup/config/users.php in poMMo Aardvark PR16.1 allows remote attackers to hijack the authentication of administrators for requests that modify credentials via certain admin_ parameters.2015-01-016.8CVE-2011-5300
    MISC
    post_to_twitter_project -- post_to_twitterMultiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) idptt_twitter_username or (2) idptt_tweet_prefix parameter to wp-admin/options-general.php.2014-12-316.8CVE-2014-9393
    MISC
    pwgrandom_project -- pwgrandomMultiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) pwgrandom_title or (2) pwgrandom_category parameter in the pwgrandom page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9394
    MISC
    redaxscript -- redaxscripttemplates/default/index.php in Redaxscript 0.3.2 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.2015-01-015.0CVE-2011-5314
    MISC
    s9y -- serendipityMultiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php.2014-12-314.3CVE-2014-9432
    CONFIRM
    BUGTRAQ
    MISC
    FULLDISC
    sensiolabs -- symfonyThe Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.2014-12-275.0CVE-2013-5958
    simpleflickr_project -- simpleflickrMultiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simpleflickr_width, (2) simpleflickr_bgcolor, or (3) simpleflickr_xmldatapath parameter in the simpleFlickr.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9396
    MISC
    simplelife_project -- simplelifeMultiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simplehoverback, (2) simplehovertext, (3) flickrback, or (4) simple_flimit parameter in the simplelife.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9395
    MISC
    smoothwall -- smoothwallCross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action.2014-12-314.3CVE-2011-5283
    EXPLOIT-DB
    MISC
    OSVDB
    smoothwall -- smoothwallCross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that perform a reboot via a request to cgi-bin/shutdown.cgi.2014-12-316.8CVE-2011-5284
    EXPLOIT-DB
    MISC
    OSVDB
    smoothwall -- smoothwallMultiple cross-site scripting (XSS) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to inject arbitrary web script or HTML via the (1) PROFILENAME parameter in a Save action to httpd/cgi-bin/pppsetup.cgi or (2) COMMENT parameter in an Add action to httpd/cgi-bin/ddns.cgi.2014-12-314.3CVE-2014-9429
    MISC
    smoothwall -- smoothwallCross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action.2014-12-314.3CVE-2014-9430
    MISC
    smoothwall -- smoothwallMultiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi.2014-12-316.8CVE-2014-9431
    MISC
    sodahead -- sodahead_pollsMultiple cross-site scripting (XSS) vulnerabilities in the Sodahead Polls plugin before 2.0.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) the poll_id parameter to customizer.php or (2) the customize parameter to poll.php.2015-01-014.3CVE-2011-5304
    MISC
    MISC
    softaculous -- webuzoThe login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.2014-12-275.0CVE-2013-6043
    MISC
    CONFIRM
    syndeocms -- syndeocmsCross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action.2014-12-276.8CVE-2012-1203
    EXPLOIT-DB
    tribal -- tribiq_cmsThe (1) templatewrap/templatefoot.php, (2) cmsjs/plugin.js.php, and (3) cmsincludes/cms_plugin_api_link.inc.php scripts in Tribal Tribiq CMS before 5.2.7c allow remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.2014-12-294.3CVE-2011-2727
    MISC
    ttfreeware -- tigertoms_chat_roomMultiple cross-site scripting (XSS) vulnerabilities in TTChat 1.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter to default.php or (2) the username parameter to chat_form.php.2015-01-014.3CVE-2011-5297
    MISC
    tuttophp -- happy_chatCross-site scripting (XSS) vulnerability in profilo.php in Happy Chat 1.0 allows remote attackers to inject arbitrary web script or HTML via the nick parameter.2015-01-014.3CVE-2011-5296
    MISC
    tweetscribe_project -- tweetscribeCross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the tweetscribe_username parameter in a save action in the tweetscribe.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9399
    MISC
    twiki -- twikiMultiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences.2014-12-314.3CVE-2014-9325
    SECTRACK
    FULLDISC
    MISC
    twiki -- twikiIncomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in the scope parameter to do/view/TWiki/WebSearch.2014-12-314.3CVE-2014-9367
    SECTRACK
    FULLDISC
    MISC
    twimp-wp_project -- twimp-wpCross-site request forgery (CSRF) vulnerability in the twimp-wp plugin for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the message_format parameter in the twimp-wp.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9397
    MISC
    twitter_liveblog_project -- twitter_liveblogCross-site request forgery (CSRF) vulnerability in the Twitter LiveBlog plugin 1.1.2 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the mashtlb_twitter_username parameter in the twitter-liveblog.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9398
    MISC
    videolan -- vlc_media_playerThe parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format (XSPF) document.2014-12-265.0CVE-2010-1443
    MLIST
    CONFIRM
    videowhisper -- videowhisper_live_streaming_integrationThe error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.2014-12-295.0CVE-2014-1908
    MISC
    viralheat -- argyle_socialMultiple cross-site request forgery (CSRF) vulnerabilities in Argyle Social 2011-04-26 allow remote attackers to hijack the authentication of administrators for requests that (1) modify credentials via the role parameter to users/create/, (2) modify rules via the terms field in stream_filter_rule JSON data to settings-ajax/stream_filter_rules/create, or (3) modify efforts via the title field in effort JSON data to publish-ajax/efforts/create.2015-01-016.8CVE-2011-5298
    MISC
    whcms_project -- whcmsCross-site request forgery (CSRF) vulnerability in admin/index.php in whCMS 0.115 alpha allows remote attackers to hijack the authentication of administrators for requests that modify credentials via a user save action.2015-01-016.8CVE-2011-5315
    MISC
    wondercms -- wondercmsCross-site scripting (XSS) vulnerability in editText.php in WonderCMS before 0.4 allows remote attackers to inject arbitrary web script or HTML via the content parameter.2015-01-014.3CVE-2011-5317
    MISC
    wp_limit_posts_automatically_project -- wp_limit_posts_automaticallyCross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9401
    MISC
    wp_unique_article_header_image_project -- wp_unique_article_header_imageMultiple cross-site request forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin 1.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) gt_default_header or (2) gt_homepage_header parameter in the wp-unique-header.php page to wp-admin/options-general.php.2014-12-316.8CVE-2014-9400
    MISC
    zaunz_gmbh -- cosmoshopMultiple cross-site scripting (XSS) vulnerabilities in CosmoShop ePRO 10.05.00 allow remote attackers to inject arbitrary web script or HTML via (1) the rcopy parameter to cgi-bin/admin/rubrikadmin.cgi, (2) the typ parameter to cgi-bin/admin/artikeladmin.cgi, or (3) the suchbegriff parameter to cgi-bin/admin/shophilfe_suche.cgi.2015-01-014.3CVE-2011-5305
    MISC
    zaunz_gmbh -- cosmoshopCross-site request forgery (CSRF) vulnerability in cgi-bin/admin/setup_edit.cgi in CosmoShop ePRO 10.05.00 allows remote attackers to hijack the authentication of administrators for requests that modify settings via a setup action.2015-01-016.8CVE-2011-5306
    MISC
    Back to top

    Low Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    avast! -- avast!_internet_securityInteger overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5.0 Korean Trial allows local users to cause a denial of service (memory corruption and panic) via a crafted IOCTL_ASWFW_COMM_PIDINFO_RESULTS DeviceIoControl request to \\.\aswFW.2014-12-272.1CVE-2010-5075
    MISC
    MISC
    MISC
    BID
    claroline -- clarolineMultiple cross-site scripting (XSS) vulnerabilities in Claroline 1.11.9 and earlier allow remote authenticated users to inject arbitrary web script or HTML via (1) the Search field in an inbox action to messaging/messagebox.php, (2) the "First name" field to auth/profile.php, or (3) the Speakers field in an rqAdd action to calendar/agenda.php.2014-12-263.5CVE-2013-4753
    MISC
    contenido -- contendioMultiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.2014-12-312.6CVE-2014-9433
    BUGTRAQ
    MISC
    SECUNIA
    FULLDISC
    ibm -- rational_appscan_sourceIBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.2014-12-282.1CVE-2014-6123
    XF
    ibm -- websphere_service_registry_and_repositoryIBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.2014-12-282.1CVE-2014-6160
    XF
    AIXAPAR
    owl -- intranet_knowledgebaseMultiple cross-site scripting (XSS) vulnerabilities in Owl Intranet Knowledgebase 1.10 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Search field to browse.php or (2) the Title field to prefs.php.2014-12-263.5CVE-2013-4754
    MISC
    Back to top

    This product is provided subject to this Notification and this Privacy & Use policy.


CERT Technical Feed

US-CERT Alerts
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • TA14-353A: Targeted Destructive Malware
    Original release date: December 19, 2014 | Last revised: December 25, 2014

    Systems Affected

    Microsoft Windows

    Overview

    US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

    SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and file is copied and run on the newly-infected host.

    Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200 www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.

    Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks. There are no callback domains associated with this malware since connections are inbound only on a specified port number.

    Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

    Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the host, the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data (There is a caveat for machines installed with the windows 7 operating system: windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until after reboot, in which the infected MBR then wipes the drive.) If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.

    Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

    Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. Checking for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32” or create a new share “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”. Hostname, username, and password are then obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.

    Technical and strategic mitigation recommendations are included in the Solution section below.

    US-CERT recommends reviewing the Security Tip Handling Destructive Malware #ST13-003.

    Description

    Cyber threat actors are using an SMB worm to conduct cyber exploitation activities.  This tool contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.

    The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a C2 infrastructure.

    Impact

    Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.

    Solution

    Users and administrators are recommended to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
    • Review Security Tip Handling Destructive Malware #ST13-003 and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
    • Review Recommended Practices for Control Systems, and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (pdf).

    The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

    Import Hashes:

    SMB worm tool:

    Import hash: f6f48551d7723d87daeef2e840ae008f

    Characterization: File Hash Watchlist

    Notes: "SMB worm tool"

            Earliest PE compile Time: 20141001T072107Z

            Most Recent PE compile Time: 20141001T072107Z

     

    Import hash: 194ae075bf53aa4c83e175d4fa1b9d89

    Characterization: File Hash Watchlist

    Notes: "SMB worm tool"

             Earliest PE compile Time: 20141001T120954Z

             Most Recent PE compile Time: 20141001T142138Z

     

    Lightweight backdoor:

    Import hash: f57e6156907dc0f6f4c9e2c5a792df48

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20110411T225224Z

             Latest PE compile time: 20110411T225224Z

     

    Import hash: 838e57492f632da79dcd5aa47b23f8a9

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20110517T050015Z

             Latest PE compile time: 20110605T204508Z

     

    Import hash: 11c9374cea03c3b2ca190b9a0fd2816b

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20110729T062417Z

             Latest PE compile time: 20110729T062958Z

     

    Import hash: 7fb0441a08690d4530d2275d4d7eb351

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20120128T071327Z

             Latest PE compile time: 20120128T071327Z

     

    Import hash: 7759c7d2c6d49c8b0591a3a7270a44da

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20120309T105837Z

             Latest PE compile time: 20120309T105837Z

     

    Import hash: 7e48d5ba6e6314c46550ad226f2b3c67

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20120311T090329Z

             Latest PE compile time: 20120311T090329Z

     

    Import hash: 0a87c6f29f34a09acecce7f516cc7fdb

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20120325T053138Z

             Latest PE compile time: 20130513T090422Z

     

    Import hash: 25fb1e131f282fa25a4b0dec6007a0ce

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20130802T054822Z

             Latest PE compile time: 20130802T054822Z

     

    Import hash: 9761dd113e7e6673b94ab4b3ad552086

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20130913T013016Z

             Latest PE compile time: 20130913T013016Z

     

    Import hash: c905a30badb458655009799b1274205c

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20140205T090906Z

             Latest PE compile time: 20140205T090906Z

     

    Import hash: 40adcd738c5bdc5e1cc3ab9a48b3df39

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20140320T152637Z

             Latest PE compile time: 20140402T023748Z

     

    Import hash: 68a26b8eaf2011f16a58e4554ea576a1

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20140321T014949Z

             Latest PE compile time: 20140321T014949Z

     

    Import hash: 74982cd1f3be3d0acfb0e6df22dbcd67

    Characterization: File Hash Watchlist

    Notes: "Lightweight backdoor"

             Earliest PE compile time: 20140506T020330Z

             Latest PE compile time: 20140506T020330Z

     

    Proxy tool:

    Import hash: 734740b16053ccc555686814a93dfbeb

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140611T064905Z

             Latest PE compile time: 20140611T064905Z

     

    Import hash: 3b9da603992d8001c1322474aac25f87

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140617T035143Z

             Latest PE compile time: 20140617T035143Z

     

    Import hash: e509881b34a86a4e2b24449cf386af6a

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time : 20140618T064527Z

             Latest PE compile time: 20140618T064527Z

     

    Import hash: 9ab7f2bf638c9d911c2c742a574db89e

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140724T011233Z

             Latest PE compile time: 20140724T011233Z

     

    Import hash: a565e8c853b8325ad98f1fac9c40fb88

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140724T065031Z

             Latest PE compile time: 20140902T135050Z

     

    Import hash: 0bb82def661dd013a1866f779b455cf3

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140819T024812Z

             Latest PE compile time: 20140819T024812Z

     

    Import hash: b8ffff8b57586d24e1e65cd0b0ad9173

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140902T172442Z

             Latest PE compile time: 20140902T172442Z

     

    Import hash: 4ef0ad7ad4fe3ef4fb3db02cd82bface

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20141024T134136Z

             Latest PE compile time: 20141024T134136Z

     

    Import hash: eb435e86604abced7c4a2b11c4637a52

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140526T010925Z

             Latest PE compile time: 20140526T010925Z

     

    Import hash: ed7a9c6d9fc664afe2de2dd165a9338c

    Characterization: File Hash Watchlist

    Notes: "Proxy tool"

             Earliest PE compile time: 20140611T064904Z

     

    Destructive hard drive tool:

    Import hash: 8dec36d7f5e6cbd5e06775771351c54e

    Characterization: File Hash Watchlist

    Notes: "Destructive hard drive tool"

             Earliest PE compile time: 20120507T151820Z

             Latest PE compile time: 20120507T151820Z

     

    Import hash: a385900a36cad1c6a2022f31e8aca9f7

    Characterization: File Hash Watchlist

    Notes: "Destructive target cleaning tool"

             Earliest PE compile time: 20130318T003315Z

             Latest PE compile time: 20130318T003315Z

     

    Import hash: 7bea4323807f7e8cf53776e24cbd71f1

    Characterization: File Hash Watchlist

    Notes: "Destructive target cleaning tool"

             Earliest PE compile time: 20130318T003319Z

             Latest PE compile time: 20130318T003319Z

     

    Name: d1c27ee7ce18675974edf42d4eea25c6.bin

    Size: 268579 bytes (268.6 KB)

    MD5: D1C27EE7CE18675974EDF42D4EEA25C6

    PE Compile Time: 2014-11-22 00:06:54

     

    The malware has the following characteristics:

    While the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops destructive malware: “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument, and then terminated. The second instance of the dropper file installed itself as the “WinsSchMgmt” service with “-k” as a command line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

     

    Name: net_ver.dat

    Size: 4572 bytes (4.6 KB)  (size will vary)

    MD5: 93BC819011B2B3DA8487F964F29EB934  (hash will vary)

     

    This is a log file created by the dropper, and appended to as the scans progress  It contains what appear to be hostnames, IP addresses, and the number 2.   Entries in the file have the structure “HOSTNAME | IP Address | 2”.

     

    Name: igfxtrayex.exe

    Size: 249856 bytes (249.9 KB)

    MD5: 760C35A80D758F032D02CF4DB12D3E55

    PE Compile Time: 2014-11-24 04:11:08

     

    This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “–i” argument. After 10 minutes, the “igfxtrayex.exe” makes three copies of itself and places them in the same directory from which it was executed. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order to port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued after which the computer is shut down and rebooted.

     

    Name: iissvr.exe

    Size: 114688 bytes (114.7 KB)

    MD5: E1864A55D5CCB76AF4BF7A0AE16279BA

    PE Compile Time: 2014-11-13 02:05:35

     

    This file, when executed, starts a listener on localhost port 80. It has 3 files contained in the resource section; all xor’d with 0x63.

     

    Name: usbdrv3_32bit.sys

    Size: 24280 bytes (24.3 KB)

    MD5: 6AEAC618E29980B69721158044C2E544

    PE Compile Time: 2009-08-21 06:05:32

     

    This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

     

    Name: usbdrv3_64bit.sys

    Size: 28120 bytes (28.1 KB)

    MD5: 86E212B7FC20FC406C692400294073FF

    PE Compile Time: 2009-08-21 06:05:35

     

    This SYS file is a also a commercially available tool that allows read/write access to files and raw disk sectors for user mode applications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

     

    Name: igfxtpers.exe

    Size: 91888 bytes (91.9 KB)

    MD5: e904bf93403c0fb08b9683a9e858c73e

    PE Compile Time: 2014-07-07 08:01:09

     

    A summary of the C2 IP addresses:

    IP Address

    Country

    Port

    Filename

    203.131.222.102

    Thailand

    8080

    Diskpartmg16.exe
    igfxtrayex.exe
    igfxtpers.exe

    217.96.33.164

    Poland

    8000

    Diskpartmg16.exe
    igfxtrayex.exe

    88.53.215.64

    Italy

    8000

    Diskpartmg16.exe
    igfxtrayex.exe

    200.87.126.116

    Bolivia

    8000

    --

    58.185.154.99

    Singapore

    8080

    --

    212.31.102.100

    Cypress

    8080

    --

    208.105.226.235

    United States

    --

    igfxtpers.exe

     

    Snort signatures:

    SMB Worm Tool (not necessarily the tool itself):

    alert tcp any any -> any any (msg:"Wiper 1"; sid:42000001; rev:1; flow:established; content:"|be 64 ba f2 a8 64|"; depth:6; offset:16; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Wiper 2"; sid:42000002; rev:1; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Wiper 3"; sid:42000003; rev:1; flow:established; content:"|aa 64 ba f2 56|"; depth:50; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Wiper 4"; sid:42000004; rev:1; content:"|aa 74 ba f2 b9 75|"; depth:74; classtype:bad-unknown;)

    alert tcp any any -> any [8000,8080] (msg:"Wiper 5"; sid:42000005; rev:1; flow:established,to_server; dsize:42; byte_test:2,=,40,0,little; content:"|04 00 00 00|"; depth:4; offset:38; classtype:bad-unknown;)

     

    Listening Implant:

    alert tcp any any -> any any (msg:"Listening Implant 1"; sid:42000006; rev:1; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 2"; sid:42000007; rev:1; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 3"; sid:42000008; rev:1; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 4"; sid:42000009; rev:1; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 5"; sid:42000010; rev:1; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 6"; sid:42000011; rev:1; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 7"; sid:42000012; rev:1; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 8"; sid:42000013; rev:1; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 9"; sid:42000014; rev:1; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 10"; sid:42000015; rev:1; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 11"; sid:42000016; rev:1; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 12"; sid:42000017; rev:1; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; classtype:bad-unknown;)

     

    Lightweight Backdoor:

    alert tcp any 488 -> any any (msg:"Lightweight Backdoor 1"; sid:42000018; rev:1; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any 488 (msg:"Lightweight Backdoor 2"; sid:42000019; rev:1; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 3"; sid:42000020; rev:1; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 4"; sid:42000021; rev:1; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; classtype:bad-unknown;)

    alert tcp any 488 -> any any (msg:"Lightweight Backdoor 5"; sid:42000022; rev:1; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any 488 (msg:"Lightweight Backdoor 6"; sid:42000023; rev:1; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any [547,8080,133,117,189,159] -> any any (msg:"Lightweight Backdoor 7"; sid:42000024; rev:1; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 8"; sid:42000025; rev:1; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 9"; sid:42000026; rev:1; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 10"; sid:42000027; rev:1; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; content:"BC435@PRO62384923412!@3!"; nocase; classtype:bad-unknown;)

     

    Proxy Tool:

    alert tcp any any -> any any (msg:"Proxy Tool 1"; sid:42000028; rev:1; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Proxy Tool 2"; sid:42000029; rev:1; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Proxy Tool 3"; sid:42000030; rev:1; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern:only; classtype:bad-unknown;)

     

    Malware associated with the cyber threat actor:

    alert tcp any any -> any [8000,8080] (msg:"WIPER4";flow: established, to_server;dsize:42;content:"|28 00|";depth:2;content:"|04 00 00 00|";offset:38;depth:4;sid:123;)

     

    Host Based Indicators

    Below are potential YARA signatures to detect malware binaries on host machines:

     

    SMB Worm Tool:

    strings:

    $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"

    $STR2 ="EVERYONE"

    $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"

    $STR4 = "\\KB25468.dat" condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) ==0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = ''NetMgStart"

    $STR2 = ''Netmgmt.srg"

    condition:

    (uint16(0) == 0x5A4D) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = "prxTroy" ascii wide nocase

    condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1  62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp

    condition:

    (uintl6(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}

    $STR2 = {SA 10 80?? 79 80 ?? 4E 88 10}

    condition:

    (uintl6(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Proxy Tool:

    strings:

    $STR1 = "pmsconfig.msi" wide

    $STR2 = "pmslog.msi" wide

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them

     

    Proxy Tool:

    strings:

    $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 Dl  C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7

    condition:

    (uint16(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Proxy Tool:

    strings:

    $STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}

    condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2

     

    Destructive Hard Drive Tool:

    strings:

    $str0= "MZ"

    $str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }

    $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08

    F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }

    condition:

    $str0 at 0 and $xorInLoop and #str1 > 300

     

    Destructive Target Cleaning Tool:

    strings:

    $s1  = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}

    condition:

    (uintl6(0) == 0x5A4D and uintl6(uint32(0x3c)) == 0x4550) and all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $secureWipe= { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 CO 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3}

    condition:

    $secureWipe

     

    Destructive Target Cleaning Tool:

    strings:

    $S1_CMD_Arg = ""/install'"' fullword

    $S2_CMD_Parse= ""\""%s'"'  /install \""%s\""'"' fullword

    $S3_CMD_Builder= ""\'"'%s\""  \""%s\'"' \""%s\'"' %s'"' fullword

    condition:

    all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $BATCH_SCRIPT_LN1_0 = ""goto x"" fullword

    $BATCH_SCRIPT_LN1_1 = '"'del"" fullword

    $BATCH_SCRIPT_LN2_0 = ""if exist"" fullword

    $BATCH_SCRIPT_LN3_0 = "":x'"' fullword

    $BATCH_SCRIPT_LN4_0 = ""zz%d.bat"'' fullword

    condition:

    (#BATCH_SCRIPT_LNl_l == 2) and all of them"

     

    Destructive Target Cleaning Tool:

    strings:

    $MCU_DLL_ZLIB_COMPRESSED2=

    {5CECABAE813CC9BCD5A542F454910428343479806F71D5521E2AOD}

    condition:

    $MCU_DLL_ZLIB_COMPRESSED2"

     

    Destructive Target Cleaning Tool:

    strings:

    $MCU_INF_StartHexDec =

    {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A50 3A0D2A000E00A26El5104556766572636C7669642E657865}

    $MCU_INF_StartHexEnc =

    {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263ElF5413531FlE004543544C55}

    condition:

    $MCU_INF_StartHexEnc or

    $MCU_INF_StartHexDec

    Destructive Target Cleaning Tool:

    strings:

    $ = "SetFilePointer"

    $ = "SetEndOfFile"

    $ = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ffD5 56 ff 15?? ?? ??

    ?? 56}

    condition:

    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $license=

    {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}

    $PuTTY= {50007500540054005900}

    condition:

    (uint16(0) == 0x5A4D and uintl6(uint32(0x3c)) == 0x4550) and $license and not $PuTTY

     

    Malware used by cyber threat actor:

    strings:

    $heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}

    $heapCreateFunction =

    {558BECB82C120000E8????FFFF8D8568FFFFFF5350C78568FFFFFF94000000FF1????????085C0741A83BD78FFFFFF02751183BD6CFFFFFF0572086A0158E9020100008D85D4EDFFF68901000005068???????0FF15???????085C00F84D000000033DB8D8DD4EDFFFF389DD4EDFFFF74138A013C617C083C7A7F042C20880141381975ED8D85D4EDFFFF6A165068???????0E8????000083C40C85C075088D85D4EDFFFFEB498D8564FEFFFF68040100005053FF15???????0389D64FEFFFF8D8D64FEFFFF74138A013C617C083C7A7F042C20880141381975ED8D8564FEFFFF508D85D4EDFFFF50E8????????59593BC3743E6A2C50E8????????593BC3597430408BC83818740E80393B75048819EB0141381975F26A0A5350E8????000083C40C83F802741D83F803741883F80174138D45FC50E898FEFFFF807DFC06591BC083C0035BC9C3}

    $getMajorMinorLinker =

    {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}

    $openServiceManager =

    {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}

    condition:

    all of them

     

    Malware used by cyber threat actor:

    strings:

    $str1 = "_quit"

    $str2 = "_exe"

    $str3 = "_put"

    $str4 = "_got"

    $str5 = "_get"

    $str6 ="_del"

    $str7 = "_dir"

    $str8 = { C7 44 24 18 1F F7}

    condition:

    (uintl6(0) == 0x5A4D or uintl6(0) == 0xCFD0  or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Malware used by cyber threat actor:

    strings:

    $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }

    condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Recommended Security Practices

    Because of the highly destructive functionality of the malware, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. Actual impact to organizations may vary depending on the type and number of systems impacted.

    Tactical Mitigations

    • Implement the indicators of compromise within your systems for detection and mitigation purposes.
    • Encourage users to transfer critical files to network shares, to allow for central backed up.
    • Execute daily backups of all critical systems.
    • Periodically execute an “offline” backup of critical files to removable media.
    • Establish emergency communications plans should network resources become unavailable.
    • Isolate any critical networks (including operations networks) from business systems.
    • Identify critical systems and evaluate the need for having on-hand spares to quickly restore service.
    • Ensure antivirus is up to date.
    • Disable credential caching for all desktop devices with particular importance on critical systems such as servers and restrict the number of cached credential for all portable devices to no more than three if possible. This can be accomplished through a Group Policy Object (GPO).
    • Disable AutoRun and Autoplay for any removable media device.
    • Prevent or limit the use of all removable media devices on systems to limit the spread or introduction of malicious software and possible exfiltration data, except where there is a valid business case for use. This business case must be approved by the organization Chief IT Security Officer, with policy/guidance on how such media should be used.
    • Consider restricting account privileges. It is our recommendation that all daily operations should be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties. Lastly, disable Web and email capabilities on administrative accounts. Compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.
    • Ensure that password policy rules are enforced and Admin password values are changed periodically.
    • Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way with the low integrity environment trusting the higher integrity environment.
    • Consider deployment of a coaching page with click through acceptance; these are traditionally deployed in an environment to log the acceptance of network acceptable use policy or to notify users of monitoring. Coaching pages also provide some measure of protection from automated malicious activity. This occurs because automated malware is normally incapable of physically clicking an acceptance radial button. Automated malware is traditionally hardcoded to execute, then retrieve commands or additional executables from the Internet. If the malware is unable to initiate an active connection, the full train of infection is potentially halted. The danger still exists that the physical user will authorize access, but through the use of coaching pages, infections can be limited or at least the rate of infection reduced.
    • Monitor logs -- Maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.
    • Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.

    Strategic Mitigations

    • Organizations should review Security Tip Handling Destructive Malware #ST13-003 and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
    • Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.
    • Implement network segmentation through V-LANs to limit the spread of malware.
    • Consider the deployment of Software Restriction Policy set to only allow the execution of approved software (application whitelisting)
    • Recommend the whitelisting of legitimate executable directories to prevent the execution of potentially malicious binaries.
    • Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
    • Consider deploying a two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access.
    • Deny direct Internet access, except through the use of proxies for Enterprise servers and workstations. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.
    • Implement a Secure Socket Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
    • Isolate network services, such as email and Web application servers by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.
    • Implement best practice guidance and policy to restrict the use of non-Foundation assets for processing or accessing Foundation-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate owned devices.
    • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
    • Place control system networks behind firewalls, and isolate or air gap them from the business network.
    • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
    • Industrial Control System (ICS)-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

    References

    Revision History

    • December 19, 2014: Initial Release
    • December 24, 2014: Updates to information in the Solutions section.

    This product is provided subject to this Notification and this Privacy & Use policy.


  • TA14-329A: Regin Malware
    Original release date: November 25, 2014

    Systems Affected

    Microsoft Windows NT, 2000, XP, Vista, and 7

    Overview

    On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

    Description

    Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.  

    Impact

    Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

    Solution

    Users and administrators are recommended to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

    The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

    MD5s: [1]

    Stage 1 files, 32 bit:

    06665b96e293b23acc80451abb413e50

    187044596bc1328efa0ed636d8aa4a5c

    1c024e599ac055312a4ab75b3950040a

    2c8b9d2885543d7ade3cae98225e263b

    4b6b86c7fec1c574706cecedf44abded

    6662c390b2bbbd291ec7987388fc75d7

    b269894f434657db2b15949641a67532

    b29ca4f22ae7b7b25f79c1d4a421139d

    b505d65721bb2453d5039a389113b566

    26297dc3cd0b688de3b846983c5385e5

    ba7bb65634ce1e30c1e5415be3d1db1d

    bfbe8c3ee78750c3a520480700e440f8

    d240f06e98c8d3e647cbf4d442d79475

    ffb0b9b5b610191051a7bdf0806e1e47

    Unusual stage 1 files apparently compiled from various public source codes merged with malicious code:

    01c2f321b6bfdb9473c079b0797567ba

    47d0e8f9d7a6429920329207a32ecc2e

    744c07e886497f7b68f6f7fe57b7ab54

    db405ad775ac887a337b02ea8b07fddc

    Stage 1, 64-bit system infection:

    bddf5afbea2d0eed77f2ad4e9a4f044d

    c053a0a3f1edcbbfc9b51bc640e808ce

    e63422e458afdfe111bd0b87c1e9772c

    Stage 2, 32 bit:

    18d4898d82fcb290dfed2a9f70d66833

    b9e4f9d32ce59e7c4daf6b237c330e25

    Stage 2, 64 bit:

    d446b1ed24dad48311f287f3c65aeb80

    Stage 3, 32 bit:

    8486ec3112e322f9f468bdea3005d7b5

    da03648948475b2d0e3e2345d7a9bbbb

    Stage 4, 32 bit:

    1e4076caa08e41a5befc52efd74819ea

    68297fde98e9c0c29cecc0ebf38bde95

    6cf5dc32e1f6959e7354e85101ec219a

    885dcd517faf9fac655b8da66315462d

    a1d727340158ec0af81a845abd3963c1

    Stage 4, 64 bit:

    de3547375fbf5f4cb4b14d53f413c503

    Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

    Registry branches used to store malware stages 2 and 3:

    \REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

    IP IOCs [3]:

    61.67.114.73

    202.71.144.113

    203.199.89.80

    194.183.237.145

    References

    Revision History

    • November 25, 2014: Initial Release

    This product is provided subject to this Notification and this Privacy & Use policy.


  • TA14-323A: Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability
    Original release date: November 19, 2014 | Last revised: November 25, 2014

    Systems Affected

    • Microsoft Windows Vista, 7, 8, and 8.1
    • Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2

    Overview

    A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]

    Description

    The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

    At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.

    Impact

    A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the domain, including the domain controller. [2]

    Solution

    An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and Microsoft Research Security and Defense Blog for more details, and apply the necessary updates.[1, 3

    References

    Revision History

    • November 19, 2014: Initial Draft
    • November 25, 2014: Revised formatting

    This product is provided subject to this Notification and this Privacy & Use policy.


Valid XHTML 1.0 Transitional CSS ist valide!