Apr 2, 2013
Xibo Directory Traversal Vulnerability (DS-2013-003)
Security researcher Mahendra has discovered a directory traversal issue in the Xibo application. The vulnerability exists because the application does not properly handle malicious input from users and may allow an attacker to gain access to sensitive files outside of the web root directory. READ MORE
Feb 25, 2013
Websense TRITON Unified Security Center Multiple Vulnerabilities (DS-2013-002)
As a part of ongoing research, Detica has identified a number of significant vulnerabilities in Websense TRITON Unified Security Center that could be used to undermine the confidentiality, integrity and availability of the application. READ MORE
Feb 7, 2013
Microsoft System Center Operations Manager (SCOM) Cross-Site Scripting (DS-2013-001)
Security researcher Andy Yang discovered a cross-site scripting vulnerability in both Microsoft System Center Operations Manager 2007 and Microsoft System Center Operations Manager 2007 R2. The vulnerability exists because the web console does not properly handle dangerous JavaScript elements contained within a specially crafted request. This vulnerability allows an attacker to inject malicious code and other active content into web pages. READ MORE
Nov 28, 2012
Oracle BI Publisher Multiple Vulnerabilities (SS-2012-008)
Security researcher Andy Yang has identified two significant application vulnerabilities in Oracle BI Publisher 10.1.3.4.2, 11.1.1.5.0, 11.1.1.6.0 and 11.1.1.6.2, including XML external entity dereferencing and cross-site scripting. READ MORE
Oct 31, 2012
Intramaps Multiple Vulnerabilities (SS-2012-007)
Stratsec identified a number of security vulnerabilities including SQL injection, XQuery injection, Cross-site scripting (XSS),Cross-site request forgery (XSRF), Information disclosure and Remote file inclusion in Intramaps 7.0.128; Rev 318. READ MORE
Sep 19, 2012
Microsoft System Center Configuration Manager (SCCM) Cross-Site Scripting (SS-2012-006)
Security researcher Andy Yang discovered a cross-site scripting vulnerability in both Microsoft Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2. The vulnerability exists because the web console does not properly handle dangerous JavaScript elements contained within a specially crafted request. This vulnerability allows an attacker to inject malicious code and other active content into web pages. READ MORE
May 24, 2012
ActiveCollab Multiple Vulnerabilities (SS-2012-005)
Stratsec security researchers Andrew Horton, Steven Seeley and Pedram Hayati have identified a number of high risk security vulnerabilities including remote code execution, remote command execution, SQL injection, authentication bypass, XQuery injection, username enumeration and cross-site scripting (reflective and persistent) in ActiveCollab 2.3.4 and its modules. The latest fully patched version of the application was used at the time of discovery. READ MORE
Mar 19, 2012
Joomla CMS Blind SQL Injection (SS-2012-004)
Joomla is a free and open source content management system (CMS) for developing,
publishing and maintaining websites and web applications. stratsec researcher Sow Ching Shiong has identified a blind SQL Injection vulnerability in the Joomla CMS. This issue was confirmed to be present in the default configuration of the current 2.5.1 release. The issue potentially permits access to the backend database and thus may allow complete compromise of CMS contents and unauthorised access to CMS functionality. READ MORE
Mar 1, 2012
IBM Personal Communications I-Series Access WorkStation 5.9 Profile Buffer Overflow (SS-2012-003)
The IBM Personal Communications I-Series application WorkStation is vulnerable to a stack-based buffer overflow which was discovered by Rocco Calvi.
The vulnerability exists within a file parsing function of the application, where data is copied to a location in memory which exceeds the size of the reserved destination area. This target buffer is located on the runtime program stack. This vulnerability exists in PCOMM versions 5.9.0 to 5.9.7 and 6.0.0 to 6.0.3. READ MORE
Feb 23, 2012
Microsoft SharePoint 2010 Cross-Site Scripting (SS-2012-002)
Security researcher Rocco Calvi discovered a cross-site scripting vulnerability in the latest version of Microsoft SharePoint Foundation 2010 and Microsoft Office SharePoint Server 2010. The vulnerability exists because Microsoft SharePoint does not properly handle dangerous JavaScript elements contained within a specially crafted URL. This vulnerability allows an attacker to inject malicious code and other active content into web pages which other users could be leveraged into visiting. This type of vulnerability can result in information disclosure or elevation of privileges if the user clicks on the specially crafted URL. An attacker could use malicious JavaScript to issue SharePoint commands in the context of the authenticated victim user on the targeted SharePoint site. READ MORE