Avisos Tecnicos INTECO (España)

Syndicate content
Avisos y alertas de INCIBE es
Updated: 2 hours 46 min ago

CVE-2014-8142

Fri, 12/19/2014 - 21:00
*** Pendiente de traducción *** Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. 2014-12-19T23:00:00Z
Categories: Alertas

CVE-2014-9408

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9407

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via a request to agency-delete.php, (2) tracker-delete.php, or (3) userlog-delete.php in admin/ or (4) unlink accounts via a request to admin-user-unlink.php. (5) advertiser-user-unlink.php, or (6) affiliate-user-unlink.php in admin/. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9403

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9381

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause a denial of service (crash) via a crafted password, which triggers a large memory allocation. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9380

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 8.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a packet containing only a CVS_LOGIN signature. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9379

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** The radius_get_attribute function in dissectors/ec_radius.c in Ettercap 8.1 performs an incorrect cast, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which triggers a stack-based buffer overflow. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9378

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Ettercap 8.1 does not validate certain return values, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted (1) name to the parse_line function in mdns_spoof/mdns_spoof.c or (2) base64 encoded password to the dissector_imap function in dissectors/ec_imap.c. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9377

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Heap-based buffer overflow in the nbns_spoof function in plug-ins/nbns_spoof/nbns_spoof.c in Ettercap 8.1 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a large netbios packet. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9376

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Integer underflow in Ettercap 8.1 allows remote attackers to cause a denial of service (out-of-bounds write) and possibly execute arbitrary code via a small (1) size variable value in the dissector_dhcp function in dissectors/ec_dhcp.c, (2) length value to the dissector_gg function in dissectors/ec_gg.c, or (3) string length to the get_decode_len function in ec_utils.c or a request without a (4) username or (5) password to the dissector_TN3270 function in dissectors/ec_TN3270.c. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9368

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Cross-site request forgery (CSRF) vulnerability in the twitterDash plugin 2.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the username_twitterDash parameter in the twitterDash.php page to wp-admin/options-general.php. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9355

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9341

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Multiple cross-site request forgery (CSRF) vulnerabilities in the yURL ReTwitt plugin 1.4 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) yurl_login or (2) yurl_anchor parameter in the yurl page to wp-admin/options-general.php. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9340

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Multiple cross-site request forgery (CSRF) vulnerabilities in the wpCommentTwit plugin 0.5 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) username or (2) password parameter in the wpCommentTwit.php page to wp-admin/options-general.php. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9339

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Multiple cross-site request forgery (CSRF) vulnerabilities in the SPNbabble plugin 1.4.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) username or (2) password parameter in the spnbabble.php page to wp-admin/options-general.php. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9338

Thu, 12/18/2014 - 21:00
*** Pendiente de traducción *** Multiple cross-site request forgery (CSRF) vulnerabilities in the O2Tweet plugin 0.0.4 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) o2t_username or (2) o2t_tags parameter to wp-admin/options-general.php. 2014-12-18T23:00:00Z
Categories: Alertas

CVE-2014-9406

Wed, 12/17/2014 - 21:00
*** Pendiente de traducción *** ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php. 2014-12-17T23:00:00Z
Categories: Alertas

CVE-2014-8901

Wed, 12/17/2014 - 21:00
*** Pendiente de traducción *** IBM DB2 9.5 through FP10, 9.7 through FP10, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP5 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted XML query. 2014-12-17T23:00:00Z
Categories: Alertas

CVE-2014-8890

Wed, 12/17/2014 - 21:00
*** Pendiente de traducción *** IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations. 2014-12-17T23:00:00Z
Categories: Alertas

CVE-2014-8120

Wed, 12/17/2014 - 21:00
*** Pendiente de traducción *** The agent in Thermostat before 1.0.6, when using unspecified configurations, allows local users to obtain the JMX management URLs of all local Java virtual machines and gain privileges via unknown vectors. 2014-12-17T23:00:00Z
Categories: Alertas