[Full-disclosure] CVE-2014-1214 - Remote Code Execution in Projoom NovaSFH Plugin

Vulnerability title: Remote Code Execution in Projoom NovaSFH Plugin CVE: CVE-2014-1214 Vendor: Projoom Product: NovaSFH Plugin Version: 3.0.3 Reported by: Yuri Kramarz Details: The PHP executable which is responsible for handling file upload functionality allows arbitrary files to be uploaded to

Re: [Full-disclosure] [CVE-2014-1860] PHP object insertion / possible RCE in Contao CMS = 3.2.4

Hello again, today a little bird known as i0n1c twitted something about me [1], claiming that I was wrong, and that CVE-2014-1860 could actually be exploited, because there is S: which allows encoded NUL bytes [2], and that's true in part. So, instead of using a string like this:

[Full-disclosure] Information on recently-fixed Oracle VM VirtualBox vulnerabilities

Hi there, Recently I found a few vulnerabilities in Oracle VM VirtualBox, the open-source virtualization product. These have already been reported to the project, fixed and disclosed in the form of the recent January 2014 Oracle Critical Patch Update (at

[Full-disclosure] Visa (Europe) XSS Vulnerability

Visa (Europe) Website Vulnerability == Published Report: 07/02/2014 Credits: Advanced Information Security Corporation, USA Severity: High/Critical (OWASP TOP 10) Type: Web Application / Cross-Site Scripting Attack. Author: Nicholas Lemonias. (Information Security

Re: [Full-disclosure] [CVE-2014-1860] PHP object insertion / possible RCE in Contao CMS = 3.2.4

I haven't read the whole thread, so I apologize in advance for commenting on it. But I think it's important to mention that not a vulnerability and not exploitable are entirely different concepts. Since conclusively proving that a vulnerability is 100% not exploitable for all code paths in all

[Full-disclosure] gpEasy v4.3.x CMS - Multiple Web Vulnerabilities

Document Title: === gpEasy v4.3.x CMS - Multiple Web Vulnerabilities References (Source): http://www.vulnerability-lab.com/get_content.php?id=1189 Release Date: = 2014-02-06 Vulnerability Laboratory ID (VL-ID):

[Full-disclosure] Facebook Bug Bounty #12 - Client Side Exception Web Vulnerability

Document Title: === Facebook Bug Bounty #12 - Client Side Exception Web Vulnerability References (Source): http://www.vulnerability-lab.com/get_content.php?id=1190 Facebook Security ID: 186072579 Release Date: = 2014-02-07 Vulnerability

[Full-disclosure] New vulnerabilities in Google Maps plugin for Joomla

Hello list! Last year I wrote about multiple vulnerabilities in Google Maps plugin. After my informing the developer fixed them, but this year I found new vulnerabilities. These are Denial of Service and Insufficient Anti-automation vulnerabilities in Google Maps plugin for Joomla.

[Full-disclosure] [SECURITY] [DSA 2856-1] libcommons-fileupload-java security update

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2856-1 secur...@debian.org http://www.debian.org/security/Florian Weimer February 07, 2014

[Full-disclosure] Bank of the West security contact?

Anyone have security contact at Bank of the West? -- Kristian Erik Hermansen https://www.linkedin.com/in/kristianhermansen https://profiles.google.com/kristian.hermansen ___ Full-Disclosure - We believe in it. Charter: