Re: [FD] CVE request: remote code execution in Android CTS

2014-10-20 Thread Jann Horn
On Sun, Oct 19, 2014 at 07:28:33PM +1000, Lord Tuskington wrote: CTS parses api-coverage.xsl without providing the FEATURE_SECURE_PROCESSING option. See lines 60-67 of cts/tools/cts-api-coverage/src/com/android/cts/apicoverage/HtmlReport.java: InputStream xsl =

[FD] CVE-2014-7292 Newtelligence dasBlog Open Redirect Vulnerability

2014-10-20 Thread Jing Wang
Exploit Title: Newtelligence dasBlog Open Redirect Vulnerability Product: dasBlog Vendor: Newtelligence Vulnerable Versions: 2.3 (2.3.9074.18820) 2.2 (2.2.8279.16125) 2.1 (2.1.8102.813) Tested Version: 2.3 (2.3.9074.18820) Advisory Publication: OCT 15, 2014 Latest Update: OCT 15, 2014 Vulnerability

[FD] Mozilla mozilla.org Two Sub-Domains ( Cross Reference) XSS Vulnerability ( All URLs Under the Two Domains)

2014-10-20 Thread Jing Wang
Domains: http://lxr.mozilla.org/ http://mxr.mozilla.org/ (The two domains above are almost the same) Websites information: lxr.mozilla.org, mxr.mozilla.org are cross references designed to display the Mozilla source code. The sources displayed are those that are currently checked in to the

[FD] AST-2014-011: Asterisk Susceptibility to POODLE Vulnerability

2014-10-20 Thread Asterisk Security Team
Asterisk Project Security Advisory - AST-2014-011 Product: Asterisk Summary: Asterisk Susceptibility to POODLE Vulnerability Nature of Advisory: Unauthorized Data Disclosure