Shakacon VII - Honolulu, Hawaii
Sun, Surf, and C Shells
CALL FOR PAPERS
Who: Shakacon Crew
Advisory: Reflecting XSS vulnerabilities, unrestricted file upload and
underlying CSRF in Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta
Advisory ID: SROEADV-2015-14
Author: Steffen Rösemann
Affected Software: Landsknecht Adminsystems CMS v. 4.0.1 (DEV, beta version)
Since my last post, I have learned from Andrew Nacin (the lead developer of
WordPress and security team member that I was corresponding with) that my
emails weren't ignored, they were lost to an aggressive spam filter.
Despite this, he has admitted fault for not following up on the bug report.
NetGear WNDR Authentication Bypass / Information Disclosure
Peter Adkins peter.adkins () kernelpicnic.net
Local network; unauthenticated access.
Remote network; unauthenticated access*.
Tracking and identifiers:
CVE - Mitre contacted; not yet allocated.
CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerable Versions: Version 6
Tested Version: Version 6
Advisory Publication: Feb
CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security
Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vulnerable Versions: 5.1.3 5.0.5 4.2.2 3.8.7 3.6.7 3.6.0 3.5.4
Tested Version: 5.1.3
On Tue, Feb 10, 2015 at 4:50 PM, Scott Arciszewski sc...@arciszewski.me wrote:
Ticket opened: 2014-06-25
On Thu, Feb 12, 2015, at 02:10 AM, Scott Arciszewski wrote:
The security risk of the security vulnerability in the facebook
framework is estimated as critical. (CVSS 9.1)
Care to run that calculation by us?
If this does work, you'd be able to enumerate
The vulnerability is related to the insufficient filtration in HTMLawed.
Existing filter can be bypassed and paste into the HTML tag img onerror
event, that leads to stored XSS.
I notified the developers of existing vulnerabilities and they closed it in
Does anyone know if Microsoft have patched this yet?
On Wed Feb 04 2015 at 09:05:26 David Leo email@example.com wrote:
Microsoft was notified on Oct 13, 2014.
Joey thank you very much for your words.
On 2015/2/3 4:53, Joey Fowler wrote:
nice is an
Even though deleting everything is kind of a big deal, it still does not
get you anywhere near that CVSS score.
Here's my very generous calculator inputs:
Sent through the Full Disclosure mailing list