VARIoT IoT vulnerabilities database

Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0518, and CVE-2014-0519. This vulnerability CVE-2014-0517 , CVE-2014-0518 ,and CVE-2014-0519 Is a different vulnerability.An attacker may be able to bypass access restrictions. This may aid in further attacks. Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-plugins/adobe-flash-11.2.20= 2.359" References ========== [ 1 ] CVE-2014-0510 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0510 [ 2 ] CVE-2014-0516 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0516 [ 3 ] CVE-2014-0517 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0517 [ 4 ] CVE-2014-0518 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0518 [ 5 ] CVE-2014-0519 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0519 [ 6 ] CVE-2014-0520 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0520 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0496-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0496.html Issue date: 2014-05-14 CVE Names: CVE-2014-0510 CVE-2014-0516 CVE-2014-0517 CVE-2014-0518 CVE-2014-0519 CVE-2014-0520 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-14, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0516) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.359. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1081615 - CVE-2014-0510 flash-plugin: use-after-free flaw leads to arbitrary code execution 1097369 - CVE-2014-0517 CVE-2014-0518 CVE-2014-0519 CVE-2014-0520 flash-plugin: security protection bypass (APSB14-14) 1097372 - CVE-2014-0516 flash-plugin: same origin policy bypass (APSB14-14) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.359-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.359-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.359-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.359-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.359-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.359-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.359-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.359-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.359-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.359-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0510.html https://www.redhat.com/security/data/cve/CVE-2014-0516.html https://www.redhat.com/security/data/cve/CVE-2014-0517.html https://www.redhat.com/security/data/cve/CVE-2014-0518.html https://www.redhat.com/security/data/cve/CVE-2014-0519.html https://www.redhat.com/security/data/cve/CVE-2014-0520.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-14.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTc7YiXlSAg2UNWIIRAssWAJ9aF/xWa3i5nn7IJzgoKVfxkA5AUQCgo+In Qm8sAIfnwqTa5TXOxeHxYWY= =F88V -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

The firmware before 3.66E in IBM BladeCenter Advanced Management Module (AMM), the firmware before 1.43 in IBM Integrated Management Module (IMM), and the firmware before 4.15 in IBM Integrated Management Module II (IMM2) contains cleartext IPMI credentials, which allows attackers to execute arbitrary IPMI commands, and consequently establish a blade remote-control session, by leveraging access to (1) the chassis internal network or (2) the Ethernet-over-USB interface. Multiple IBM Products are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. The vulnerability stems from the fact that the program stores plaintext IPMI certificates. An attacker can exploit this vulnerability to execute arbitrary IPMI commands and establish a remote control session of the blade

D-Link DWC-1000 'thispage' has a directory traversal vulnerability, because the input submitted to platform.cgi via the \"thispage\" POST parameter is not fully filtered before being used to read the file, allowing remote attackers to exploit the vulnerability through directory traversal and The NULL byte of the URL encoding reads the contents of any file in the system. D-Link DWC-1000 is an enterprise router product of D-Link. D-Link DWC-1000 4.2.0.6_WW and earlier versions have a directory traversal vulnerability. An attacker could use this vulnerability to gain access to arbitrary files. D-Link DWC-1000 is prone to a directory-traversal vulnerability. Information harvested may aid in launching further attacks

Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet. plural YOKOGAWA Product extended test function package BKESimmgr.exe Contains a stack-based buffer overflow vulnerability.A third party may be able to execute arbitrary code via a crafted packet. The Yokogawa CENTUM CS3000 is a production control system. Yokogawa's multiple product simulator management process has a stack buffer overflow vulnerability due to the Yokogawa CENTUM CS3000 BKESimmgr.exe service failing to properly use memcpy to handle user-submitted special requests, allowing remote attackers to exploit vulnerabilities for buffer overflow attacks, making applications The context executes arbitrary code. Multiple Yokogawa products are prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. Successful exploits may allow an attacker to execute arbitrary code with system privileges. Failed attempts will likely cause a denial-of-service condition. Yokogawa CENTUM CS, etc. are all products of Japan's Yokogawa Electric (Yokogawa) company. Exaopc is an OPC data access server. Version 71.02 and earlier, B/M9000CS R5.05.01 and earlier, B/M9000 VP R7.03.0 and earlier

Unspecified vulnerability on HP 8/20q switches, SN6000 switches, and 8Gb Simple SAN Connection Kit with firmware before 8.0.14.08.00 allows remote authenticated users to obtain sensitive information via unknown vectors. HP H-series Fibre Channel Switches is a Fibre Channel switch device. Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04277407 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04277407 Version: 1 HPSBST03038 rev.1 - HP H-series Fibre Channel Switches, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-05-09 Last Updated: 2014-05-09 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with certain HP H-series Fibre Channel Switches. This vulnerability could be exploited remotely to disclose information. References: CVE-2014-2603, SSRT101555 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Follow the steps below to obtain the firmware update. Download the updated firmware from the following HP website: Go to the HP Support Center home page at http://www.hp.com/go/hpsc In left navigation panel under DOWNLOAD OPTIONS , click Drivers, Software & Firmware Under All HP products, click Storage Under Storage, click Storage Networking. Under Storage Networking, click H-series Switches. Under H-series Switches, click H-series SAN Switches. Under H-series SAN Switches, click your switch product. Under your switch product, click your switch model from the list of impacted products Under operating system, click Cross operating system (BIOS, Firmware, Diagnostics, etc.) In the Description column of the table under Firmware, click Firmware for the HP H-series Fibre Channel Switches for version v8.0.14.08.00 or newer/ Click Download to obtain the firmware HISTORY Version:1 (rev.1) - 9 May 2014 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iEYEARECAAYFAlNtCfoACgkQ4B86/C0qfVnYygCdEi4Z+Ni/od5CAxa/+2TR0wTj mioAoJ7jTVn91GSnYF+Q1x76vWzzPfn6 =qBPv -----END PGP SIGNATURE-----

SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests. Authentication is not required to exploit this vulnerability. The specific flaw exists within the data source templating. CSWorks does not properly sanitize or validate the data used to construct read and write paths which can lead to SQL injection. An attacker may be able to leverage this vulnerability to achieve remote code execution. CSWorks is a software architecture for building WEB-based HMI, SCADA and M2M industrial automation solutions. CSWorks is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, to access or modify data, or to exploit vulnerabilities in the underlying database. CSWorks 2.5.5050.0 and prior are vulnerable

D-Link DIR-652 is a router product of D-Link. Many D-Link routers have the following security vulnerabilities: 1. Password leakage vulnerability 2. Cross-site scripting vulnerability 3. Information disclosure vulnerability. Attackers can use these vulnerabilities to execute HTML and arbitrary script code on the user's browser in the context of the affected device, steal cookie-based authentication, or gain access to sensitive information. The following models are affected: D-Link DIR-652, DIR-835, DIR-855L, DGL-5500, DHP-1565. Other attacks are also possible. The following five D-Link model routers suffer from several vulnerabilities including Clear Text Storage of Passwords, Cross Site Scripting and Sensitive Information Disclosure. DIR-652 D-Link Wireless N Gigabit Home Router DIR-835 D-Link Network DIR-835L Wireless N 750M Dual-band 802.11n 4Port Gigabit Router DIR-855L - D-Link Wireless N900 Dual Band Gigabit Router DGL-5500 D-Link AC1300 Gaming Router DHP-1565 D-Link Wireless N PowerLine Gigabit Router Affected firmware - FW 1.02b18/1.12b02 or older Access - Remote Complexity - Low Authentication - None Impact - Full loss of confidentiality ------------------------------------------------------------------------------------------------------------- Clear Text Password - CWE - CWE-316: Cleartext Storage of Sensitive Information Authentication can be bypassed to gain access to the file tools_admin.asp, which stores the devices admin password in plain text, by adding a "/" to the end of the URL. Proof of Concept for the DGL-5500, DIR-855L and the DIR-835: curl -s http://<IP>/tools_admin.asp/ |awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}' PoC for the DHP-1565 and DIR-652, the generic 'user' must be added. curl -s http://<IP>/tools_admin.asp/ -u user:|awk '/hidden/ && /admin_password_tmp/ && /value/ {print $5}' ------------------------------------------------------------------------------------------------------------- Cross Site Scripting - CWE - CWE-79: Improper Neutralization of User Input / Return For the file "apply.cgi" ("apply_sec.cgi" on the DGL-5500) the POST param "action" suffers from a XSS vulnerability due to improper neutralization of user input / return output. PoC for DIR-855L, DIR-835, DHP-1565 http://<IP>/apply.cgi POST graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D HTTP/1.1 For the DGL-5500 http://<IP>/apply_sec.cgi POST graph_code=X&session_id=123456&login_n=user&login_name=8&action=%3Cbody%3E%3Chtml%3E%3Ch2%3E%3CEMBED%20src%3D%22%3Ctd%20dir%3D%22rtl%22class%3D%22skytext%22width%3D%2277%25%22%3E%3Cmarquee%20%20%20scrollAmount%3D5%20scrollDelay%3D10%20direction%3D%22right%22style%3D%22color%3Ared%3Bfont-weight%3Abold%3B%22%3ESquirrel%20Injection%22%3C%2fh2%3E%3C%2fmarquee%3E%20%3C%2fbody%3E%3C%2fhtml%3E%3C%2ftd%3E%3E&log_pass=&html_response_page=login_pic.asp&tmp_log_pass=&gcode_base64=MTg0MzU%3D HTTP/1.1 ------------------------------------------------------------------------------------------------------------- Sensitive Information Disclosure - CWE - CWE-200: Information Exposure The D-Link models DGL-5500, DIR-855L, DIR-835 suffer from a vulnerability which an unauthenticated person can gain access the sensitive files: http://<IP>:8080/hnap.cgi and /HNAP1/ via: curl -s curl -s http://<IP>:8080/HNAP1/ On the DIR-652 and DHP-1565, a user needs authentication first to gain access to these files. But more importantly, an unauthenticated user can browse directly to http://<IP>/cgi/ssi/ which will offer a download of the device's ELF MBS MIPS file. The file contains most of the devices internal working structure and sensitive information. These particular routers use a MSB EM_MIPS Processor and it does contain executable components. The file can be accessed through at least one known cgi file, however there maybe others. Although no known publicly working example exist to my knowledge, unpatched devices are susceptible to injection of malicious code and most likely susceptible to a payload which could deploy a self-replicating worm. ------------------------------------------------------------------------------------------------------------- These items were reported to D-Link on April 20th, and to US Cert on April 21. D-Link does have patches available for all affected models, and it is highly recommended to update the device's firmware as soon as possible. Vendor Links: http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10025 http://securityadvisories.dlink.com/security/ Research Contact - Kyle Lovett May 21, 2014

Foscam IP camera 11.37.2.49 and other versions, when using the Foscam DynDNS option, generates credentials based on predictable camera subdomain names, which allows remote attackers to spoof or hijack arbitrary cameras and conduct other attacks by modifying arbitrary camera records in the Foscam DNS server. FOSCAM IP-Cameras is a webcam device. An information disclosure vulnerability exists in Foscam IP Camera version 11.37.2.49. When using the Foscam DynDNS option, the program uses the camera subdomain as the username and password. An attacker can exploit this issue to gain access to sensitive information and perform certain unauthorized actions; this may lead to further attacks

Multiple SQL injection vulnerabilities in the administration login page in D-Link DAP-1350 (Rev. A1) with firmware 1.14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password. D-Link DAP-1350 (Rev. The D-Link DAP-1350 is a router device. The D-Link DAP-1350 login page failed to properly filter user-submitted input, allowing remote attackers to exploit exploits to submit specially crafted SQL queries to bypass authentication. D-Link DAP-1350 is prone to an SQL-injection vulnerability. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Version prior to D-Link DAP-1350 1.14 (HW version A1). D-Link DAP-1350 is a wireless access device product of D-Link

The iControl API in F5 BIG-IP LTM, APM, ASM, GTM, Link Controller, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, BIG-IP AAM 11.4.0 through 11.5.1, BIG-IP AFM and PEM 11.3.0 through 11.5.1, BIG-IP Analytics 11.0.0 through 11.5.1, BIG-IP Edge Gateway, WebAccelerator, WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, Enterprise Manager 2.1.0 through 2.3.0 and 3.0.0 through 3.1.1, and BIG-IQ Cloud, Device, and Security 4.0.0 through 4.3.0 allows remote administrators to execute arbitrary commands via shell metacharacters in the hostname element in a SOAP request. plural F5 BIG-IP Series and BIG-IQ Family product iControl API Contains a vulnerability that allows arbitrary command execution. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. http://cwe.mitre.org/data/definitions/77.htmlBy a remote administrator SOAP An arbitrary command may be executed via a shell metacharacter in the hostname element of the request. F5 BIG-IP is a device product for application delivery services manufactured by F5 Network, which is mainly used for load balancing, business acceleration optimization and other purposes. A remote command injection vulnerability exists in multiple F5 BIG-IP products. Because the product fails to effectively filter the data provided through the iControl connection, this allows an attacker with a valid administrator account to exploit the vulnerability to access arbitrary commands on the affected system by accessing iControl. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks

Cisco WebEx Recording Format (WRF) player and Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T28 before T28.12, and T29 before T29.2 allow remote attackers to cause a denial of service (application crash) via a crafted (1) .wrf or (2) .arf file that triggers a buffer over-read, aka Bug ID CSCuh52768. Cisco WebEx WRF and ARF Players are prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCuh52768

Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T28 before T28.12, and T29 before T29.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .arf file that triggers improper LZW decompression, aka Bug ID CSCuj87565. Cisco Advanced Recording Format (ARF) Player Contains a buffer overflow vulnerability. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug ID CSCuj87565

Heap-based buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T28 before T28.12, and T29 before T29.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted audio channel in a .wrf file, aka Bug ID CSCuc39458. Cisco WebEx Recording Format (WRF) Player Contains a heap-based buffer overflow vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions

Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T28 before T28.12, and T29 before T29.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .arf file, aka Bug IDs CSCul87216 and CSCuj07603. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug IDs CSCul87216, CSCuj07603

Buffer overflow in Cisco Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T28 before T28.12, and T29 before T29.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .arf file, aka Bug IDs CSCui72223, CSCul01163, and CSCul01166. An attacker could exploit this issue to crash the affected player causing denial-of-service conditions or execute arbitrary code in context of the user. This issue is being tracked by Cisco Bug IDs CSCui72223, CSCul01163, CSCul0116

Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition. Apple iOS is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect CoreGraphics, Lockdown, Lock Screen, Mail, Safari, Settings, and Siri. Attackers can exploit these issues to execute arbitrary code, cause denial-of-service conditions, gain unauthorized access, obtain sensitive information, bypass security restrictions, and perform other attacks. These issues affect iOS Prior to 7.1.2. Information obtained may aid in further attacks. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list. A maliciously crafted URL could have led to sending an incorrect postMessage origin. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2014-09-17-1 iOS 8 iOS 8 is now available and addresses the following: 802.1X Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker can obtain WiFi credentials Description: An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods. This issue was addressed by disabling LEAP by default. CVE-ID CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim Lamotte of Universiteit Hasselt Accounts Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to identify the Apple ID of the user Description: An issue existed in the access control logic for accounts. A sandboxed application could get information about the currently-active iCloud account, including the name of the account. This issue was addressed by restricting access to certain account types from unauthorized applications. CVE-ID CVE-2014-4423 : Adam Weaver Certificate Trust Policy Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Update to the certificate trust policy Description: The certificate trust policy was updated. The complete list of certificates may be viewed at http://support.apple.com/kb/HT5012. Accessibility Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: The device may not lock the screen when using AssistiveTouch Description: A logic issue existed in AssistiveTouch's handling of events, which resulted in the screen not locking. This issue was addressed through improved handling of the lock timer. CVE-ID CVE-2014-4368 : Hendrik Bettermann Accounts Framework Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with access to an iOS device may access sensitive user information from logs Description: Sensitive user information was logged. This issue was addressed by logging less information. CVE-ID CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group Address Book Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to an iOS device may read the address book Description: The address book was encrypted with a key protected only by the hardware UID. This issue was addressed by encrypting the address book with a key protected by the hardware UID and the user's passcode. CVE-ID CVE-2014-4352 : Jonathan Zdziarski App Installation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local attacker may be able to escalate privileges and install unverified applications Description: A race condition existed in App Installation. An attacker with the capability of writing to /tmp may have been able to install an unverified app. This issue was addressed by staging files for installation in another directory. CVE-ID CVE-2014-4386 : evad3rs App Installation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local attacker may be able to escalate privileges and install unverified applications Description: A path traversal issue existed in App Installation. A local attacker could have retargeted code signature validation to a bundle different from the one being installed and cause installation of an unverified app. This issue was addressed by detecting and preventing path traversal when determining which code signature to verify. CVE-ID CVE-2014-4384 : evad3rs Assets Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may be able to cause an iOS device to think that it is up to date even when it is not Description: A validation issue existed in the handling of update check responses. Spoofed dates from Last-Modified response headers set to future dates were used for If-Modified-Since checks in subsequent update requests. This issue was addressed by validation of the Last-Modified header. CVE-ID CVE-2014-4383 : Raul Siles of DinoSec Bluetooth Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Bluetooth is unexpectedly enabled by default after upgrading iOS Description: Bluetooth was enabled automatically after upgrading iOS. This was addressed by only turning on Bluetooth for major or minor version updates. CVE-ID CVE-2014-4354 : Maneet Singh, Sean Bluestein CoreGraphics Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program CoreGraphics Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or an information disclosure Description: An out of bounds memory read existed in the handling of PDF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with the iSIGHT Partners GVP Program Data Detectors Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Tapping on a FaceTime link in Mail would trigger a FaceTime audio call without prompting Description: Mail did not consult the user before launching facetime-audio:// URLs. This issue was addressed with the addition of a confirmation prompt. CVE-ID CVE-2013-6835 : Guillaume Ross Foundation Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application using NSXMLParser may be misused to disclose information Description: An XML External Entity issue existed in NSXMLParser's handling of XML. This issue was addressed by not loading external entities across origins. CVE-ID CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/) Home & Lock Screen Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A background app can determine which app is frontmost Description: The private API for determining the frontmost app did not have sufficient access control. This issue was addressed through additional access control. CVE-ID CVE-2014-4361 : Andreas Kurtz of NESO Security Labs and Markus TroBbach of Heilbronn University iMessage Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Attachments may persist after the parent iMessage or MMS is deleted Description: A race condition existed in how attachments were deleted. This issue was addressed by conducting additional checks on whether an attachment has been deleted. CVE-ID CVE-2014-4353 : Silviu Schiau IOAcceleratorFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An application may cause an unexpected system termination Description: A null pointer dereference existed in the handling of IOAcceleratorFamily API arguments. This issue was addressed through improved validation of IOAcceleratorFamily API arguments. CVE-ID CVE-2014-4369 : Catherine aka winocm IOAcceleratorFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: The device may unexpectedly restart Description: A NULL pointer dereference was present in the IntelAccelerator driver. The issue was addressed by improved error handling. CVE-ID CVE-2014-4373 : cunzhang from Adlab of Venustech IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to read kernel pointers, which can be used to bypass kernel address space layout randomization Description: An out-of-bounds read issue existed in the handling of an IOHIDFamily function. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4379 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A heap buffer overflow existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4404 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A null pointer dereference existed in IOHIDFamily's handling of key-mapping properties. This issue was addressed through improved validation of IOHIDFamily key-mapping properties. CVE-ID CVE-2014-4405 : Ian Beer of Google Project Zero IOHIDFamily Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds write issue existed in the IOHIDFamily kernel extension. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4380 : cunzhang from Adlab of Venustech IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to read uninitialized data from kernel memory Description: An uninitialized memory access issue existed in the handling of IOKit functions. This issue was addressed through improved memory initialization CVE-ID CVE-2014-4407 : @PanguTeam IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4418 : Ian Beer of Google Project Zero IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A validation issue existed in the handling of certain metadata fields of IODataQueue objects. This issue was addressed through improved validation of metadata. CVE-ID CVE-2014-4388 : @PanguTeam IOKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2014-4389 : Ian Beer of Google Project Zero Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to determine kernel memory layout Description: Multiple uninitialized memory issues existed in the network statistics interface, which led to the disclosure of kernel memory content. This issue was addressed through additional memory initialization. CVE-ID CVE-2014-4371 : Fermin J. Serna of the Google Security Team CVE-2014-4419 : Fermin J. Serna of the Google Security Team CVE-2014-4420 : Fermin J. Serna of the Google Security Team CVE-2014-4421 : Fermin J. Serna of the Google Security Team Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with a privileged network position may cause a denial of service Description: A race condition issue existed in the handling of IPv6 packets. This issue was addressed through improved lock state checking. CVE-ID CVE-2011-2391 : Marc Heuse Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-ID CVE-2014-4375 : an anonymous researcher Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel Description: An out-of-bounds read issue existed in rt_setgate. This may lead to memory disclosure or memory corruption. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4408 Kernel Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Some kernel hardening measures may be bypassed Description: The random number generator used for kernel hardening measures early in the boot process was not cryptographically secure. Some of its output was inferable from user space, allowing bypass of the hardening measures. This issue was addressed by using a cryptographically secure algorithm. CVE-ID CVE-2014-4422 : Tarjei Mandt of Azimuth Security Libnotify Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An out-of-bounds write issue existed in Libnotify. This issue was addressed through improved bounds checking. CVE-ID CVE-2014-4381 : Ian Beer of Google Project Zero Lockdown Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A device can be manipulated into incorrectly presenting the home screen when the device is activation locked Description: An issue existed with unlocking behavior that caused a device to proceed to the home screen even if it should still be in an activation locked state. This was addressed by changing the information a device verifies during an unlock request. CVE-ID CVE-2014-1360 Mail Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Login credentials can be sent in plaintext even if the server has advertised the LOGINDISABLED IMAP capability Description: Mail sent the LOGIN command to servers even if they had advertised the LOGINDISABLED IMAP capability. This issue is mostly a concern when connecting to servers that are configured to accept non- encrypted connections and that advertise LOGINDISABLED. This issue was addressed by respecting the LOGINDISABLED IMAP capability. CVE-ID CVE-2014-4366 : Mark Crispin Mail Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A person with physical access to an iOS device may potentially read email attachments Description: A logic issue existed in Mail's use of Data Protection on email attachments. This issue was addressed by properly setting the Data Protection class for email attachments. CVE-ID CVE-2014-1348 : Andreas Kurtz of NESO Security Labs Profiles Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Voice Dial is unexpectedly enabled after upgrading iOS Description: Voice Dial was enabled automatically after upgrading iOS. This issue was addressed through improved state management. CVE-ID CVE-2014-4367 : Sven Heinemann Safari Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: User credentials may be disclosed to an unintended site via autofill Description: Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame. This issue was addressed through improved origin tracking. CVE-ID CVE-2013-5227 : Niklas Malmgren of Klarna AB Safari Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: An attacker with a privileged network position may intercept user credentials Description: Saved passwords were autofilled on http sites, on https sites with broken trust, and in iframes. This issue was addressed by restricting password autofill to the main frame of https sites with valid certificate chains. CVE-ID CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford University working with Eric Chen and Collin Jackson of Carnegie Mellon University Sandbox Profiles Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Apple ID information is accessible by third-party apps Description: An information disclosure issue existed in the third- party app sandbox. This issue was addressed by improving the third- party sandbox profile. CVE-ID CVE-2014-4362 : Andreas Kurtz of NESO Security Labs and Markus TroBbach of Heilbronn University Settings Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Text message previews may appear at the lock screen even when this feature is disabled Description: An issue existed in the previewing of text message notifications at the lock screen. As a result, the contents of received messages would be shown at the lock screen even when previews were disabled in Settings. The issue was addressed through improved observance of this setting. CVE-ID CVE-2014-4356 : Mattia Schirinzi from San Pietro Vernotico (BR), Italy syslog Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A local user may be able to change permissions on arbitrary files Description: syslogd followed symbolic links while changing permissions on files. This issue was addressed through improved handling of symbolic links. CVE-ID CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech Information Security Center (GTISC) Weather Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Location information was sent unencrypted Description: An information disclosure issue existed in an API used to determine local weather. This issue was addressed by changing APIs. WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A malicious website may be able to track users even when private browsing is enabled Description: A web application could store HTML 5 application cache data during normal browsing and then read the data during private browsing. This was addressed by disabling access to the application cache when in private browsing mode. CVE-ID CVE-2014-4409 : Yosuke Hasegawa (NetAgent Co., Led.) WebKit Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2013-6663 : Atte Kettunen of OUSPG CVE-2014-1384 : Apple CVE-2014-1385 : Apple CVE-2014-1387 : Google Chrome Security Team CVE-2014-1388 : Apple CVE-2014-1389 : Apple CVE-2014-4410 : Eric Seidel of Google CVE-2014-4411 : Google Chrome Security Team CVE-2014-4412 : Apple CVE-2014-4413 : Apple CVE-2014-4414 : Apple CVE-2014-4415 : Apple WiFi Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later Impact: A device may be passively tracked by its WiFi MAC address Description: An information disclosure existed because a stable MAC address was being used to scan for WiFi networks. This issue was addressed by randomizing the MAC address for passive WiFi scans. Note: iOS 8 contains changes to some diagnostic capabilities. For details, please consult http://support.apple.com/kb/HT6331 iOS 8 now permits devices to untrust all previously trusted computers. Instructions can be found at http://support.apple.com/kb/HT5868 Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "8". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJUGNl6AAoJEBcWfLTuOo7tD0oP/2QjJQxEaVKH5GhKX7HTLB9e W2oU7kHqds6p9HQg3iw9SXs/c03EH2++Tf5+Kul8V94QZB2jD4T28MUctAjrvSX7 rHRTPFJn8dm6Dr/zReon3q6ph8PlnDGySJLON/RwrSwHpWcd8wA4uCC6gTPur3T9 tNfPrkT+b4iO4QsSLQaK6bJqTFmWruqEFwdXmtOY8qYOsEANMr9HPdm9WwEcdQaZ tZZpa1FU4jIdfHZw18a3rzQ1LW4OO9fWbihKRgY8xq+Q8+Cs/EnY9hCIN0jl0OHm TMvKojeO4CCBAKpwUQOVERkI4Oc7Ux6GefT84ttYu095KzmZVjq9yWmi0FcBAVMV s32YL/alCNm86uNvxvkAvWJ3ZeZymuoTZHoNX5YNGIhuunRZONK94ay1RtYMdWPl iesWma7tn9g/xMWRaDKfRy2vtUuetBVxiaAr3AqvMp+mx0lmmLOO8x1SxeKe+QUy HO1O1DVAWPv2JIEf7mstDBHfQKYBRcgM3P4DJAgkrgH42ZNWb06ZyQhpAvFLVncD g2/Q0cwUlPOvdNKxoUD3IVVwPZeIefw3vqrSHXSQPpIMkJJFrBbIB8v6nnkheebg h5bPWfIxP0wuBjWz8SjOlPaSjxNxpmHK3H0tLU1q6TneBlmte405ytT4zSI7bvOY ZZCDpw0BRMEXUyXqTns7 =hlmW -----END PGP SIGNATURE-----

Cisco Adaptive Security Appliance (ASA) Software allows remote authenticated users to read files by sending a crafted URL to the HTTP server, as demonstrated by reading the running configuration, aka Bug ID CSCun78551. An attacker can exploit exploit this issue to gain access to files stored on the device file system, which may lead to further attacks. This issue is tracked by Cisco BugId CSCun78551

Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Broadcast Access Center for Telco and Wireless (aka BAC-TW) allows remote attackers to hijack the authentication of arbitrary users for requests that make BAC-TW changes, aka Bug IDs CSCuo23804 and CSCuo26389. Vendors have confirmed this vulnerability Bug IDs CSCuo23804 and CSCuo26389 It is released as.A third party is hijacking the authentication of any user, BAC-TW Is subject to change. Cisco Broadband Access Center (BAC) is a decentralized, strippable, signer device hypervisor that implements automated user traffic management through the provision of user services. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCuo23804 and CSCuo26389. A remote attacker could exploit this vulnerability to modify BAC-TW

Cross-site scripting (XSS) vulnerability in the web framework in Cisco Broadcast Access Center for Telco and Wireless (aka BAC-TW) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun91113. Vendors have confirmed this vulnerability CSCun91113 It is released as.By any third party through unspecified parameters Web Script or HTML May be inserted. Cisco Broadband Access Center (BAC) is a decentralized, strippable, signer device hypervisor that implements automated user traffic management through the provision of user services. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCun91113

CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. This vulnerability CVE-2014-0113 Vulnerability due to insufficient fix for.Through a crafted request by a third party, ClassLoader The " operation " And the session state may change. Apache Struts is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. Apache Struts versions 2.0.0 through 2.3.16.2 are vulnerable