BenTasker.co.uk

Home
Blog
Whitepapers
Documentation
Shop
Feeds
Photography

Home / Blog / Security

Latest Posts

Google, Cloudflare and GDPR - my quandry
Volvo S60: Intercooler Replacement
Volvo S60: Lower Control arm and Balljoint Replacement
Changes to BenTasker.co.uk
An Open Letter on Medicinal Cannabis in the UK

Security

A guide to designing Account Security Mechanisms	26 March 2017
Don't Use Web2Tor/Tor2Web (especially Onion.cab)	04 March 2017
The State of Mobile Banking (in the UK)	21 June 2016
The DVLA is routinely sending sensitive details via email	28 December 2014
Understanding Password Storage	22 June 2014
My Own Little HeartBleed Headache	19 April 2014
Why You Shouldn't be using SHA1 or MD5 to Store Passwords	07 June 2013
Darkleech Apache attacks on the rise, but is it really that hard to detect?	02 May 2013
Republished: Tips for fighting password theft	16 May 2012
Republished: Why you should never share Login Details	16 May 2012

Page 1 of 3

Start
Prev
1
2
3
Next
End

Recent CVEs

CVE-2010-0432 (ofbiz)
CVE-2012-1621 (ofbiz)
CVE-2013-6876 (s3dvt)
CVE-2014-0158 (openjpeg, opensuse)
CVE-2014-0883 (power_hardware_management_console)
CVE-2014-1226 (s3dvt)
CVE-2014-1398 (entity_api, fedora)
CVE-2014-1399 (entity_api, fedora)
CVE-2014-1400 (entity_api, fedora)
CVE-2014-1686 (mediawiki)

Return to listing

CVE-2010-0432 (ofbiz)

Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus.

CVE-2012-1621 (ofbiz)

Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information.

CVE-2013-6876 (s3dvt)

The (1) pty_init_terminal and (2) pipe_init_terminal functions in main.c in s3dvt 0.2.2 and earlier allows local users to gain privileges by leveraging setuid permissions and usage of bash 4.3 and earlier. NOTE: this vulnerability was fixed with commit ad732f00b411b092c66a04c359da0f16ec3b387, but the version number was not changed.

CVE-2014-0158 (openjpeg, opensuse)

Heap-based buffer overflow in the JPEG2000 image tile decoder in OpenJPEG before 1.5.2 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file because of incorrect j2k_decode, j2k_read_eoc, and tcd_decode_tile interaction, a related issue to CVE-2013-6045. NOTE: this is not a duplicate of CVE-2013-1447, because the scope of CVE-2013-1447 was specifically defined in http://openwall.com/lists/oss-security/2013/12/04/6 as only "null pointer dereferences, division by zero, and anything that would just fit as DoS."

CVE-2014-0883 (power_hardware_management_console)

Cross-site scripting (XSS) vulnerability in IBM Power Hardware Management Console (HMC) 7R7.1.0, 7R7.2.0, 7R7.3.0 through 7R7.3.5, 7R7.7.0 through SP3, and 7R7.8.0 before SP1 allows remote attackers to inject arbitrary web script or HTML via the user name on the logon screen. IBM X-Force ID: 91163.

CVE-2014-1226 (s3dvt)

The pipe_init_terminal function in main.c in s3dvt allows local users to gain privileges by leveraging setuid permissions and usage of bash 4.3 and earlier. NOTE: This vulnerability exists because of an incomplete fix for CVE-2013-6876.

CVE-2014-1398 (entity_api, fedora)

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors.

CVE-2014-1399 (entity_api, fedora)

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors.

CVE-2014-1400 (entity_api, fedora)

The entity_access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions and read unpublished comments via unspecified vectors.

CVE-2014-1686 (mediawiki)

MediaWiki 1.18.0 allows remote attackers to obtain the installation path via vectors related to thumbnail creation.

Latest Posts

Google, Cloudflare and GDPR - my quandry
Volvo S60: Intercooler Replacement
Volvo S60: Lower Control arm and Balljoint Replacement
Changes to BenTasker.co.uk
An Open Letter on Medicinal Cannabis in the UK

License Details
Privacy Policy
Cookies
Stored Data
Sitemap

Donations BTC: 14hJYqCNLi7yJH8QkUqB2VEg3jx4pXBN5X / https://paypal.me/BTasker

Based on a template by JoomSpirit, customised by B Tasker

JoomSpirit

About this template