News & Events

News in category "Advisories"

Advisories

Jirafeau Version 3.3.0 – Multiple Vulnerabilities

Jirafeau is an open source file sharing web application, distributed under an AGPL version 3 license. It is a fork of the project Jyraphe and allows users to share files for a defined period and protect downloads via a password. The project’s official website is gitlab.com/mojo42/Jirafeau. The latest version of the application is 3.3.0, released on September 8, 2017. Ten vulnerabilities were identified within the Jirafeau web application – five cross-site scripting vulnerabilities (two stored and three reflected) as well as five cross-site request forgery vulnerabilities.

Application Security, Cross-Site Request Forgery, Cross-Site Scripting

Advisories

SolarWinds Log & Event Manager – Arbitrary Command Injection

The Bishop Fox assessment team discovered an arbitrary command injection vulnerability within the SolarWinds’ Log & Event Manager (LEM) management console (CMC). The CMC is a restricted environment providing functionality for upgrading or maintaining LEM appliances. This vulnerability allows an authenticated user to bypass restrictions imposed by the CMC and execute arbitrary commands on the vulnerable system as the root user.

Command Injection, SolarWinds

Advisories

SolarWinds Log & Event Manager – Improper Access Control

An improper access control vulnerability was discovered in the SolarWinds’ Log & Event Manager (LEM) management console (CMC). The CMC is a restricted environment providing functionality for upgrading or maintaining LEM appliances. This vulnerability allows an authenticated user to bypass restrictions imposed by the CMC and browse the underlying server’s filesystem, as well as read the contents of arbitrary files contained within.

Improper Access Control, SolarWinds

Advisories

LastPass Site Password-Stealing Clickjacking Vulnerability

LastPass, a popular password management service with extensions for Firefox, Chrome, and Internet Explorer, suffers from a clickjacking vulnerability. It can be exploited on sites without proper X-Frame-Options headers to steal passwords. The password autofill dialogue can be overlaid with a deceptive webpage that tricks users into copying and then pasting passwords into an attacker’s site.

Clickjacking, LastPass