TechMedia – Page 81986

[cakephp/cakephp] CakePHPallows remote attackers to read arbitrary files via XML data containing external entity references

The Xml class in CakePHP 2.1.x before 2.1.5 and 2.2.x before 2.2.1 allows remote attackers to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
References

https://nvd.nist.gov/v…

[sup] Sup Code Injection vulnerability

Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-4478
https://github.com/sup-heli…

[fat_free_crm] Fat Free CRM vulnerable to Exposure of Sensitive Information

Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.
References

…

[fat_free_crm] Fat Free CRM has fixed token value

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.
References

…

[fat_free_crm] Fat Free CRM contains Cross-site Request Forgery vulnerablilities

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controlle…

[fat_free_crm] Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.
References

https://nvd.nist.gov/vuln/detail/CVE-2013-72…

[fat_free_crm] Fat Free CRM vulnerable to SQL Injection

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.
References
…

[fat_free_crm] Fat Free CRM subject to Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) c…

[sup] Sup Code Injection vulnerability

lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
References

https://nvd.nist.gov/vuln/detail/CVE-2013…

[org.jboss.resteasy:resteasy-client] JacksonJsonpInterceptor susceptible to cross-site script inclusion (XSSI) attack

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
References

https://nvd.nist.gov/vuln/detail/CVE-2016-6348
https://bugzilla.redhat.com/show_bug.cgi?id=1372129
https://github.com/a…