Multiple vulnerabilities were identified in Aruba AP, IAP and AMP devices. The vulnerabilities were discovered during a black box security assessment and therefore the vulnerability list should not be considered exhaustive. Several of the high severity vulnerabilities listed in this report are related to the Aruba proprietary PAPI protocol and allow remote compromise of affected devices.
3a3494bcdbe8f6b8c31c2a7fca58aaa5c1af0d80362f0ec65e759ae54b68b2acThis Metasploit module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. Tested on Linux, BSD, and OS X. You'll want to choose your payload carefully due to portability concerns. Use cmd/unix/generic if need be.
b4c6b0e7acc235fa1688e82fff7eedb021357977c009bfb8d3faf0171a733bf1This Metasploit module exploits a remote code execution feature of the Ruby on Rails framework. This feature is exposed if the config.web_console.whitelisted_ips setting includes untrusted IP ranges and the web-console gem is enabled.
5ca760de5b992f66e42849ecba672747e9368e98103288a44aa0f05280828b67HP Security Bulletin HPSBMU03584 1 - A vulnerability in Apache Commons Collections (ACC) for handling Java object deserialization and other vulnerabilities have been addressed by HPE Network Node Manager I (NNMi). These vulnerabilities could be remotely exploited resulting in arbitrary code execution, authentication bypass, Cross-Site Scripting (XSS), disclosure of information, or unauthorized access. Revision 1 of this advisory.
6932fc27d76b223b26811fd1c8109ff2788f5efa3128f0e68d7559f74346f341Debian Linux Security Advisory 3570-1 - Blake Burkhart discovered an arbitrary code execution flaw in Mercurial, a distributed version control system, when using the convert extension on Git repositories with specially crafted names. This flaw in particular affects automated code conversion services that allow arbitrary repository names.
5ee35477cc8c27ba9e76dbf6cf3f79be71dfe919bab4cfba87ba09a641932adeApple Security Advisory 2016-05-03-1 - Xcode 7.3.1 is now available and addresses a heap-based buffer overflow vulnerability.
de7ad5b8d22c9f8865c6a0c295ca9fbf8e157d1ed947788a5de45f67ca0e0e1eFaraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
8e785b00507681b7c2585044c035db5d62dd4e8fd2d90d57728b3e238f817d7a
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed