I'm proud to announce that the MITRE CVE Numbering Authority has assigned me eleven (11) CVE numbers for vulnerabilities that I've discovered in the last few days. In detail:
DFLabs PTK <= 1.0.5:
- CVE-2012-1415 for Multiple Vulnerabilities (Steal Authentication Credentials)
Fork CMS <= 3.2.5:
- CVE-2012-1306 for “Delete Admins or Users” and “Delete Web Pages” issues.
- CVE-2012-1307 for “poor logic to manage sessions” form_token issue.
- CVE-2012-1304 for XSS into private/en/blog/settings and private/en/users/index issues.
- CVE-2012-1305 for XSS into private/en/pages/settings issue.
D-Link DSL-2640B (ADSL Router):
- CVE-2012-1308 for CSRF Vulnerability
- CVE-2012-1309 for Authentication Bypass
ContaoCMS (fka TYPOlight) <= 2.11:
- CVE-2012-1297 for CSRF (Delete Admin / Delete Article)
SyndeoCMS <= 3.0:
- CVE-2012-1203 for CSRF Vulnerability
SocialCMS <= 1.0.2:
- CVE-2012-1416 for CSRF Vulnerabilities
PlumeCMS <= 1.2.4:
- CVE-2012-1414 for CSRF Vulnerability
Kaspersky Lab published my new Advisory regarding a new vulnerability which affects all versions of Webfolio CMS.
To read my original advisory:
Secunia has published my new security advisory regarding a new vulnerability found in the latest release (and lower) of Contao CMS (fka TYPOlight). This vulnerability allows an attacker to delete administrators/users, articles, news and newsletters, and to modify many other parameters.
To read Secunia’s Advisory:
To learn more about my original advisory:
Today Secunia published my security advisory regarding a new vulnerability found in Webfolio CMS which allows an attacker to add a new administrator account, modify published web pages and change many other parameters in the latest release (and below) of Webfolio CMS.
To read Secunia’s Advisory:
To learn more about my original advisory:
Today I've discovered a new CSRF vulnerability which affects WebfolioCMS 1.1.4 (and lower) and which allows an attacker to modify any parameter. In my advisory I've demonstrated how to add a new administrator account and how to modify a published web page.
Download my Original Advisory
Some other publications related to this vulnerability:
OSVDB (the well-known vulnerability database sponsored by Nessus) has published my advisory related to SyndeoCMS.
For more details about the OSVDB 79410 advisory:
My original Advisory:
Yesterday IBM X-Force published my advisory regarding a new CSRF vulnerability that I've found in SyndeoCMS: http://ivanobinetti.blogspot.com/2012/02/syndeocms-30-csrf-vulnerability.html
This vulnerability allows an attacker to change administrator password and gain access to the system.
IBM classified this vulnerability as “Highly Exploitable”.
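The CSRF reports on this page (Webfolio CMS, SyndeoCMS, Plume CMS, Contao) share one root cause: a state-changing admin action that trusts the session cookie alone, so any page the logged-in administrator visits can submit the form for them. The Fork CMS form_token issue is the other side of the same coin: a token that exists but is not properly bound to the session. The block below is an added example written for this page, not code from any of the products or advisories named here. It models a hypothetical "change administrator password" handler twice, once without a token and once with a per-session synchronizer token, and then drives both with a constructed forged request (cookie present, token absent), a legitimate request, and a request that replays a token belonging to a different session. All class, route and user names are assumptions.

```python
"""
Added example for this page: why a cookie-only admin action is CSRF-able and
what a per-session token check looks like. Hypothetical app; not the code of
Webfolio CMS, SyndeoCMS, Plume CMS, Contao or Fork CMS.
"""
import hmac
import secrets


class Session:
    """Server-side session: the user it belongs to and a random CSRF token
    that is generated once per session and never sent to other origins."""
    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(32)


class Request:
    """Constructed stand-in for an HTTP POST: the session the browser's
    cookie resolves to, plus the form fields the submitting page supplied."""
    def __init__(self, session, form):
        self.session = session
        self.form = form


class VulnerableAdmin:
    """The pattern behind the CSRF reports above: authorisation is decided
    purely from the session cookie, which the victim's browser attaches to
    a POST no matter which site built the form."""
    def __init__(self):
        self.passwords = {"admin": "original"}

    def change_password(self, req):
        if req.session is None or req.session.user != "admin":
            return "forbidden"
        self.passwords["admin"] = req.form["new_password"]
        return "changed"


class HardenedAdmin(VulnerableAdmin):
    """Same handler with a synchronizer token. The form must echo the secret
    held in the server-side session; a page on another origin can neither
    read that value nor guess it, and hmac.compare_digest avoids leaking it
    through timing."""
    def change_password(self, req):
        if req.session is None or req.session.user != "admin":
            return "forbidden"
        supplied = req.form.get("form_token", "")
        if not hmac.compare_digest(supplied, req.session.csrf_token):
            return "csrf_rejected"
        return super().change_password(req)


def forged_request(victim_session):
    """What an attacker-controlled page can submit: the cookie rides along,
    but the page has no way to know the victim's token."""
    return Request(victim_session, {"new_password": "attacker"})


def legitimate_request(session):
    """The real admin form, rendered by the server with the session's token."""
    return Request(session, {"new_password": "rotated",
                             "form_token": session.csrf_token})


def cross_session_request(victim_session, other_session):
    """Replaying a token that is valid for some other session. This is the
    case a token check that is not bound to the session gets wrong."""
    return Request(victim_session, {"new_password": "attacker",
                                    "form_token": other_session.csrf_token})


def demo():
    """Run all three requests against both handlers and report the outcomes."""
    victim = Session("admin")
    other = Session("admin")          # a second login, with its own token
    vuln, hard = VulnerableAdmin(), HardenedAdmin()
    results = {
        "vulnerable_forged": vuln.change_password(forged_request(victim)),
        "hardened_forged": hard.change_password(forged_request(victim)),
        "cross_session_token": hard.change_password(
            cross_session_request(victim, other)),
        "hardened_legit": hard.change_password(legitimate_request(victim)),
    }
    results["vuln_password"] = vuln.passwords["admin"]
    results["hard_password"] = hard.passwords["admin"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The forged request succeeds against the vulnerable handler and takes over the admin password, which is exactly the impact the SyndeoCMS advisory above describes; the hardened handler rejects it, rejects a token borrowed from another session, and still accepts the server-rendered form. In a real CMS the token also has to be regenerated on login and excluded from GET requests and logs, and the check has to cover every state-changing route, not only the password form.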
For more details about IBM X-Force publication:
A few days ago I discovered a new CSRF vulnerability (http://ivanobinetti.blogspot.com/2012/02/plumecms-124-csrf-0day-vulnerability.html) which affects all versions, including the latest (1.2.4), of Plume CMS.
Today IBM X-Force published my advisory and classified the "Exploitability" of this vulnerability as "High".
For more details:
Today IBM X-Force published two of my advisories related to vulnerabilities discovered in the D-Link DSL-2640B ADSL Router / Access Point.
If you would like to read more about them: