Threat/Vulnerability report week of August 22nd (Rules users)

Security announcements of interest to the AtomiCorp community, such as vulnerabilities in third party applications.
mikeshinn
Atomicorp Staff - Site Admin


Post by mikeshinn

We're switching to a monthly report if all reported vulnerabilities have been addressed by our products in a way that did not require any updates by our users. If a vulnerability is published that requires action, we will publish a report on that day.

-----------------------------------------------------------

This report is an analysis of all published vulnerabilities in any product, weaknesses in technologies, Internet-wide exploits, and current Internet threats associated with the platforms and products our customers use, and of whether any action is required to protect their assets from these vulnerabilities, weaknesses and exploits, depending on the Atomicorp product they are using.

Please see this forum post for an explanation of the categories used in this report.

CVEs are sometimes created after a vulnerability is published (sometimes far after it has been made public). When CVEs are referenced, it is because a CVE was created today, not because an issue was resolved today, and it is included here for reference.

ASL users

Summary: No action necessary.

Already protected against/Known Method/No update required

SWEET32 - CVE-2016-2183 (ASL already disables the affected ciphers)
WordPress Mail Master 1.0 Local File Inclusion
WordPress Bonkersbeat / Method / Awake Arbitrary File Download
Jaws CMS 1.1.1 Cross Site Request Forgery
phpCollab CMS 2.5 Cross Site Request Forgery
ISPconfig 3.0.5.4 p6 Cross Site Scripting
WordPress 4.5.3 Core Ajax Handlers Path Traversal
Lepton CMS 2.2.0 / 2.2.1 PHP Code Injection
Lepton CMS 2.2.0 / 2.2.1 Directory Traversal
WordPress Magic Fields 1 Cross Site Scripting
WordPress Magic Fields 2 Cross Site Scripting
WordPress Link Library 5.9.12.29 Cross Site Scripting
WordPress Ajax Load More 2.11.1 Local File Inclusion
WordPress Theme Directory 2.0.16 Shell Upload
WordPress Tevolution 2.3.1 Shell Upload
WordPress Google Maps 2.1.2 Cross Site Scripting
WordPress Photo Gallery 1.8.5 Cross Site Request Forgery
WordPress Email Users 4.8.3 Cross Site Request Forgery
WordPress Peter's Login Redirect 2.9.0 XSS / CSRF
WordPress Photo Gallery 1.8.5 Cross Site Scripting
Stash CMS 1.0.3 SQL Injection
nopCommerce 3.70 Cross Site Scripting
OpenCart 2.0.3.1 Cross Site Scripting
Joomla AceFTP Arbitrary File Download
Nagios Incident Manager 2.0.0 XSS / SQL Injection / Code Execution
Nagios Network Analyzer 2.2.0 Command Injection / SQL Injection
Nagios Log Server 1.4.1 XSS / Authentication Bypass
WordPress Advanced Custom Fields: Table Field 1.1.12 XSS
Zabbix 3.0.3 SQL Injection
QuickerBB 0.7.0 Cross Site Scripting
Joomla Registration Pro 3.2.12 SQL Injection
Nuke Evolution 2.0.9d Cross Site Scripting
Nagios Network Analyzer 2.2.1 Cross Site Request Forgery
Nagios Network Analyzer 2.2.1 Cross Site Scripting
WordPress Add From Server 6.2 Cross Site Request Forgery
vBulletin 5.2.2 / 4.2.3 / 3.8.9 Server Side Request Forgery
phpCollab CMS 2.5 SQL Injection
WordPress Ecwid Ecommerce Shopping Cart 4.4 / 4.4.3 PHP Object Injection
WordPress Welcome Announcement 1.0.5 Cross Site Scripting
WordPress Selected Text Sharer 1.0 CSRF / XSS
WordPress Store Locator Plus 4.5.09 Cross Site Scripting
Subrion CMS 4.0.5 SQL Injection
Typesettercms 5.0.1 Cross Site Request Forgery
WordPress Count Per Day 3.5.4 Cross Site Scripting
WordPress FormBuilder 1.05 Cross Site Scripting
K2 Joomla! Extension Cross Site Scripting
WordPress Events Made Easy Cross Site Scripting
WordPress Count Per Day 3.5.4 Persistent Cross Site Scripting
WordPress Yoast SEO Cross Site Scripting
Joomla Video Flow 1.1.5 SQL Injection
WordPress Landing Pages 2.2.4 Cross Site Scripting
WordPress Activity Log 2.3.2 Cross Site Scripting
Atutor 2.2.1 Path Traversal
WordPress Activity Log 2.3.2 Cross Site Scripting
WordPress WangGuard 1.7.1 Cross Site Scripting
WordPress Uji Countdown 2.0.6 Cross Site Scripting
WikWiki 2.1 Cross Site Scripting
Joomla BreezingForms 1.8.x Arbitrary File Upload
Guppy CMS 5.01.03 Cross Site Scripting
WordPress ALO EasyMail Newsletter 2.9.2 Cross Site Request Forgery
Car CMS 3.00.30 Cross Site Scripting
WordPress WP Live Chat Support 6.2.03 Cross Site Scripting
WordPress Easy Testimonials 1.36.1 Cross Site Scripting
WordPress Booking Calendar 6.2.1 Cross Site Scripting
WordPress Insert PHP 1.3 Code Execution
WordPress Booking Calendar 6.2 SQL Injection
WordPress Contact Bank 2.1.21 Cross Site Scripting
Joomla Extra Search 2.2.8 SQL Injection
Ecwid Ecommerce Shopping Cart WordPress Plugin unauthenticated PHP Object injection vulnerability
PHP Power Browse 1.2 Path Traversal
ntop 2.5 Cross Site Request Forgery / Command Execution
net2ftp 1.0 Cross Site Scripting
WordPress Insert PHP 1.3 Code Execution (users can not insert PHP code regardless of role)
Apache OpenMeetings 3.1.0 Cross Site Scripting
Navis WebAccess SQL Injection
tcPBX Remote File Disclosure
Karenderia Multiple Restaurant System 3.2 Cross Site Scripting
WordPress Theme Directory 2.0.16 Shell Upload
ZMS CMS 3.2 Cross Site Scripting
WordPress Ultimate Product Catalog 3.9.8 SQL Injection

Not already protected against/New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

None.

Potential Vulnerability/Solution

None.

Rules only users

Summary:

SWEET32 - CVE-2016-2183 TLS/SSL vulnerability

Already protected against/Known Method/No update required

WordPress Mail Master 1.0 Local File Inclusion
WordPress Bonkersbeat / Method / Awake Arbitrary File Download
Jaws CMS 1.1.1 Cross Site Request Forgery
phpCollab CMS 2.5 Cross Site Request Forgery
ISPconfig 3.0.5.4 p6 Cross Site Scripting
WordPress 4.5.3 Core Ajax Handlers Path Traversal
Lepton CMS 2.2.0 / 2.2.1 PHP Code Injection
Lepton CMS 2.2.0 / 2.2.1 Directory Traversal
WordPress Magic Fields 1 Cross Site Scripting
WordPress Magic Fields 2 Cross Site Scripting
WordPress Link Library 5.9.12.29 Cross Site Scripting
WordPress Ajax Load More 2.11.1 Local File Inclusion
WordPress Theme Directory 2.0.16 Shell Upload
WordPress Tevolution 2.3.1 Shell Upload
WordPress Google Maps 2.1.2 Cross Site Scripting
WordPress Photo Gallery 1.8.5 Cross Site Request Forgery
WordPress Email Users 4.8.3 Cross Site Request Forgery
WordPress Peter's Login Redirect 2.9.0 XSS / CSRF
WordPress Photo Gallery 1.8.5 Cross Site Scripting
Stash CMS 1.0.3 SQL Injection
nopCommerce 3.70 Cross Site Scripting
OpenCart 2.0.3.1 Cross Site Scripting
Joomla AceFTP Arbitrary File Download
Nagios Incident Manager 2.0.0 XSS / SQL Injection / Code Execution
Nagios Network Analyzer 2.2.0 Command Injection / SQL Injection
Nagios Log Server 1.4.1 XSS / Authentication Bypass
WordPress Advanced Custom Fields: Table Field 1.1.12 XSS
Zabbix 3.0.3 SQL Injection
QuickerBB 0.7.0 Cross Site Scripting
Joomla Registration Pro 3.2.12 SQL Injection
Nuke Evolution 2.0.9d Cross Site Scripting
Nagios Network Analyzer 2.2.1 Cross Site Request Forgery
Nagios Network Analyzer 2.2.1 Cross Site Scripting
WordPress Add From Server 6.2 Cross Site Request Forgery
vBulletin 5.2.2 / 4.2.3 / 3.8.9 Server Side Request Forgery
phpCollab CMS 2.5 SQL Injection
WordPress Ecwid Ecommerce Shopping Cart 4.4 / 4.4.3 PHP Object Injection
WordPress Welcome Announcement 1.0.5 Cross Site Scripting
WordPress Selected Text Sharer 1.0 CSRF / XSS
WordPress Store Locator Plus 4.5.09 Cross Site Scripting
Subrion CMS 4.0.5 SQL Injection
Typesettercms 5.0.1 Cross Site Request Forgery
WordPress Count Per Day 3.5.4 Cross Site Scripting
WordPress FormBuilder 1.05 Cross Site Scripting
K2 Joomla! Extension Cross Site Scripting
WordPress Events Made Easy Cross Site Scripting
WordPress Count Per Day 3.5.4 Persistent Cross Site Scripting
WordPress Yoast SEO Cross Site Scripting
Joomla Video Flow 1.1.5 SQL Injection
WordPress Landing Pages 2.2.4 Cross Site Scripting
WordPress Activity Log 2.3.2 Cross Site Scripting
Atutor 2.2.1 Path Traversal
WordPress Activity Log 2.3.2 Cross Site Scripting
WordPress WangGuard 1.7.1 Cross Site Scripting
WordPress Uji Countdown 2.0.6 Cross Site Scripting
WikWiki 2.1 Cross Site Scripting
Joomla BreezingForms 1.8.x Arbitrary File Upload
Guppy CMS 5.01.03 Cross Site Scripting
WordPress ALO EasyMail Newsletter 2.9.2 Cross Site Request Forgery
Car CMS 3.00.30 Cross Site Scripting
WordPress WP Live Chat Support 6.2.03 Cross Site Scripting
WordPress Easy Testimonials 1.36.1 Cross Site Scripting
WordPress Booking Calendar 6.2.1 Cross Site Scripting
WordPress Insert PHP 1.3 Code Execution
WordPress Booking Calendar 6.2 SQL Injection
WordPress Contact Bank 2.1.21 Cross Site Scripting
Joomla Extra Search 2.2.8 SQL Injection
Ecwid Ecommerce Shopping Cart WordPress Plugin unauthenticated PHP Object injection vulnerability
PHP Power Browse 1.2 Path Traversal
ntop 2.5 Cross Site Request Forgery / Command Execution
net2ftp 1.0 Cross Site Scripting
WordPress Insert PHP 1.3 Code Execution (users can not insert PHP code regardless of role)
Apache OpenMeetings 3.1.0 Cross Site Scripting
Navis WebAccess SQL Injection
tcPBX Remote File Disclosure
Karenderia Multiple Restaurant System 3.2 Cross Site Scripting
WordPress Theme Directory 2.0.16 Shell Upload
ZMS CMS 3.2 Cross Site Scripting
WordPress Ultimate Product Catalog 3.9.8 SQL Injection

Not already protected against/New Method/Update Available

None.

Not already protected against/Doesn't protect against/Solution

ModSecurity cannot protect against system-level vulnerabilities such as:

SWEET32 - CVE-2016-2183 (Disable DES/3DES ciphers in your web servers and OpenVPN to protect against this vulnerability.)
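
As an added example (not part of the original post or of any Atomicorp product), an Apache 2.4 mod_ssl fragment showing a cipher string that still offers 3DES beside one that excludes the 64-bit-block ciphers SWEET32 exploits; the host name and certificate paths are placeholders.

```apache
# Added example: Apache 2.4 mod_ssl virtual host. The commented-out
# SSLCipherSuite is the weak form; the active one excludes DES and 3DES
# so SWEET32 (CVE-2016-2183) no longer applies. Host name and paths are
# placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Drop the legacy protocol versions as well.
    SSLProtocol all -SSLv2 -SSLv3

    # Weak: on OpenSSL 1.0.x the HIGH group still contains DES-CBC3-SHA,
    # the 64-bit-block 3DES suite that SWEET32 attacks.
    # SSLCipherSuite HIGH:!aNULL:!MD5

    # Fixed: explicitly exclude DES and 3DES (and RC4, which is no better).
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!DES:!RC4

    # Let the server, not the client, choose the cipher order.
    SSLHonorCipherOrder on
</VirtualHost>

# Check before reloading: the fixed string must expand to no DES suites, i.e.
#   openssl ciphers -v 'HIGH:!aNULL:!MD5:!3DES:!DES:!RC4' | grep -i DES
# should print nothing.
```

The same OpenSSL cipher-string syntax applies to nginx's ssl_ciphers and OpenVPN's tls-cipher directive. For the OpenVPN data channel, set the cipher directive to an AES mode (for example cipher AES-256-CBC) rather than a 64-bit-block cipher such as DES-EDE3-CBC or the old BF-CBC default.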

Potential Vulnerability/Solution

None.