Sierra Library Services Platform Multiple Vulnerability Disclosure

Posted by Romano, Christian on Aug 29

Product: Sierra Library Services Platform
Vendor: Innovative Interfaces Inc
Vulnerable Version: 1.2_3
Tested Version: 1.2_3
Vendor Notification: June 19, 2014
Public Disclosure: August 26, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-5136
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: CAaNES (Computational Analysis and Network
Enterprise Solutions)

Advisory...


Re: SaaS Marketing platform Hubspot export vulnerability

Posted by security on Aug 28

We at HubSpot take the concerns of the security community seriously, and continuously work to improve our posture in
this ever-changing field. We do have predefined roles in the application which allow our customers to segment users'
permissions based on their role. These horizontal permissions are quite common among SaaS vendors.

The export functionality mentioned does have existing auditing capability in the back end. For exports, we have...


[SECURITY] [DSA 3014-1] squid3 security update

Posted by Salvatore Bonaccorso on Aug 28

-------------------------------------------------------------------------
Debian Security Advisory DSA-3014-1 security () debian org
http://www.debian.org/security/ Salvatore Bonaccorso
August 28, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : squid3
CVE ID : CVE-2014-3609
Debian Bug :...


SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting

Posted by SEC Consult Vulnerability Lab on Aug 28

SEC Consult Vulnerability Lab Security Advisory < 20140828-0 >
=======================================================================
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: <= 11.5.1
fixed version: > 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: https://f5.com/
found: 2014-07-07
by: Stefan...


Aerohive Hive Manager and Hive OS Multiple Vulnerabilities

Posted by Disclosure on Aug 28

( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=....


[The ManageOwnage Series, part II]: User credential disclosure in ManageEngine DeviceExpert

Posted by Pedro Ribeiro on Aug 28

Hi,

You can read the usernames and MD5 hashed passwords of all the users
in the Device Expert application by sending an unauthenticated
request.
I am releasing this as a 0 day as ManageEngine have responded that
they do not consider this a priority and won't fix it in the near
future unless a customer requests it. See details below.

==========================================================================

"DeviceExpert is a...


[SECURITY] [DSA 3013-1] s3ql security update

Posted by Florian Weimer on Aug 28

-------------------------------------------------------------------------
Debian Security Advisory DSA-3013-1 security () debian org
http://www.debian.org/security/ Florian Weimer
August 27, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : s3ql
CVE ID : CVE-2014-0485

Nikolaus Rath...


Last CFP: ICETC2014 - IEEE - Poland (Deadline: Aug. 30)

Posted by jackie on Aug 27

ICETC2014: International Conference on Education Technologies and
Computers

Technically co-sponsored by IEEE Poland Section
Lodz University of Technology, Lodz, Poland
September 22-24, 2014
http://goo.gl/axpR5f

The International Conference on Education Technologies and Computers
(ICETC2014) will be held at Lodz University of Technology, Lodz, Poland
on September 22-24, 2014. The event will be held over three days, with
presentations...


[SECURITY] [DSA 3012-1] eglibc security update

Posted by Florian Weimer on Aug 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-3012-1 security () debian org
http://www.debian.org/security/ Florian Weimer
August 27, 2014 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : eglibc
CVE ID : CVE-2014-5119

Tavis Ormandy...


SaaS Marketing platform Hubspot export vulnerability

Posted by ehoward on Aug 27

Hubspot is a widely used SaaS marketing platform to email all your customers, collect data about them and attract new
customers. It is common practice to keep customer lists in Hubspot to send newsletters or other email communication.
Hubspot has hardcoded roles that grant users access to various areas of the application.

Most user activity is tracked and can be audited, EXCEPT exporting.

A marketing level user can easily export a...