CVE-2016-5762 – Micro Focus GroupWise Cross Site Scripting / Overflows
https://notcve.org/view.php?id=CVE-2016-5762
Integer overflow in the Post Office Agent in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 might allow remote attackers to execute arbitrary code via a long (1) username or (2) password, which triggers a heap-based buffer overflow.
Micro Focus GroupWise version 2014 R2 SP1 and below suffer from buffer overflow, cross site scripting, and integer overflow vulnerabilities.
• http://packetstormsecurity.com/files/138503/Micro-Focus-GroupWise-Cross-Site-Scripting-Overflows.html
• http://seclists.org/fulldisclosure/2016/Aug/123
• http://www.securityfocus.com/archive/1/539296/100/0/threaded
• http://www.securityfocus.com/bid/92642
• https://www.novell.com/support/kb/doc.php?id=7017975
• https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160825-0_Micro_Focus_GroupWise_Multiple_vulnerabilities_v10.txt
• CWE-190: Integer Overflow or Wraparound
CVE-2016-5760 – Micro Focus GroupWise Cross Site Scripting / Overflows
https://notcve.org/view.php?id=CVE-2016-5760
Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allow remote attackers to inject arbitrary web script or HTML via the (1) token parameter to gwadmin-console/install/login.jsp or (2) PATH_INFO to gwadmin-console/index.jsp.
Micro Focus GroupWise version 2014 R2 SP1 and below suffer from buffer overflow, cross site scripting, and integer overflow vulnerabilities.
• http://packetstormsecurity.com/files/138503/Micro-Focus-GroupWise-Cross-Site-Scripting-Overflows.html
• http://seclists.org/fulldisclosure/2016/Aug/123
• http://www.securityfocus.com/archive/1/539296/100/0/threaded
• http://www.securityfocus.com/bid/92646
• https://www.novell.com/support/kb/doc.php?id=7017973
• https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160825-0_Micro_Focus_GroupWise_Multiple_vulnerabilities_v10.txt
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-1611 – Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1611
Novell Filr 1.2 before Hot Patch 6 and 2.0 before Hot Patch 2 uses world-writable permissions for /etc/profile.d/vainit.sh, which allows local users to gain privileges by replacing this file's content with arbitrary shell commands.
Multiple Micro Focus Filr appliances suffer from cross site request forgery, cross site scripting, command injection, insecure design, missing cookie flag, authentication bypass, poor permission, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/40161
• http://seclists.org/bugtraq/2016/Jul/119
• http://www.securityfocus.com/bid/92113
• https://www.novell.com/support/kb/doc.php?id=7017689
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2016-1608 – Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1608
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
Multiple Micro Focus Filr appliances suffer from cross site request forgery, cross site scripting, command injection, insecure design, missing cookie flag, authentication bypass, poor permission, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/40161
• http://seclists.org/bugtraq/2016/Jul/119
• http://www.securityfocus.com/bid/92113
• https://download.novell.com/Download?buildid=3V-3ArYN85I~
• https://download.novell.com/Download?buildid=BOTiHcBFfv0~
• https://www.novell.com/support/kb/doc.php?id=7017789
• CWE-284: Improper Access Control
CVE-2016-1610 – Micro Focus Filr 2 2.0.0.421/1.2 1.2.0.846 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2016-1610
Directory traversal vulnerability in the email-template feature in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote attackers to bypass intended access restrictions and write to arbitrary files via a .. (dot dot) in a blob name.
Multiple Micro Focus Filr appliances suffer from cross site request forgery, cross site scripting, command injection, insecure design, missing cookie flag, authentication bypass, poor permission, and path traversal vulnerabilities.
• https://www.exploit-db.com/exploits/40161
• http://seclists.org/bugtraq/2016/Jul/119
• http://www.securityfocus.com/bid/92113
• https://download.novell.com/Download?buildid=3V-3ArYN85I~
• https://download.novell.com/Download?buildid=BOTiHcBFfv0~
• https://www.novell.com/support/kb/doc.php?id=7017788
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')