Oracle E-Business Suite CVE-2017-3279 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3277 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3287 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3285 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3443 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3326 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3328 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3284 Remote Security Vulnerability
 
RETIRED: Oracle Java SE CVE-2016-2183 Remote Security Vulnerability
 
Oracle Commerce Platform CVE-2017-3296 Remote Security Vulnerability
 
Oracle E-Business Suite CVE-2017-3286 Local Security Vulnerability
 
Oracle MySQL Server CVE-2017-3243 Remote Security Vulnerability
 
Oracle Outside In Technology CVE-2017-3295 Remote Security Vulnerability
 
Oracle Java SE CVE-2017-3272 Remote Security Vulnerability
 
Oracle Java SE CVE-2017-3289 Remote Security Vulnerability
 
Oracle GlassFish Server CVE-2017-3250 Remote Security Vulnerability
 
Oracle Java SE and JRockit CVE-2016-5547 Remote Security Vulnerability
 

Enlarge

Smart cameras marketed under the Samsung brand name are vulnerable to attacks that allow hackers to gain full control, a status that allows the viewing of what are supposed to be private video feeds, researchers said.

The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011, but the researchers said they suspect other models in the same product line are also susceptible. The flaw allows attackers to inject commands into a Web interface built into the devices. The bug resides in PHP code responsible for updating a video monitoring system known as iWatch. It stems from the failure to properly filter malicious input included in the name of uploaded files. As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges.

"The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call," the researchers wrote in a blog post published to the Exploitee.rs website. "Because the webserver runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within the achieve root remote command execution."

Read 5 remaining paragraphs | Comments

 
WordPress Prior to 4.7.1 Cross Site Request Forgery Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status