| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 Sep 2010 13:40:17 -0600 From: marian.ventuneac@...il.com To: bugtraq@...urityfocus.com Subject: MVSA-10-006 / CVE-2010-0153 - IBM Proventia Network Mail Security System - Cross-Site Request Forgery vulnerabilities Security Advisory: MVSA-10-006 / CVE-2010-0153 Vendor: IBM Products: Proventia Network Mail Security System Vulnerabilities: Cross-Site Request Forgery (XSRF) Risk: High Attack Vector: From Remote Authentication: Required Reference: http://www.ventuneac.net/security-advisories/MVSA-10-006 Description Web-based Local Management Interface (LMI) of IBM Proventia Network Mail Security System appliance (firmware 1.6 and 2.5) is vulnerable to XSRF attacks. When exploited by an attacker, the identified vulnerabilities could lead to compromising the security of the appliance, including unauthorized alteration of appliance's settings, DoS attacks, etc. Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5) Mitigation Vendor recommends upgrading to PNMSS firmware 2.5.0.2 or later. Alternatively, please contact IBM for technical support. Disclosure Timeline 2009, November 07: Vulnerabilities discovered and documented 2009, November 08: Notification sent to IBM 2009, November 09: IBM acknowledges receiving the report 2010, March: IBM releases PNMSS Firmware 2.5.0.2 correcting the reported issues 2010, September 12: MVSA-10-006 advisory published. Credits Dr. Marian Ventuneac http://ventuneac.net
Powered by blists - more mailing lists