CVE-2015-2556
published 2015-10-14
medium · 4.3 · CVSS 3.1
AV:N/AC:M/Au:N/C:P/I:N/A:N
The InfoPath Forms Services component in Microsoft SharePoint Server 2007 SP3 and 2010 SP2 misparses DTDs, which allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka "Microsoft SharePoint Information Disclosure Vulnerability."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | sharepoint_server | — | — |
| microsoft | sharepoint_server | — | — |
No detection rules found.
No public exploits indexed.
Talos
Microsoft Patch Tuesday - October 2015
blogs_talos·2015-10-13·CVSS 9.3
[CRITICAL] Microsoft Patch Tuesday - October 2015
Microsoft's Patch Tuesday has arrived. Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release is fairly light with a total of 6 bulletins released addressing 33 vulnerabilities. Half of the bulletins are rated "Critical" and address vulnerabilities in Internet Explorer, JScript/VBScript, and the Windows Shell. The other half of the bulletins are rated "Important" and address vulnerabilities in Edge, Office, and the Windows Kernel.
### Bulletins Rated Critical
MS15-106, MS15-108, and MS15-109 are rated Critical in this month's release.
MS15-106 is this month's Internet Explorer security bulletin for versions 7 through 11. In total, 14 vulnerabilities were addressed with most of them bei
Bugzilla
CVE-2015-5181 A-MQ Console: script injection into queue name
bugzilla·2015-07-30·CVSS 5.4
CVE-2015-5181 [MEDIUM] CVE-2015-5181 A-MQ Console: script injection into queue name
It was found that the A-MQ console would accept a string containing JavaScript as the name of a new message queue. Execution of the UI would subsequently execute the script. An attacker could use this flaw to access sensitive information or perform other attacks.
Acknowledgements:
Red Hat would like to thank Naftali Rosenbaum of Comsec Consulting for reporting this issue.
---
This issue has been addressed in the following products:
Red Hat JBoss A-MQ 6.2.1
Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html
---
This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.2.1
Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html