Aggregator

A vulnerability was found in Alfresco Enterprise 4.1.6. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Page View Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2014-2939. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Alfresco Enterprise 4.1.6. This affects an unknown part of the file /share/page/task-edit. The manipulation of the argument taskId as part of GET Request leads to cross site scripting. This vulnerability is uniquely identified as CVE-2014-2939. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in OpenSSL 0.9.8/1.0.0/1.0.1. It has been classified as critical. Affected is an unknown function of the component Handshake Handler. The manipulation leads to cryptographic issues. This vulnerability is traded as CVE-2014-0224. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in MediaWiki up to 1.22.6/1.21.9. This affects an unknown part of the file mediawiki/includes/actions/InfoAction.php. The manipulation of the argument sortKey leads to cross site scripting. This vulnerability is uniquely identified as CVE-2014-2853. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Alfresco Enterprise 4.1.6. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component XHTML File Upload Handler. The manipulation leads to HTML injection. This vulnerability is known as CVE-2014-2939. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Juniper Junos up to 13.3 and classified as problematic. This vulnerability affects unknown code of the file index.php of the component J-Web. The manipulation leads to cross site scripting (Persistent). This vulnerability was named CVE-2014-2711. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Juniper Junos up to 12.2. This affects an unknown part of the file index.php of the component J-Web. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2014-2712. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Postfix Admin 2.3.6. Affected by this issue is some unknown functionality of the file functions.inc.php. The manipulation of the argument show_alias leads to sql injection. This vulnerability is handled as CVE-2014-2655. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Synology DiskStation Manager 4.3-3810 update 1. It has been classified as critical. This affects an unknown part of the component VPN Module. The manipulation leads to credentials management. This vulnerability is uniquely identified as CVE-2014-2264. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in WatchGuard XTM up to 11.8.1 and classified as problematic. This issue affects some unknown processing of the file /firewall/policy/. The manipulation of the argument pol_name with the input "><body onload=alert(document.cookie)> leads to cross site scripting. The identification of this vulnerability is CVE-2014-0338. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Drupal 7.14 and classified as problematic. This issue affects some unknown processing of the file eventcalander/. The manipulation leads to cross site scripting (Reflected). The identification of this vulnerability is CVE-2014-1607. The attack may be initiated remotely. Furthermore, there is an exploit available. The real existence of this vulnerability is still doubted at the moment.

目前比较知名的相关模型包括：构建安全成熟度模型（BSSIM）、软件保障成熟度模型（OWASP SAMM）、软件安全能力成熟度模型（中国信息安全测评中心 SSCMM）、CMMI+SAFE（卡内基梅隆大学开发，作为 CMMI-DEV 的扩展）、NIST CSF框架等。 在这些模型中，活跃度比较高的是BSSIM，一些在安全领域做得好的企业，常用于评估或改进软件安全能力的框架，企业可以自评确定当前的安全水平及规划提升路径（网上早已流传自评表）。亦可找第三方公司进行评估，证明软件安全的能力以帮助业务提升竞争力。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ SDL是否适合互联网公司？ 如何计算安全评审的覆盖率？ 研发安全管理用哪些工具？ 线上系统变更，不安全提测怎么办？ ATT＆CK与SDL能否混搭使用？ SDL 59/100问：关于第三方组件安全扫描系统的运营，可以定哪些指标？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急响应：redis挖矿（防御篇） 应急响应：redis挖矿（攻击篇） 应急响应：redis挖矿（完结篇） 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验

目前比较知名的相关模型包括：构建安全成熟度模型（BSSIM）、软件保障成熟度模型（OWASP SAMM）、软件安全能力成熟度模型（中国信息安全测评中心 SSCMM）、CMMI+SAFE（卡内基梅隆大学开发，作为 CMMI-DEV 的扩展）、NIST CSF框架等。 在这些模型中，活跃度比较高的是BSSIM，一些在安全领域做得好的企业，常用于评估或改进软件安全能力的框架，企业可以自评确定当前的安全水平及规划提升路径（网上早已流传自评表）。亦可找第三方公司进行评估，证明软件安全的能力以帮助业务提升竞争力。 更多内容，可以访问： 1、SDL 100问 SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ SDL是否适合互联网公司？ 如何计算安全评审的覆盖率？ 研发安全管理用哪些工具？ 线上系统变更，不安全提测怎么办？ ATT＆CK与SDL能否混搭使用？ SDL 59/100问：关于第三方组件安全扫描系统的运营，可以定哪些指标？ 2、SDL创新实践 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、软件供应链安全 软件供应商面临的攻防实战风险 软件供应商实战对抗十大安全举措 软件供应商攻防常规战之SDL 软件供应链投毒事件应急响应 浅谈企业级供应链投毒应急安全能力建设 5、安全运营实践 基于实践的安全事件简述 安全事件运营SOP：钓鱼邮件 安全事件运营SOP：网络攻击 安全事件运营SOP：蜜罐告警 安全事件运营SOP：webshell事件 安全事件运营SOP：接收漏洞事件 应急响应：redis挖矿（防御篇） 应急响应：redis挖矿（攻击篇） 应急响应：redis挖矿（完结篇） 应急能力提升：实战应急困境与突破 应急能力提升：挖矿权限维持攻击模拟 应急能力提升：内网横向移动攻击模拟 应急能力提升：实战应急响应经验