The government has adopted a cyber-security declaration 2017 asking organizations to develop actionable cyber security road maps to be approved and monitored by the top management. The declaration, signed by honorable State Minister for ICT Zunaid Ahmed Palak, was released on Thursday. It has been prepared and adopted at the...
Read more
The CIRT team of Bangladesh Computer Council is increasingly creating awareness of the need to seriously address the daunting challenges of protecting their information networks, especially those related to national security and critical infrastructures, from any attacker. Recent developments have shown that there is more to this endeavor than answering...
Read more
Description CVE-2017-7269: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with “If: <http://” in a PROPFIND request, as exploited in the wild in July...
Read more
Description: Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.10.1 allows local users to gain privileges or cause a denial of service (double free) by setting the HDLC line discipline. Impact: Local attackers may exploit this issue to gain elevated privileges. Mitigation: Updates are available. Please check the respective...
Read more
Description CVE-2017-3881: Cisco is warning of a new critical IOS / IOS XE vulnerability that affects more than 300 of its switch models. A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause...
Read more
Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017. Impact: This vulnerability allows for...
Read more
Description: Cross-site scripting (XSS) via media file metadata. Control characters can trick redirect URL validation Unintended files can be deleted by administrators using the plugin deletion functionality Cross-site scripting (XSS) via video URL in YouTube embeds. Cross-site scripting (XSS) via taxonomy term names. Cross-site request forgery (CSRF) in Press This...
Read more
Description: In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP’s built-in function mail() which is documented as security critical. The problem is that the invocation of the mail() function will cause PHP to execute the sendmail program. The fifth argument allows...
Read more
CVE-2016-0028: Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka “Microsoft...
Read more
Description: CVE-2016-1531: Exim before 4.86.2, when installed as setuid root, allows local users to gain privileges via the perl_startup argument. Impact: When Exim installation has been compiled with Perl support and contains a perl_startup configuration variable it can be exploited by malicious local attackers to gain root privileges. Mitigation: Vendor...
Read more
