|Affected Products:||Applications using GDCM versions < 2.6.2 and the ImageRegionReader :: ReadIntoBuffer API call|
|Class:||Integer Overflow or Wraparound (CWE-190)|
|Discovered by:||Stelios Tsampas|
Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical images. It provides routines to view and manipulate a wide range of image formats and can be accessed through many popular programming languages like Python, C#, Java and PHP. Various applications that make use of GDCM
are listed here and here.
|Oracle Tracking #:||S0388414 (CPUApr2014)|
|Affected Products:||Oracle Fusion Middleware (versions 18.104.22.168 and 22.214.171.124)|
|Class:||Information Exposure (CWE-200), Privacy Violation (CWE-359)|
|Discovered by:||Alex Zaharis|
|Researched by:||Alex Zaharis, Patroklos Argyroudis|
The Oracle WebCenter portal component in Oracle Fusion Middleware (versions 126.96.36.199 and 188.8.131.52) is vulnerable to an information exposure vulnerability. A malicious user may utilize this vulnerability to gain unauthenticated access to the list of valid usernames of the system, the users’ personal
information and files linked to the users’ profiles.
|Affected Products:||libpurple (all versions), libpurple clients with DBUS support (incl. all versions of pidgin), pidgin-otr (all versions)|
|Class:||Information Exposure (CWE-200), Privacy Violation (CWE-359), Information Exposure Through Sent Data (CWE-201)|
|Discovered by:||Dimitris Glynos|
libpurple-based applications broadcast the plaintext of OTR (off-the-record) conversations over DBUS.
This makes the plaintext available to other (possibly unrelated) applications executing under the same
user. Also, due to a design flaw in libpurple, the user’s choice of not logging OTR plaintext on Pidgin is not communicated over to the third party applications listening on DBUS. This may lead to unintentional (on disk) logging of private messages.
|Affected Products:||Netvolution v2.5.8 (ASP). Other versions may also be vulnerable.|
|Class:||Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)|
|Discovered by:||Patroklos Argyroudis|
|Researched and Exploited by:||Dimitris Glynos|