Technical Advisories

Technical advisories identified by the 7E team.

CVE-2013-6880 XSS in FlashCanvas Proxy.php

Advisory Information
Title: FlashCanvas proxy.php XSS Vulnerability
Date published: November 2013
Ref: CVE-2013-6880

Advisory Summary
Script does not adequately verify the Referer header before requesting (via curl) the remote URL specified in the ‘url’ GET parameter and rendering it

Vendor
FlashCanvas.net <http://flashcanvas.net/>

Affected Software
FlashCanvas 1.5 and possibly older. FlashCanvas is also used in other software frameworks […]

CVE-2013-5669 Thecus Plain Text Admin Password

Advisory Information
Title: Thecus NAS Server N8800 Firmware 5.03.01 plain text administrative password
Date published: August 2013
Ref: CVE-2013-5669 CWE-319

Advisory Summary
The Network Attached Storage (NAS) Administration Web Page for Thecus NAS Server N8800 transmits passwords in cleartext, which allows remote attackers to sniff the administrative password.

Vendor
Thecus

Affected Software
NAS Server N8800 […]

CVE-2013-5668 Thecus Domain Administrator Password Disclosure

Advisory Information
Title: Thecus NAS Server N8800 Firmware 5.03.01
Date published: August 2013
Ref: CVE-2013-5668 CWE-317

Advisory Summary
The Domain Administrator Password within the ADS/NT Support page is disclosed due to clear text storage of sensitive information within the GUI.

Vendor
Thecus

Affected Software
NAS Server N8800 Firmware 5.03.01

Description of Issue
The Domain Administrator […]

CVE-2013-5667 Thecus OS Command Injection

Advisory Information
Title: Thecus NAS Server N8800 Firmware 5.03.01 get_userid OS Command Injection
Date published: August 2013
Ref: CVE-2013-5667 CWE-78

Advisory Summary
A lack of input validation allows an attacker to execute OS commands directly on the operating system.

Vendor
Thecus

Affected Software
NAS Server N8800 Firmware 5.03.01

Description of Issue
The application accepts user […]