AVAST (Business) #17 – Persistent Web Vulnerability
An independent vulnerability laboratory researcher discovered an application-side input validation web vulnerability in the official Avast Business and Shop online service web application.
The vulnerability laboratory core research team discovered an application-side mail encoding web vulnerability in the official Bashi v1.6 iOS mobile application.
An independent vulnerability laboratory researcher discovered multiple client-side web vulnerabilities in the official Avast Shop online service web application.
Whitepaper that discusses how Cisco IP Communicator relies solely on MAC addresses for authentication, allowing an attacker to spoof other callers.
The Infobae website suffers from multiple cross-site scripting vulnerabilities. The author has received no response from them.
The MediaLink MWN-WAPR300N router suffers from multiple session management issues: users cannot log out, and sessions never time out. It also transports credentials and session data over an insecure channel.
XenAPI for XenForo version 1.4.1 suffers from a remote SQL injection vulnerability.
AfterLogic WebMail Pro ASP.NET versions prior to 6.2.7 suffer from an administrator account takeover via an XXE injection vulnerability.
PowerFolder version 10.4.321 suffers from a remote code execution vulnerability. Proof of concept exploit included.
This Metasploit module exploits a pre-auth file upload to install a new root user in /etc/passwd and an SSH key in /etc/dropbear/authorized_keys. Note that /etc/passwd and /etc/dropbear/authorized_keys will be overwritten, and /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. This is the same method used by the "mf" malware infecting these devices.
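The persistence method described above (an extra UID-0 account in /etc/passwd plus a planted key in /etc/dropbear/authorized_keys) leaves artifacts a responder can check for. The following is an added example written for this page, not code from the Metasploit module or from the original advisory: it parses both files and reports any non-root account with UID 0 and any authorized key whose body is not on an allow-list. The file contents and the KNOWN_KEYS allow-list are constructed samples; on a real device you would feed it the actual files named in the module description.

```python
#!/usr/bin/env python3
"""Audit an embedded device for the root-account and SSH-key persistence
described in the module summary above.

Added example, not part of the listed Metasploit module or the original page.
The file contents below are constructed samples; the paths mirror the ones
named in the module description (/etc/passwd, /etc/dropbear/authorized_keys).
"""

# Constructed sample: a typical embedded /etc/passwd plus one injected UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
mfuser:x:0:0::/root:/bin/sh
"""

# Constructed sample: one legitimately provisioned key and one unexpected key.
SAMPLE_AUTHORIZED_KEYS = """ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY0001 ops@provisioning
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY0002 unknown@attacker
"""

# Assumed allow-list of key bodies your provisioning process is known to install.
KNOWN_KEYS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY0001"}


def parse_passwd(text):
    """Return (user, uid, shell) for each well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        entries.append((fields[0], uid, fields[6]))
    return entries


def extra_uid0_accounts(passwd_text):
    """Return usernames other than 'root' that carry UID 0 (a classic backdoor)."""
    return [user for user, uid, _ in parse_passwd(passwd_text) if uid == 0 and user != "root"]


def unknown_authorized_keys(keys_text, known_keys):
    """Return the comment (or body) of every key whose base64 body is not allow-listed."""
    unknown = []
    for line in keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # authorized_keys format: [options] keytype base64 [comment]; options may precede the type
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        body = parts[idx + 1]
        comment = " ".join(parts[idx + 2:])
        if body not in known_keys:
            unknown.append(comment or body)
    return unknown


def audit(passwd_text=SAMPLE_PASSWD, keys_text=SAMPLE_AUTHORIZED_KEYS, known_keys=KNOWN_KEYS):
    """Return a dict of findings; an empty dict means nothing suspicious was found."""
    findings = {}
    uid0 = extra_uid0_accounts(passwd_text)
    if uid0:
        findings["extra_uid0_accounts"] = uid0
    keys = unknown_authorized_keys(keys_text, known_keys)
    if keys:
        findings["unknown_authorized_keys"] = keys
    return findings


if __name__ == "__main__":
    import sys
    # On a live device, replace the constructed samples with the real files, e.g.
    # audit(open("/etc/passwd").read(), open("/etc/dropbear/authorized_keys").read(), KNOWN_KEYS)
    result = audit()
    for name, items in result.items():
        print(f"{name}: {items}")
    sys.exit(1 if result else 0)
```

Because the module (and the malware it mirrors) overwrites the files rather than appending, a diff against a known-good copy of /etc/passwd and /etc/dropbear/authorized_keys is an even stronger check than the heuristics here; the same goes for /etc/persistent/rc.poststart when PERSIST_ETC is in play.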