A missing boundary check in the TLS Heartbeat extension in OpenSSL can be abused by remote attackers to read up to 64 kb of memory from the server.



This memory disclosure vulnerability can be used by remote unauthenticated attackers to obtain sensitive information from the affected server, including private keys and session cookies.



WARNING: This is an early release module. This is not the final version of this module. It is a pre-released version in order to deliver a module as quickly as possible to our customers that may be useful in some situations. Since this module is not the final version it may contain bugs or have limited functionality and may not have complete or accurate documentation.

The vulnerability is a buffer overflow in Schneider Electric OPC factory Suite which bundle the vulnerable component Schneider Electric Modbus Serial Driver (ModbusDrv.exe).

This module exploits a vulnerability in tcpip.sys by sending a big number of router advertisement messages to the target causing a stop responding behavior.

Oracle Database Server is prone to a remote vulnerability that allows attackers to poison the data handled by the remote 'TNS Listener' component of the application.

This module tries to verify if the vulnerability is present in the 'TNS Listener' component of the database server, without deploying an agent. If a database instance name is supplied, it will be used to check for the vulnerability against the TNS listener of the target, but this could affect future client connections, as long as the module is running. If no database instance name is supplied, the module will try to register a random name.

The specific flaw exists within crs.exe which listens by default on a random TCP port. When parsing opcodes 214, 215, 216, 219, 257, and 263, the process blindly copies user supplied data into a fixed-length stack buffer.

This update resolves an issue related to the use of Impact's WebDAV server by this module.

The Pagent service component of Panda Security for Business is prone to a path traversal vulnerability when handling MESSAGE_FROM_REMOTE packets.

This vulnerability can be exploited by remote unauthenticated attackers to drop arbitrary files in the vulnerable machine in order to gain remote code execution with SYSTEM privileges.

The RTSP protocol authentication in the Zavio F3105 IP camera is disabled by default. This configuration error allows remote attackers to access the live video stream without being asked for credentials.

This update improves the reliability and AV Evasion of Agents generated with modules: . Package and Register Agent . Send Agent by E-Mail . Serve Agent in Web Server

The mongo::mongoFind method in MongoDB makes use of uninitialized memory. A remote attacker can fill that memory address with controlled data and then call the vulnerable function in order to execute arbitrary code on the affected server.



This update adds the CVE number.