---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Lyris ListManager Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36926 VERIFY ADVISORY: http://secunia.com/advisories/36926/ DESCRIPTION: Some weaknesses and some vulnerabilities have been reported in Lyris ListManager, which can be exploited by malicious people to disclose system information and conduct cross-site scripting or cross-site request forgery attacks. 1) Some vulnerabilities can be exploited by malicious people to disclose system information and conduct cross-site scripting or cross-site request forgery attacks. For more information: SA36823 2) Input passed to the "how_many_back" and to the "msgdlg_targeturl" parameters in scripts/message/message_dialog.tml, and to the "wait", "url", and "submessage" parameters in scripts/message/message.tml is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. SOLUTION: Filter malicious characters and character sequences using a proxy. Do not visit other web sites while being logged-in to ListManager. PROVIDED AND/OR DISCOVERED BY: Richard Brain and Adrian Pastor, ProCheckUp Ltd ORIGINAL ADVISORY: http://www.procheckup.com/vulnerability_manager/documents/document_1254179990_572/New_Listmanager_paper_v2.pdf OTHER REFERENCES: SA36823: http://secunia.com/advisories/36823/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------