Three high severity vulnerabilities of the last week

Three high severity vulnerabilities were disclosed in the last week: arbitrary code execution in Avast Antivirus, system compromise via unpatched WinRAR, and system compromise in vtiger.

1. Arbitrary code execution in Avast Antivirus

Severity: Critical

Number of vulnerabilities: 1

Exploitation vector: Remote

Impact: System Compromise

Affected Product: Avast Antivirus

Vulnerable version: Avast Antivirus 2015.10.3.2223, possibly earlier versions

Description:

The vulnerability allows a remote user to compromise a system.

The vulnerability is caused by an unspecified error in the SSL traffic parser. This can be exploited to compromise the system.

Link: https://twitter.com/taviso/status/647408764505579520

2. System compromise via WinRAR

Severity: High

Number of vulnerabilities: 1

Exploitation vector: Remote

Impact: System Compromise

Affected Product: WinRAR 5.21

Vulnerable version: WinRAR 5.21, possibly earlier versions

Description:

The vulnerability allows a remote user to compromise the system.

The vulnerability exists due to insufficient validation of HTML code in the SFX script when the archive is packaged. This can be exploited via a specially crafted SFX file to execute arbitrary code on the target system.

Note: Successful exploitation requires that the victim open a malicious archive.

Exploit: WinRAR SFX v5.21 – Remote Code Execution Vulnerability

http://seclists.org/fulldisclosure/2015/Sep/106

3. System compromise in vtiger

Severity: High

Number of vulnerabilities: 1

CVE ID: CVE-2015-6000

Exploitation vector: Remote

Impact: System Compromise

Affected Product: vtiger 6.3.x

Vulnerable versions: vtiger 6.3 and earlier versions

Description:

The vulnerability allows a remote user to compromise a system.

The vulnerability exists due to insufficient input validation in the Settings_Vtiger_CompanyDetailsSave_Action class. A remote authenticated user can upload a specially crafted file to execute arbitrary code on the target system.

Vendor URL: http://vtiger.com
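The vtiger issue above is an upload-validation bug: a file accepted by the company details form could be written where the web server would later execute it. The following is an added example, not vtiger's own code and not the fix the project shipped, showing how a logo upload handler can be hardened in PHP; the function names, $_FILES['logo'] and $logoDir are assumptions.

```php
<?php
// Added example (not vtiger's code): a hardened company-logo upload handler.
// Assumes a target directory $logoDir that the web server is configured NOT
// to execute scripts from; that configuration is the primary control and the
// checks below are defence in depth.

function validate_logo_upload(array $file): string
{
    // Allowlist of extension => expected libmagic MIME type.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Extension: only the LAST extension, lower-cased, and only from the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Content sniffing via libmagic, ignoring the client-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // 3. The file must actually decode as an image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

function store_logo(array $file, string $logoDir): string
{
    $ext = validate_logo_upload($file);
    // 4. Never reuse the client's filename; generate a random one with the vetted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($logoDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// Hypothetical usage: $stored = store_logo($_FILES['logo'], '/var/www/data/logos');
```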