US-CERT - SB18-239: Vulnerability Summary for the Week of August 20, 2018

Original release date: August 27, 2018

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

The NCCIC Weekly Vulnerability Summary Bulletin is created using information from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

 

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no high vulnerabilities recorded this week.

Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no medium vulnerabilities recorded this week.

Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

accupos -- accupos
AccuPOS 2017.8 is installed with the insecure "Authenticated Users: Modify" permission for files within the installation path. This may allow local attackers to compromise the integrity of critical resource and executable files.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-15809
Source & Patch Info: MISC

actiontec -- t2200h_t2200h-31.128l.03_devices
fileshare.cmd on Telus Actiontec T2200H T2200H-31.128L.03 devices allows OS Command Injection via shell metacharacters in the smbdUserid or smbdPasswd field.
Published: 2018-08-19 | CVSS Score: not yet calculated | CVE-2018-15553
Source & Patch Info: MISC

advanced_package_tool -- advanced_package_tool
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-0501
Source & Patch Info: MISC, MISC, MISC, UBUNTU

amazon -- aws_cli_version
The Amazon Web Services (AWS) CLI version 1.15.85 (and possibly earlier versions) does not require the --owners flag when describing images, which makes it easier for remote attackers to trigger the loading of an undesired AMI by setting similar image properties (i.e., name), as exploited in the wild during August 2018 with a Monero miner AMI instead of the expected Ubuntu AMI.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2018-15869
Source & Patch Info: MISC

ansible -- ansible_tower
Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-10884
Source & Patch Info: BID, CONFIRM

apache -- cayenne
This affects Apache Cayenne 4.1.M1, 3.2.M1, 4.0.M2 to 4.0.M5, 4.0.B1, 4.0.B2, 4.0.RC1, 3.1, 3.1.1, 3.1.2. CayenneModeler is a desktop GUI tool shipped with Apache Cayenne and intended for editing Cayenne ORM models stored as XML files. If an attacker tricks a user of CayenneModeler into opening a malicious XML file, the attacker will be able to instruct the XML parser built into CayenneModeler to transfer files from a local machine to a remote machine controlled by the attacker. The cause of the issue is the XML parser processing XML External Entity (XXE) declarations included in XML. The vulnerability is addressed in Cayenne by disabling XXE processing in all operations that require XML parsing.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-11758
Source & Patch Info: MLIST

apache -- sentry
An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1. This can allow an attacker unauthorized access to the partitioned data of a Sentry-protected table and can allow an attacker to remove data from a Sentry-protected table.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-8028
Source & Patch Info: MISC

apache -- struts
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and, at the same time, its upper action(s) have no or wildcard namespace. The same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper action(s) have no or wildcard namespace.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-11776
Source & Patch Info: CONFIRM, BID, SECTRACK, CONFIRM, MISC, CONFIRM

bd -- alaris_plus_medical_syringe_pumps
Becton, Dickinson and Company (BD) Alaris Plus medical syringe pumps (models Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA) versions 2.3.6 and prior are affected by an improper authentication vulnerability where the software does not perform authentication for functionality that requires a provable user identity, which may allow a remote attacker to gain unauthorized access to various Alaris Syringe pumps and impact the intended operation of the pump when it is connected to a terminal server via the serial port.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-14786
Source & Patch Info: CONFIRM, MISC

beijing_ruoshen_technology -- xiuno_bbs
The editor in Xiuno BBS 4.0.4 allows stored XSS.
Published: 2018-08-19 | CVSS Score: not yet calculated | CVE-2018-15559
Source & Patch Info: MISC

belkin -- wemo_insight_smart_plug
Stack-based Buffer Overflow vulnerability in libUPnPHndlr.so in Belkin Wemo Insight Smart Plug allows remote attackers to bypass local security protection via a crafted HTTP POST packet.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-6692
Source & Patch Info: CONFIRM

bloop -- airmail
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that OpenURL is the default URL handler. A navigation request is processed by the default URL handler only if the currentEvent is NX_LMOUSEUP or NX_OMOUSEUP. An attacker may abuse HTML elements with an EventHandler for a chance to validate navigation requests for URLs that are processed during the NX_LMOUSEUP event triggered by clicking an email.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15670
Source & Patch Info: MISC

bloop -- airmail
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. The "send" command in the airmail:// URL scheme allows an external application to send arbitrary emails from an active account. URL parameters for the "send" command with the "attachment_" prefix designate attachment parameters. If the value of an attachment parameter corresponds to an accessible file path, the file is attached to the outbound message. In addition, relative file paths are acceptable attachment parameter values. The handler can be invoked using any method that invokes the URL handler, such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an email with designated attachments from the target account to a target address.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15668
Source & Patch Info: MISC

bloop -- airmail
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. Its primary WebView instance implements "webView:decidePolicyForNavigationAction:request:frame:decisionListener:" such that requests from HTMLIFrameElements are blacklisted. However, other sub-classes of HTMLFrameOwnerElements are not forbidden by the policy. An attacker may abuse HTML plug-in elements within an email to trigger frame navigation requests that bypass this filter.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15669
Source & Patch Info: MISC

bloop -- airmail
An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It registers and uses the airmail:// URL scheme. The "send" command in the URL scheme allows an external application to send arbitrary emails from an active account without authentication. The handler has no restriction on who can use its functionality. The handler can be invoked using any method that invokes the URL handler, such as a hyperlink in an email. The user is not prompted when the handler processes the "send" command, thus leading to automatic transmission of an attacker-crafted email from the target account.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15667
Source & Patch Info: MISC

cms_computers -- cmsuno
CMSUno before 1.5.3 has XSS via the title field.
Published: 2018-08-19 | CVSS Score: not yet calculated | CVE-2018-15567
Source & Patch Info: MISC

cobbler -- cobbler
Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains an Incorrect Access Control vulnerability in the XMLRPC API (/cobbler-api) that can result in privilege escalation, data manipulation or exfiltration, and LDAP credential harvesting. This attack appears to be exploitable via "network connectivity", taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000226
Source & Patch Info: CONFIRM, MISC

cobbler -- cobbler
Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to be exploitable via "network connectivity", by sending an unauthenticated JavaScript payload to the Cobbler XMLRPC API (/cobbler-api).
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000225
Source & Patch Info: CONFIRM, MISC

cobbler -- cobbler
A flaw was found in the cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading to arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2016-9605
Source & Patch Info: CONFIRM

containous -- traefik
Containous Traefik 1.6.x before 1.6.6, when --api is used, exposes the configuration and secret if authentication is missing and the API's port is publicly reachable.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-15598
Source & Patch Info: MISC, MISC, MISC, MISC

couchbase -- server
An issue was discovered in Couchbase Server. Authenticated users can send arbitrary Erlang code to the 'diag/eval' endpoint of the REST API (available by default on TCP/8091 and/or TCP/18091). The executed code in the underlying operating system will run with the privileges of the user running Couchbase Server.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2018-15728
Source & Patch Info: BUGTRAQ

curl -- curl
curl 7.x before 7.10.7 sends CONNECT proxy credentials to the remote server.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2003-1605
Source & Patch Info: BID, MISC

d-link -- dir-615_routers
Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows attackers to inject JavaScript into the router's admin UPnP page via the description field in an AddPortMapping UPnP SOAP request.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15875
Source & Patch Info: MISC

d-link -- dir-615_routers
Cross-site scripting (XSS) vulnerability on D-Link DIR-615 routers 20.07 allows an attacker to inject JavaScript into the "Status -> Active Client Table" page via the hostname field in a DHCP request.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15874
Source & Patch Info: MISC

d-link -- eyeon_baby_monitor
D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has a remote code execution vulnerability. A UDP "Discover" service, which provides multiple functions such as changing the passwords and getting basic information, was installed on the device. A remote attacker can send a crafted UDP request to finderd to cause a stack overflow and execute arbitrary code with root privileges on the device.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2017-11563
Source & Patch Info: FULLDISC, MISC

d-link -- eyeon_baby_monitor
The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command injection vulnerabilities in the web service framework. An attacker can forge malicious HTTP requests to execute commands; authentication is required before executing the attack.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2017-11564
Source & Patch Info: FULLDISC, MISC

damicms -- damicms
An issue was discovered in DamiCMS 6.0.0. There is a CSRF vulnerability that can revise the administrator account's password via /admin.php?s=/Admin/doedit.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15844
Source & Patch Info: MISC

davegamble/cjson -- davegamble/cjson
Dave Gamble cJSON version 1.7.2 and earlier contains a CWE-415: Double Free vulnerability in the cJSON library that can result in a possible crash or RCE. This attack appears to be exploitable if the attacker can force the victim to print JSON data; depending on how the cJSON library is used, this could be either local or over a network. This vulnerability appears to have been fixed in 1.7.3.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000216
Source & Patch Info: CONFIRM

davegamble/cjson -- davegamble/cjson
Dave Gamble cJSON version 1.7.3 and earlier contains a CWE-416: Use After Free vulnerability in the cJSON library that can result in a possible crash, corruption of data or even RCE. Exploitability depends on how the application uses the cJSON library: if the application provides a network interface, it can be exploited over a network, otherwise only locally. This vulnerability appears to have been fixed in 1.7.4.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000217
Source & Patch Info: CONFIRM

davegamble/cjson -- davegamble/cjson
Dave Gamble cJSON version 1.7.6 and earlier contains a CWE-772 vulnerability in the cJSON library that can result in Denial of Service (DoS). This attack appears to be exploitable if the attacker can force the data to be printed while the system is low on memory, which can force a memory leak. This vulnerability appears to have been fixed in 1.7.7.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000215
Source & Patch Info: CONFIRM

daveismyname/simple-cms -- daveismyname/simple-cms
An issue was discovered in daveismyname simple-cms through 2014-03-11. There is a CSRF vulnerability that can delete any page via admin/?delpage=8.
Published: 2018-08-19 | CVSS Score: not yet calculated | CVE-2018-15564
Source & Patch Info: MISC

daveismyname/simple-cms -- daveismyname/simple-cms
An issue was discovered in daveismyname simple-cms through 2014-03-11. admin/addpage.php does not require authentication for adding a page. This can also be exploited via CSRF.
Published: 2018-08-19 | CVSS Score: not yet calculated | CVE-2018-15565
Source & Patch Info: MISC, MISC

dell -- 2335dn_printers
On Dell 2335dn printers with Printer Firmware Version 2.70.05.02, Engine Firmware Version 1.10.65, and Network Firmware Version V4.02.15(2335dn MFP) 11-22-2010, the admin interface allows an authenticated attacker to retrieve the configured SMTP or LDAP password by viewing the HTML source code of the Email Settings webpage. In some cases, authentication can be achieved with the blank default password for the admin account. NOTE: the vendor indicates that this is an "End Of Support Life" product.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-15748
Source & Patch Info: MISC

dom4j -- dom4j
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in class Element, methods addElement and addAttribute, that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000632
Source & Patch Info: CONFIRM, CONFIRM, MISC

dropbear -- dropbear
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-15599
Source & Patch Info: MISC, MISC, MISC

easylogin -- easylogin_pro
An issue was discovered in EasyLogin Pro through 1.3.0. Encryptor.php contains an unserialize call that can be exploited for remote code execution in the decrypt function, if the attacker knows the key.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2018-15576
Source & Patch Info: MISC, EXPLOIT-DB

eclipse_rdf4j -- eclipse_rdf4j
Eclipse RDF4j version < 2.4.0 Milestone 2 contains an XML External Entity (XXE) vulnerability in the RDF4j XML parser used when parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, and port scanning. This attack appears to be exploitable via a specially crafted RDF file.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000644
Source & Patch Info: MISC, CONFIRM

egg-scripts -- egg-scripts
A command injection vulnerability in egg-scripts <v2.8.1 allows arbitrary shell command execution through a maliciously crafted command line argument.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2018-3786
Source & Patch Info: CONFIRM, CONFIRM, MISC

elefant_cms -- elefant_cms
apps/filemanager/handlers/upload/drop.php in Elefant CMS 2.0.3 performs a urldecode step too late in the "Cannot upload executable files" protection mechanism.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-15601
Source & Patch Info: MISC

emerson -- deltav
DeltaV versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 are vulnerable due to improper path validation, which may allow an attacker to replace executable files.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-14795
Source & Patch Info: BID, MISC

emerson -- deltav
DeltaV versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 are vulnerable to a buffer overflow exploit through an open communication port that allows arbitrary code execution.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-14793
Source & Patch Info: BID, MISC

emerson -- deltav_dcs
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 allow a specially crafted DLL file to be placed in the search path and loaded as an internal and valid DLL, which may allow arbitrary code execution.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-14797
Source & Patch Info: BID, MISC

emerson -- deltav_dcs
Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 may allow non-administrative users to change executable and library files on the affected products.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-14791
Source & Patch Info: BID, MISC
ffmpeg -- ffmpeg
The flv_write_packet function in libavformat/flvenc.c in FFmpeg through 4.0.2 does not check for an empty audio packet, leading to an assertion failure.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-15822
Source & Patch Info: MISC

fledrcms -- fledrcms
An issue was discovered in fledrCMS through 2014-02-03. There is a CSRF vulnerability that can change the administrator's password via index.php?p=done&savedata=1.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15846
Source & Patch Info: MISC

flexo_cms -- flexo_cms
An issue was discovered in Flexo CMS v0.1.6. There is a CSRF vulnerability that can add an administrator via /admin/user/add.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15851
Source & Patch Info: MISC

flightairmap -- flightairmap
FlightAirMap version <=v1.0-beta.21 contains a Cross Site Scripting (XSS) vulnerability in a GET variable used within the registration sub-menu page that can result in unauthorised actions, access to data, and stealing of session information. This vulnerability appears to have been fixed after commit 22b09a3.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000642
Source & Patch Info: MISC, CONFIRM

foreman -- foreman
A flaw was found in Foreman's katello plugin version 3.4.5. After setting a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2017-2662
Source & Patch Info: CONFIRM, CONFIRM

gchq/stroom -- gchq/stroom
Stroom version <5.4.5 contains an XML External Entity (XXE) vulnerability in its XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, and port scanning. This attack appears to be exploitable via a specially crafted XML file.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000651
Source & Patch Info: MISC, CONFIRM

gear_software -- multiple_products
GEAR Software products that include GEARAspiWDM.sys, 2.2.5.0, allow local users to cause a denial of service (Race Condition and BSoD on Windows) by not checking that user-mode memory is available right before writing to it. A check is only performed at the beginning of a long subroutine.
Published: 2018-08-24 | CVSS Score: not yet calculated | CVE-2018-15499
Source & Patch Info: MISC, MISC

getsimple_cms -- getsimple_cms
GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15843
Source & Patch Info: MISC

geutebrueck -- re_porter
Geutebrueck re_porter 16 before 7.8.974.20 allows unauthenticated access to sensitive information, including usernames and hashes, via a direct request for /statistics/gscsetup.xml on TCP port 12003.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15534
Source & Patch Info: MISC, EXPLOIT-DB

geutebrueck -- re_porter
A reflected cross-site scripting vulnerability exists in Geutebrueck re_porter 16 before 7.8.974.20, triggered by appending a query string to /modifychannel/exec or /images/*.png on TCP port 12005.
Published: 2018-08-21 | CVSS Score: not yet calculated | CVE-2018-15533
Source & Patch Info: MISC, EXPLOIT-DB

github -- electron
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.
Published: 2018-08-23 | CVSS Score: not yet calculated | CVE-2018-15685
Source & Patch Info: MISC

gleez_cms -- gleez_cms
There is a CSRF vulnerability that can add an administrator account in Gleez CMS 1.2.0 via admin/users/add.
Published: 2018-08-25 | CVSS Score: not yet calculated | CVE-2018-15845
Source & Patch Info: MISC

gnu -- gnutls
A cache-based side channel in the GnuTLS implementation that leads to plaintext recovery in a cross-VM attack setting was found. An attacker could use a combination of a "Just in Time" Prime+Probe attack and a Lucky 13 attack to recover plaintext using crafted packets.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-10846
Source & Patch Info: BID, CONFIRM, MISC, CONFIRM

gnu -- gnutls
It was found that the GnuTLS implementation of HMAC-SHA-384 was vulnerable to a Lucky Thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext recovery attacks via statistical analysis of timing data using crafted packets.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-10845
Source & Patch Info: BID, CONFIRM, MISC, CONFIRM

gnu -- gnutls
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky Thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.
Published: 2018-08-22 | CVSS Score: not yet calculated | CVE-2018-10844
Source & Patch Info: BID, CONFIRM, MISC, CONFIRM

gnu -- libtasn1
GNU libtasn1 versions 4.13 and 4.12 contain a DoS: specifically, CPU usage reaches 100% when running asn1Parser against the PoC due to an issue in _asn1_expand_object_id(p_tree); after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000654
Source & Patch Info: CONFIRM

godot_engine -- godot_engine
Godot Engine, all versions prior to 2.1.5 and all 3.0 versions prior to 3.0.6, contains signed/unsigned comparison, wrong buffer size checks, integer overflow, and missing padding initialization vulnerabilities in the (de)serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death) and a possible leak of uninitialized memory. This attack appears to be exploitable when a malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client); it could be triggered by a multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, and the master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.
Published: 2018-08-20 | CVSS Score: not yet calculated | CVE-2018-1000224
Source & Patch Info: CONFIRM, CONFIRM, CONFIRM
hdf -- hdf5 An issue was discovered in the HDF HDF5 1.10.2 library. A SIGFPE is raised in the function H5D__chunk_init() of H5Dchunk.c during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. 2018-08-21 not yet calculated CVE-2018-15672
MISC
hdf -- hdf5
 
An issue was discovered in the HDF HDF5 1.10.2 library. Excessive stack consumption has been detected in the function H5P__get_cb() in H5Pint.c during an attempted parse of a crafted HDF file. This results in denial of service. 2018-08-21 not yet calculated CVE-2018-15671
MISC
huawei -- multiple_firewall_products Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted packets to the affected device to exploit these vulnerabilities. Successful exploit the vulnerability could lead to device deny of service. 2018-08-21 not yet calculated CVE-2017-17311
CONFIRM
huawei -- multiple_firewall_products Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a DoS vulnerability in the IPSEC IKEv1 implementations of Huawei Firewall products. Due to improper handling of the malformed messages, an attacker may sent crafted packets to the affected device to exploit these vulnerabilities. Successful exploit the vulnerability could lead to device deny of service. 2018-08-21 not yet calculated CVE-2017-17312
CONFIRM
huawei -- multiple_firewall_products Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR V300R001C00; USG5120BSR V300R001C00; USG5150BSR V300R001C00 have a Bleichenbacher Oracle vulnerability in the IPSEC IKEv1 implementations. Remote attackers can decrypt IPSEC tunnel ciphertext data by leveraging a Bleichenbacher RSA padding oracle. Cause a Bleichenbacher oracle attack. Successful exploit this vulnerability can impact IPSec tunnel security. 2018-08-21 not yet calculated CVE-2017-17305
CONFIRM
ibm -- api_connect
 
IBM API Connect 5.0.0.0 through 5.0.8.3 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 143744. 2018-08-22 not yet calculated CVE-2018-1599
CONFIRM
XF
ibm -- maximo_asset_managment
 
IBM Maximo Asset Management 7.6 through 7.6.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 145968. 2018-08-24 not yet calculated CVE-2018-1699
XF
CONFIRM
ibm -- multiple_rational_products Multiple IBM Rational products are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 135655. 2018-08-20 not yet calculated CVE-2017-1753
XF
CONFIRM
ibm -- multiple_rational_products
 
Multiple IBM Rational products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 138425. 2018-08-20 not yet calculated CVE-2018-1394
XF
CONFIRM
ibm -- sdk_java_technology_edition
 
A flaw in the java.math component in IBM SDK, Java Technology Edition 6.0, 7.0, and 8.0 may allow an attacker to inflict a denial-of-service attack with specially crafted String data. IBM X-Force ID: 141681. 2018-08-20 not yet calculated CVE-2018-1517
CONFIRM
BID
XF
ibm -- sdk_java_technology_edition
 
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 , 7.0, and 8.0) does not protect against path traversal attacks when extracting compressed dump files. IBM X-Force ID: 144882. 2018-08-20 not yet calculated CVE-2018-1656
CONFIRM
BID
XF
ibm -- security_access_manager_appliance
 
IBM Security Access Manager Appliance 9.0.4.0 and 9.0.5.0 could allow remote code execution when Advanced Access Control or Federation services are running. IBM X-Force ID: 147370. 2018-08-24 not yet calculated CVE-2018-1722
SECTRACK
XF
CONFIRM
ibm -- websphere_applicaiton_server_liberty
 
IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication. 2018-08-24 not yet calculated CVE-2018-1755
SECTRACK
XF
CONFIRM
imagemagick -- imagemagick In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. 2018-08-21 not yet calculated CVE-2018-15607
BID
MISC
insteon -- insteon_hub An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server 'cache.insteon.com' and serve any signed firmware image. 2018-08-23 not yet calculated CVE-2018-3833
MISC
insteon -- insteon_hub An exploitable denial of service vulnerability exists in Insteon Hub running firmware version 1012. Leftover demo functionality allows for arbitrarily rebooting the device without authentication. An attacker can send a UDP packet to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2017-16348
MISC
insteon -- insteon_hub An exploitable firmware update vulnerability exists in Insteon Hub running firmware version 1013. The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker can upload an MPFS binary via the '/mpfsupload' HTTP form and later on upload the firmware via a POST request to 'firmware.htm'. 2018-08-23 not yet calculated CVE-2018-3832
MISC
insteon -- insteon_hub An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "control" channel of Insteon Hub running firmware version 1012. Specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. A strcpy overflows the buffer insteon_pubnub.channel_cc_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "c_r" parameter in order to exploit this vulnerability. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2017-14452
MISC
insteon -- insteon_hub_2245-222_devices On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. A strcpy overflows the buffer insteon_pubnub.channel_ad_r, which has a size of 16 bytes. An attacker can send an arbitrarily long "ad_r" parameter in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2017-14453
MISC
insteon -- insteon_hub_2245-222_devices On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted replies received from the PubNub service can cause buffer overflows on a global section overwriting arbitrary data. An attacker should impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability. A strcpy overflows the buffer insteon_pubnub.channel_ak, which has a size of 16 bytes. An attacker can send an arbitrarily long "ak" parameter in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2017-14455
MISC
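The three PubNub handler entries above describe the same defect: a strcpy of an attacker-chosen reply value into a 16-byte global buffer. The following is an added C example, not Insteon firmware code, showing the unchecked copy beside a bounded handler that rejects any value that does not fit. The buffer names are the ones reported above; their grouping into one global struct, the mapping of the c_r, ad_r and ak parameters to those buffers, the simplified JSON extractor and the sample replies are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example; this is not Insteon firmware code. The buffer names are the
 * ones the bulletin reports; keeping them in one global struct, and the
 * mapping c_r -> channel_cc_r, ad_r -> channel_ad_r, ak -> channel_ak, are
 * assumptions for illustration. */
#define CHANNEL_LEN 16

struct insteon_pubnub_state {
    char channel_cc_r[CHANNEL_LEN];  /* filled from the "c_r" reply parameter */
    char channel_ad_r[CHANNEL_LEN];  /* filled from the "ad_r" reply parameter */
    char channel_ak[CHANNEL_LEN];    /* filled from the "ak" reply parameter */
    int  connected;                  /* adjacent state an overflow would clobber */
};

static struct insteon_pubnub_state insteon_pubnub;

/* The vulnerable pattern: an unbounded strcpy into a 16-byte global. Shown for
 * comparison only; it is never called on untrusted data below. */
void set_channel_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Hardened replacement: copies only when the value and its NUL fit. */
int set_channel_checked(char *dst, size_t dst_len, const char *value)
{
    size_t n = strlen(value);
    if (n >= dst_len)
        return -1;                   /* overlong: reject, leave dst untouched */
    memcpy(dst, value, n + 1);
    return 0;
}

/* Extracts the string value for key from a flat reply such as
 * {"c_r":"cc1234"} (a simplified stand-in for the PubNub JSON). Writes at
 * most out_len-1 bytes plus NUL. Returns the value length, -1 if the key is
 * missing or the value is unterminated, -2 if the value does not fit. */
int json_get_string(const char *reply, const char *key, char *out, size_t out_len)
{
    char pat[64];
    int pn = snprintf(pat, sizeof pat, "\"%s\":\"", key);
    if (pn < 0 || (size_t)pn >= sizeof pat)
        return -1;
    const char *start = strstr(reply, pat);
    if (start == NULL)
        return -1;
    start += pn;
    const char *end = strchr(start, '"');
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - start);
    if (n >= out_len)
        return -2;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Control-channel reply handler with every copy bounded. Returns 0 on
 * success; -1 if any expected value is missing or overlong, in which case
 * the global state is left unchanged. */
int handle_control_reply(const char *reply)
{
    const struct { const char *key; char *dst; } fields[] = {
        { "c_r",  insteon_pubnub.channel_cc_r },
        { "ad_r", insteon_pubnub.channel_ad_r },
        { "ak",   insteon_pubnub.channel_ak },
    };
    char tmp[3][CHANNEL_LEN];

    /* Parse everything into scratch space first so a bad reply cannot
     * leave the state half-updated. */
    for (size_t i = 0; i < 3; i++)
        if (json_get_string(reply, fields[i].key, tmp[i], CHANNEL_LEN) < 0)
            return -1;
    for (size_t i = 0; i < 3; i++)
        if (set_channel_checked(fields[i].dst, CHANNEL_LEN, tmp[i]) != 0)
            return -1;
    insteon_pubnub.connected = 1;
    return 0;
}

const char *current_channel_cc_r(void) { return insteon_pubnub.channel_cc_r; }
const char *current_channel_ak(void)   { return insteon_pubnub.channel_ak; }
int current_connected(void)            { return insteon_pubnub.connected; }
```

The point of parsing into scratch buffers before touching the globals is that a reply from an impersonated PubNub endpoint can fail validation on its third field after the first two were already accepted; rejecting the whole message keeps the device in a consistent state.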
insteon -- insteon_hub_2245-222_devices On Insteon Hub 2245-222 devices with firmware version 1012, specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker should send an authenticated HTTP request to trigger this vulnerability. At 0x9d01ef24 the value for the s_offset key is copied using strcpy to the buffer at $sp+0x2b0. This buffer is 32 bytes large, sending anything longer will cause a buffer overflow. 2018-08-23 not yet calculated CVE-2017-16337
MISC
jabref -- jabref JabRef version <=4.3.1 contains an XML External Entity (XXE) vulnerability in the MsBibImporter XML parser that can result in disclosure of confidential data, denial of service, server-side request forgery, and port scanning. This attack appears to be exploitable via a specially crafted MsBib file. This vulnerability appears to have been fixed after commit 89f855d. 2018-08-20 not yet calculated CVE-2018-1000652
MISC
CONFIRM
java_system_solutions -- sso_plugin_for_bmc_myit Reflected Cross-Site Scripting exists in the Java System Solutions SSO plugin 4.0.13.1 for BMC MyIT. A remote attacker can abuse this issue to inject client-side scripts into the "select_sso()" function. The payload is triggered when the victim opens a prepared /ux/jss-sso/arslogin?[XSS] link and then clicks the "Login" button. 2018-08-21 not yet calculated CVE-2018-15528
MISC
BUGTRAQ
jenkins -- jenkins A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. 2018-08-23 not yet calculated CVE-2018-1999042
CONFIRM
jenkins -- jenkins A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in BasicAuthenticationFilter.java, BasicHeaderApiTokenAuthenticator.java that allows attackers to create ephemeral in-memory user records by attempting to log in using invalid credentials. 2018-08-23 not yet calculated CVE-2018-1999043
CONFIRM
jenkins -- jenkins An improper authentication vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in SecurityRealm.java, TokenBasedRememberMeServices2.java that allows attackers with a valid cookie to remain logged in even if that feature is disabled. 2018-08-23 not yet calculated CVE-2018-1999045
CONFIRM
jenkins -- jenkins An improper authorization vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in UpdateCenter.java that allows attackers to cancel a Jenkins restart scheduled through the update center. 2018-08-23 not yet calculated CVE-2018-1999047
CONFIRM
jenkins -- jenkins A denial of service vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in CronTab.java that allows attackers with Overall/Read permission to have a request handling thread enter an infinite loop. 2018-08-23 not yet calculated CVE-2018-1999044
CONFIRM
jenkins -- jenkins An exposure of sensitive information vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in Computer.java that allows attackers with Overall/Read permission to access the connection log for any agent. 2018-08-23 not yet calculated CVE-2018-1999046
CONFIRM
jerryscript -- jerryscript JerryScript (tested on commit f86d7459d195c8ba58479d1861b0cc726c8b3793; from the history the issue appears to have been present since commit 64a340ffeb8809b2b66bbe32fd443a8b79fdd860) contains a CWE-476: NULL Pointer Dereference vulnerability. Undefined behavior at jerry-core/ecma/builtin-objects/typedarray/ecma-builtin-typedarray-prototype.c:598 (passing NULL to memcpy as the 2nd argument) results in a null pointer dereference (segfault) at jerry-core/jmem/jmem-heap.c:463 and a crash. This attack appears to be exploitable if the victim executes specially crafted JavaScript code. This vulnerability appears to have been fixed after commit 87897849f6879df10e8ad68a41bf8cf507edf710. 2018-08-20 not yet calculated CVE-2018-1000636
CONFIRM
jsish -- jsish Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vulnerability in the function jsi_ValueCopyMove at jsiValue.c:240 that can result in a crash due to segmentation fault. This attack appears to be exploitable via crafted JavaScript code. This vulnerability appears to have been fixed in 2.4.67. 2018-08-20 not yet calculated CVE-2018-1000655
CONFIRM
latexdraw -- latexdraw LatexDraw version <=4.0 contains an XML External Entity (XXE) vulnerability in the SVG parsing functionality that can result in disclosure of data, server-side request forgery, port scanning, and possibly remote code execution. This attack appears to be exploitable via a specially crafted SVG file. 2018-08-20 not yet calculated CVE-2018-1000639
MISC
MISC
libbpg -- libbpg A vulnerability was found while fuzzing libbpg 0.9.7. It is a NULL pointer dereference issue due to a missing check of the return value of the function malloc in the BPG encoder. This vulnerability appeared while converting a malicious JPEG file to BPG. 2018-08-22 not yet calculated CVE-2017-2575
MLIST
BID
libgd -- libgd Libgd version 2.2.5 contains a double free vulnerability in the gdImageBmpPtr function that can result in remote code execution. This attack appears to be exploitable via a specially crafted JPEG image that triggers the double free. This vulnerability appears to have been fixed after commit ac16bdf2d41724b5a65255d4c28fb0ec46bc42f5. 2018-08-20 not yet calculated CVE-2018-1000222
CONFIRM
libgit2 -- libgit2 In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x before 0.27.4, a remote attacker can send a crafted smart-protocol "ng" packet that lacks a '\0' byte to trigger an out-of-bounds read that leads to DoS. 2018-08-17 not yet calculated CVE-2018-15501
MISC
MISC
MISC
MISC
MISC
MLIST
MISC
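The ng_pkt flaw above is what happens when C string functions are run over a length-delimited network buffer that the peer chose not to NUL-terminate. The following is an added C example, not libgit2 code: a pkt-line unframer and an "ng <refname> <message>" parser in which every scan is bounded by the byte count actually received, beside the unchecked shape for comparison. The pkt-line framing (4 hex digits of length that include the header, "0000" for a flush-pkt) and the report-status line form are git's documented protocol; the field sizes, function names and sample packets are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libgit2 code. Git's pkt-line framing is a 4-hex-digit
 * length (covering itself) followed by the payload; "0000" is a flush-pkt.
 * A report-status "ng" line has the form "ng <refname> <message>" with an
 * optional trailing newline. The fixed field sizes below are assumptions. */
struct ng_pkt {
    char ref[256];
    char msg[256];
};

/* The vulnerable shape, for comparison only: the payload is treated as a C
 * string, so a packet that carries no '\0' sends strchr/strlen past the end
 * of the receive buffer. Not called on untrusted input here. */
int ng_pkt_parse_unchecked(const char *line, struct ng_pkt *out)
{
    const char *ref = line + 3;                 /* assumes "ng " was seen */
    const char *sp = strchr(ref, ' ');          /* unbounded scan */
    if (sp == NULL || (size_t)(sp - ref) >= sizeof out->ref
        || strlen(sp + 1) >= sizeof out->msg)   /* unbounded scan */
        return -1;
    memcpy(out->ref, ref, (size_t)(sp - ref));
    out->ref[sp - ref] = '\0';
    strcpy(out->msg, sp + 1);
    return 0;
}

/* Decodes the pkt-line length prefix. Returns the payload length (0 for a
 * flush-pkt) and sets *payload, or -1 if the prefix is not hex, is shorter
 * than the header, or claims more bytes than the caller actually has. */
long pkt_line_payload(const char *buf, size_t len, const char **payload)
{
    if (len < 4)
        return -1;
    unsigned long n = 0;
    for (int i = 0; i < 4; i++) {
        char c = buf[i];
        int v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else                           return -1;
        n = n * 16 + (unsigned long)v;
    }
    *payload = buf + 4;
    if (n == 0)
        return 0;                          /* flush-pkt */
    if (n < 4 || n > len)
        return -1;                         /* truncated or lying length */
    return (long)(n - 4);
}

/* Bounded "ng" parser: every scan is limited by len, so a payload with no
 * terminating '\0' is handled without reading past it. Returns 0 on
 * success, -1 on malformed input. */
int ng_pkt_parse(const char *buf, size_t len, struct ng_pkt *out)
{
    if (len < 3 || memcmp(buf, "ng ", 3) != 0)
        return -1;
    const char *ref = buf + 3;
    size_t rem = len - 3;
    if (rem > 0 && ref[rem - 1] == '\n')
        rem--;                              /* drop the trailing newline */
    if (memchr(ref, '\0', rem) != NULL)
        return -1;                          /* embedded NUL: reject, don't truncate */
    const char *sp = memchr(ref, ' ', rem);
    if (sp == NULL)
        return -1;                          /* no message separator */
    size_t ref_len = (size_t)(sp - ref);
    size_t msg_len = rem - ref_len - 1;
    if (ref_len == 0 || ref_len >= sizeof out->ref || msg_len >= sizeof out->msg)
        return -1;
    memcpy(out->ref, ref, ref_len);
    out->ref[ref_len] = '\0';
    memcpy(out->msg, sp + 1, msg_len);
    out->msg[msg_len] = '\0';
    return 0;
}

/* Unframes one pkt-line from the wire and parses it as an "ng" line. */
int ng_pkt_from_wire(const char *wire, size_t wire_len, struct ng_pkt *out)
{
    const char *payload;
    long plen = pkt_line_payload(wire, wire_len, &payload);
    if (plen <= 0)
        return -1;
    return ng_pkt_parse(payload, (size_t)plen, out);
}
```

The rule the bounded version enforces is the one a fuzzer would otherwise find for you: the protocol already tells the receiver how many bytes it holds, so no scan needs a terminator the sender never promised.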
libming -- libming An invalid memory address dereference was discovered in decompileSingleArgBuiltInFunctionCall in libming 0.4.8 before 2018-03-12. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. 2018-08-25 not yet calculated CVE-2018-15871
MISC
libming -- libming An invalid memory address dereference was discovered in decompileGETVARIABLE in libming 0.4.8 before 2018-03-12. The vulnerability causes a segmentation fault and application crash, which leads to denial of service. 2018-08-25 not yet calculated CVE-2018-15870
MISC
librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO lh-ehr version REL-2.0.0 contains an authenticated unrestricted file write vulnerability in letter.php (2), in the patient file letter functions, that can result in writing files with malicious content and may lead to remote code execution. This attack appears to be exploitable via user-controlled input. 2018-08-20 not yet calculated CVE-2018-1000649
MISC
MISC

librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO lh-ehr version <REL-2.0.0 contains an authenticated local file disclosure vulnerability in the template import function that can result in disclosure of sensitive files on the server. This attack appears to be exploitable via a user-controlled variable in the import templates function. 2018-08-20 not yet calculated CVE-2018-1000645
MISC
CONFIRM
librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO lh-ehr version REL-2.0.0 contains an authenticated unrestricted file deletion vulnerability in the import template function that can result in denial of service. This attack appears to be exploitable via a user-controlled parameter. 2018-08-20 not yet calculated CVE-2018-1000647
MISC
MISC
librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO LH-EHR version REL-2.0.0 contains an authenticated unrestricted file write vulnerability in the import template function that can result in writing files with malicious content and may lead to remote code execution. 2018-08-20 not yet calculated CVE-2018-1000646
MISC
MISC
librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO lh-ehr version REL-2.0.0 contains a SQL injection vulnerability in the Show Groups Popup SQL query functions that can result in the ability to perform malicious database queries. This attack appears to be exploitable via user-controlled parameters. 2018-08-20 not yet calculated CVE-2018-1000650
MISC
CONFIRM
librehealthio/lh-ehr -- librehealthio/lh-ehr LibreHealthIO lh-ehr version REL-2.0.0 contains an authenticated unrestricted file write vulnerability in the patient file letter functions that can result in writing files with malicious content and may lead to remote code execution. This attack appears to be exploitable via user-controlled parameters. 2018-08-20 not yet calculated CVE-2018-1000648
MISC
MISC
libvirt -- libvirt libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing. 2018-08-20 not yet calculated CVE-2015-5160
REDHAT
MLIST
CONFIRM
CONFIRM
CONFIRM
libvirt -- libvirt A NULL pointer dereference flaw was found in the way libvirt from 2.5.0 to 3.0.0 handled empty drives. A remote authenticated attacker could use this flaw to crash the libvirtd daemon, resulting in denial of service. 2018-08-22 not yet calculated CVE-2017-2635
CONFIRM
CONFIRM
linux -- linux_kernel lldptool version 1.0.1 and older can print a raw, unsanitized attacker controlled buffer when mngAddr information is displayed. This may allow an attacker to inject shell control characters into the buffer and impact the behavior of the terminal. 2018-08-21 not yet calculated CVE-2018-10932
CONFIRM
CONFIRM
CONFIRM
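The lldptool entry above is a terminal escape injection: bytes received from a neighbour are printed verbatim, so an attacker who controls the management address TLV can drive the operator's terminal emulator. The following is an added C example, not lldptool code, of the rendering step a CLI should apply before printing any network-sourced buffer with "%s": control bytes, DEL and 8-bit bytes become a visible \xNN and a literal backslash is doubled. The function names, the 256-byte address limit and the sample values are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not lldptool code. Escapes an untrusted byte buffer (for
 * instance a management-address string learned from a neighbour) so that
 * only printable ASCII reaches the terminal. Control bytes, DEL and 8-bit
 * bytes become \xNN and a literal backslash becomes \\, so the output is
 * unambiguous and no escape sequence can reach the terminal emulator.
 * Returns the number of bytes written (excluding the NUL) or -1 if out is
 * too small; out is NUL-terminated on success. */
int sanitize_for_terminal(const unsigned char *in, size_t in_len,
                          char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (out_len == 0)
        return -1;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= out_len)
                return -1;                /* no room for byte plus NUL */
            out[o++] = (char)c;
        } else if (c == '\\') {
            if (o + 2 >= out_len)
                return -1;
            out[o++] = '\\';
            out[o++] = '\\';
        } else {
            if (o + 4 >= out_len)
                return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The lldptool problem was printing the raw buffer with a bare "%s". This
 * prints a sanitized rendering instead. Returns 0 on success, -1 if the
 * address is longer than the assumed 256-byte limit or cannot be rendered. */
int print_mng_addr(const unsigned char *addr, size_t addr_len)
{
    char safe[4 * 256 + 1];      /* worst case: every byte becomes \xNN */
    if (addr_len > 256 || sanitize_for_terminal(addr, addr_len, safe, sizeof safe) < 0)
        return -1;
    printf("Management address: %s\n", safe);
    return 0;
}
```

Refusing (rather than truncating) when the output buffer is too small matters: a silently cut-off rendering can end inside a partially written escape and mislead the reader about what the device actually sent.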
linux -- linux_kernel arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles certain indirect calls, which makes it easier for attackers to conduct Spectre-v2 attacks against paravirtual guests. 2018-08-20 not yet calculated CVE-2018-15594
MISC
BID
MISC
MISC
MISC
linux -- linux_kernel The pam_fscrypt module in fscrypt before 0.2.4 may incorrectly restore primary and supplementary group IDs to the values associated with the root user, which allows attackers to gain privileges via a successful login through certain applications that use Linux-PAM (aka pam). 2018-08-23 not yet calculated CVE-2018-6558
MISC
MISC
MISC
MISC
linux -- linux_kernel The spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks. 2018-08-19 not yet calculated CVE-2018-15572
MISC
MISC
MISC
linux -- linux_kernel It was found that the raw midi kernel driver does not protect against concurrent access, which leads to a double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(), which are part of the snd_rawmidi_ioctl() handler in the rawmidi.c file. A malicious local attacker could possibly use this for privilege escalation. 2018-08-21 not yet calculated CVE-2018-10902
BID
SECTRACK
CONFIRM
MISC
mapr -- converged_data_platform_and_mapr-xd An issue was discovered in the MapR File System in MapR Converged Data Platform and MapR-XD 6.x and earlier. Under certain conditions, it is possible for MapR ticket credentials to become compromised, allowing a user to escalate their privileges to act as (aka impersonate) any other user, including cluster administrators, aka bug# 31935. This affects all users who have enabled security on the MapR platform and is fixed in mapr-patch-5.2.1.42646.GA-20180731093831, mapr-patch-5.2.2.44680.GA-20180802011430, mapr-patch-6.0.0.20171109191718.GA-20180802011420, and mapr-patch-6.0.1.20180404222005.GA-20180806214919. 2018-08-23 not yet calculated CVE-2018-15804
CONFIRM
mikrotik -- routeros Mikrotik RouterOS before 6.42.7 and 6.40.9 has a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request. 2018-08-23 not yet calculated CVE-2018-1157
CONFIRM
CONFIRM
MISC
mikrotik -- routeros Mikrotik RouterOS before 6.42.7 and 6.40.9 has a memory corruption vulnerability. An authenticated remote attacker can crash the HTTP server by rapidly authenticating and disconnecting. 2018-08-23 not yet calculated CVE-2018-1159
CONFIRM
CONFIRM
MISC
mikrotik -- routeros Mikrotik RouterOS before 6.42.7 and 6.40.9 has a stack exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server via recursive parsing of JSON. 2018-08-23 not yet calculated CVE-2018-1158
CONFIRM
CONFIRM
MISC
mikrotik -- routeros Mikrotik RouterOS before 6.42.7 and 6.40.9 has a stack buffer overflow in the license upgrade interface. This vulnerability could theoretically allow a remote authenticated attacker to execute arbitrary code on the system. 2018-08-23 not yet calculated CVE-2018-1156
CONFIRM
CONFIRM
MISC
minicms -- minicms MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerability in https://ift.tt/2MmKxuS that can result in code injection. 2018-08-20 not yet calculated CVE-2018-1000638
MISC
my_little_forum -- my_little_forum my little forum 2.4.12 allows CSRF for deletion of users. 2018-08-19 not yet calculated CVE-2018-15569
MISC
mybb -- mybb An issue was discovered in the Moderator Log Notes plugin 1.1 for MyBB. It allows moderators to save notes and display them in a list in the modCP. An attacker can remotely delete all mod notes and mod note logs in the modCP and ACP via CSRF. 2018-08-24 not yet calculated CVE-2018-11502
MISC
EXPLOIT-DB
national_payments_corporation_of_india -- bhim_app_for_android The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication. 2018-08-24 not yet calculated CVE-2017-9819
MISC
national_payments_corporation_of_india -- bhim_app_for_android The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication. 2018-08-24 not yet calculated CVE-2017-9820
MISC
national_payments_corporation_of_india -- bhim_app_for_android The National Payments Corporation of India BHIM application 1.3 for Android relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, and VK-NPCIBM) for SMS validation, which makes it easier for attackers to bypass authentication. 2018-08-24 not yet calculated CVE-2017-9821
MISC
national_payments_corporation_of_india -- bhim_app_for_android The National Payments Corporation of India BHIM application 1.3 for Android relies on a four-digit passcode, which makes it easier for attackers to obtain access. 2018-08-24 not yet calculated CVE-2017-9818
MISC
nec -- aterm_wg2600hp2 An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router has a set of web service APIs for access to and setup of the configuration. Some APIs don't require authentication. An attacker could exploit this vulnerability by sending a crafted HTTP request to retrieve DHCP clients, firmware version, and network status (ex.: curl -X http://[IP]/aterm_httpif.cgi/negotiate -d "REQ_ID=SUPPORT_IF_GET"). 2018-08-24 not yet calculated CVE-2017-12575
FULLDISC
netwave -- ip_camera Information disclosure in Netwave IP camera at get_status.cgi (via HTTP on port 8000) allows an unauthenticated attacker to exfiltrate sensitive information from the device. 2018-08-24 not yet calculated CVE-2018-11654
MISC
netwave -- ip_camera Information disclosure in Netwave IP camera at //etc/RT2870STA.dat (via HTTP on port 8000) allows an unauthenticated attacker to exfiltrate sensitive information about the network configuration like the network SSID and password. 2018-08-24 not yet calculated CVE-2018-11653
MISC
node.js -- node.js In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written. 2018-08-21 not yet calculated CVE-2018-12115
BID
REDHAT
REDHAT
CONFIRM
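The first Node.js entry above is a length-clamping mistake for a two-byte encoding: the number of code units that may be written must be derived from the bytes actually left after the offset, rounded down to whole units, and then capped by the caller's byte budget. The following is an added C example, not Node.js source and not a reproduction of Node's internal arithmetic: a bounded UTF-16LE write and a small guard-byte harness that checks it never spills past the end of the buffer, including the case where only one byte is left. The function names and sample data are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Node.js source. A bounded UTF-16LE (ucs2) write into a
 * byte buffer: the number of code units is derived from the bytes that are
 * actually left after `offset`, rounded down to whole units, and from the
 * caller's byte budget `max_len`. Returns bytes written, or -1 if offset lies
 * beyond the end of the buffer. */
long ucs2_write(uint8_t *buf, size_t buf_len, size_t offset,
                const uint16_t *src, size_t src_units, size_t max_len)
{
    if (offset > buf_len)
        return -1;
    size_t remaining = buf_len - offset;      /* bytes left in the buffer */
    if (max_len > remaining)
        max_len = remaining;                  /* never past the end */
    size_t units = max_len / 2;               /* whole code units that fit */
    if (units > src_units)
        units = src_units;
    for (size_t i = 0; i < units; i++) {
        buf[offset + 2 * i]     = (uint8_t)(src[i] & 0xff);
        buf[offset + 2 * i + 1] = (uint8_t)(src[i] >> 8);
    }
    return (long)(units * 2);
}

/* Harness: writes "ABC" (three code units, six bytes) at `offset` into an
 * n-byte buffer that is followed by eight 0xa5 guard bytes. Returns 1 if the
 * write returned expect_bytes and the guard is intact, 0 otherwise. */
int write_stays_in_bounds(size_t n, size_t offset, long expect_bytes)
{
    const uint16_t src[] = { 0x0041, 0x0042, 0x0043 };   /* "ABC" */
    uint8_t *arena = calloc(n + 8, 1);
    if (arena == NULL)
        return 0;
    memset(arena + n, 0xa5, 8);
    long w = ucs2_write(arena, n, offset, src, 3, 6);
    int ok = (w == expect_bytes);
    for (size_t i = 0; i < 8; i++)
        if (arena[n + i] != 0xa5)
            ok = 0;
    free(arena);
    return ok;
}
```

The guard-byte harness is the check worth keeping around: any future change to the clamping arithmetic that lets a half unit through shows up as a corrupted guard, which is exactly the symptom the advisory describes.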
node.js -- node.js In all versions of Node.js 10 prior to 10.9.0, an argument processing flaw can cause `Buffer.alloc()` to return uninitialized memory. This method is intended to be safe and only return initialized, or cleared, memory. The third argument specifying `encoding` can be passed as a number; this is misinterpreted by `Buffer`'s internal "fill" method as the `start` of a fill operation. This flaw may be abused where `Buffer.alloc()` arguments are derived from user input to return uncleared memory blocks that may contain sensitive information. 2018-08-21 not yet calculated CVE-2018-7166
REDHAT
CONFIRM
ome -- open_microscopy_environment_omero The Open Microscopy Environment OMERO.server versions 5.4.0 to 5.4.6 contain an improper access control vulnerability in user management that can result in an administrative user with privilege restrictions logging in as a more powerful administrator. This attack appears to be exploitable by using the user administration privilege to set the password of a more powerful administrator. This vulnerability appears to have been fixed in 5.4.7. 2018-08-20 not yet calculated CVE-2018-1000634
CONFIRM
CONFIRM
ome -- open_microscopy_environment_omero The Open Microscopy Environment OMERO.server versions 5.4.0 to 5.4.6 contain an Information Exposure Through Sent Data vulnerability in OMERO.server that can result in an attacker gaining full administrative access to the server and possibly being able to disable it. This vulnerability appears to have been fixed in 5.4.7. 2018-08-20 not yet calculated CVE-2018-1000635
CONFIRM
CONFIRM
ome -- open_microscopy_environment_omero The Open Microscopy Environment OMERO.web versions prior to 5.4.7 contain an Information Exposure Through Log Files vulnerability in the login form and change password form that can result in a user's password being revealed, allowing an attacker to log in as that user. This attack appears to be exploitable by an attacker reading the web server log. This vulnerability appears to have been fixed in 5.4.7. 2018-08-20 not yet calculated CVE-2018-1000633
CONFIRM
CONFIRM
openemr -- openemr OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'scan' parameter in line #41 of interface/fax/fax_view.php that could allow remote authenticated attackers to inject arbitrary web script or HTML. This attack appears to be exploitable if the victim visits a specially crafted URL. 2018-08-20 not yet calculated CVE-2018-1000219
MISC
CONFIRM
openemr -- openemr OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'file' parameter in line #43 of interface/fax/fax_view.php that could allow remote authenticated attackers to inject arbitrary web script or HTML. This attack appears to be exploitable if the victim visits a specially crafted URL. 2018-08-20 not yet calculated CVE-2018-1000218
MISC
CONFIRM
openssh -- openssh OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. 2018-08-17 not yet calculated CVE-2018-15473
MISC
SECTRACK
MISC
MISC
MLIST
DEBIAN
EXPLOIT-DB
EXPLOIT-DB
owasp -- antisamy OWASP AntiSamy version 1.5.7 and earlier contains a Cross Site Scripting (XSS) vulnerability in AntiSamy.scan(), for both the SAX and DOM parsers, that can result in cross-site scripting. 2018-08-20 not yet calculated CVE-2018-1000643
MISC
oxid -- eshop An issue was discovered in the Paymorrow module 1.0.0 before 1.0.2 and 2.0.0 before 2.0.1 for OXID eShop. An attacker can bypass delivery-address change detection if the payment module doesn't use eShop's checkout procedure properly. To do so, the attacker must change the delivery address to one that is not verified by the Paymorrow module. 2018-08-20 not yet calculated CVE-2018-14020
CONFIRM
CONFIRM
oxid -- multiple_products An issue was discovered in OXID eShop Enterprise Edition before 5.3.8, 6.0.x before 6.0.3, and 6.1.x before 6.1.0; Professional Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0; and Community Edition before 4.10.8, 5.x and 6.0.x before 6.0.3, and 6.1.x before 6.1.0. An attacker could gain access to the admin panel or a customer account when using the password reset function. To do so, it is required to own a domain name similar to the one the victim uses for their e-mail accounts. 2018-08-20 not yet calculated CVE-2018-12579
CONFIRM
CONFIRM
pallets_project -- flask The Pallets Project Flask before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability that can result in a large amount of memory usage, possibly leading to denial of service. This attack appears to be exploitable when an attacker provides JSON data in an incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. 2018-08-20 not yet calculated CVE-2018-1000656
CONFIRM
CONFIRM
pango -- pango libpango in Pango before 1.42.4, as used in hexchat and other products, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted text. 2018-08-24 not yet calculated CVE-2018-15120
MISC
CONFIRM
CONFIRM
MLIST
UBUNTU
philips -- intellispace_cardiovascular_products In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 3.1 or prior and Xcelera Version 4.1 or prior), an unquoted search path or element vulnerability has been identified, which may allow an attacker to execute arbitrary code and escalate their level of privileges. 2018-08-22 not yet calculated CVE-2018-14789
MISC
CONFIRM
philips -- intellispace_cardiovascular_products In Philips' IntelliSpace Cardiovascular (ISCV) products (ISCV Version 2.x or prior and Xcelera Version 4.1 or prior), an attacker with escalated privileges could access folders which contain executables where authenticated users have write permissions, and could then execute arbitrary code with local administrative permissions. 2018-08-22 not yet calculated CVE-2018-14787
MISC
CONFIRM
philips -- pagewriter In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, an attacker with both the superuser password and physical access can enter the superuser password that can be used to access and modify all settings on the device, as well as allow the user to reset existing passwords. 2018-08-22 not yet calculated CVE-2018-14801
BID
MISC
CONFIRM
philips -- pagewriter In Philips PageWriter TC10, TC20, TC30, TC50, TC70 Cardiographs, all versions prior to May 2018, the PageWriter device does not sanitize data entered by the user. This can lead to buffer overflow or format string vulnerabilities. 2018-08-22 not yet calculated CVE-2018-14799
BID
MISC
CONFIRM
phpmyadmin -- phpmyadmin An issue was discovered in phpMyAdmin before 4.8.3. A Cross-Site Scripting vulnerability has been found where an attacker can use a crafted file to manipulate an authenticated user who loads that file through the import feature. 2018-08-24 not yet calculated CVE-2018-15605
SECTRACK
CONFIRM
CONFIRM
phpwhois -- phpwhois phpWhois allows remote attackers to execute arbitrary code via a crafted whois record. 2018-08-20 not yet calculated CVE-2015-5243
MISC
CONFIRM
CONFIRM
CONFIRM
MISC
CONFIRM
pimcore -- pimcore Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions. 2018-08-24 not yet calculated CVE-2018-14059
MISC
FULLDISC
EXPLOIT-DB
MISC
pkgconf -- pkgconf pkgconf versions 1.5.0 to 1.5.2 contain a buffer overflow vulnerability in dequote(): when the initial length is 0, dequote() returns a 1-byte allocation, leading to a buffer overflow. This attack appears to be exploitable via a specially crafted .pc file. This vulnerability appears to have been fixed in 1.5.3. 2018-08-20 not yet calculated CVE-2018-1000221
CONFIRM
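The pkgconf entry above reports that dequote() produced a one-byte allocation for a zero-length input and then overran it. The following is an added C example, not pkgconf's dequote(): a value dequoter for .pc files that sizes its output from the actual input length plus one and writes at most that many bytes, so the empty string and every other input get exactly the room they need. The escaping rules it applies (surrounding double or single quotes stripped, backslash escapes resolved, a trailing lone backslash kept literally), the function names and the sample values are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not pkgconf code. Strips surrounding double or single quotes
 * and resolves backslash escapes in a .pc value. Dequoting never makes a
 * string longer, so the output buffer is always strlen(in) + 1 bytes: for an
 * empty input that is one byte holding just the terminator, and the loop
 * below can never write past it. Returns NULL only if allocation fails; the
 * caller frees the result. */
char *dequote(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);    /* +1 unconditionally, even when len == 0 */
    if (out == NULL)
        return NULL;

    size_t o = 0;
    char quote = 0;                 /* currently open quote character, if any */
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        if (c == '\\' && i + 1 < len) {
            out[o++] = in[++i];     /* escaped character is taken literally */
        } else if (quote == 0 && (c == '"' || c == '\'')) {
            quote = c;              /* open a quoted run */
        } else if (quote != 0 && c == quote) {
            quote = 0;              /* close it */
        } else {
            out[o++] = c;           /* includes a trailing lone backslash */
        }
    }
    out[o] = '\0';                  /* o <= len, so this is inside the allocation */
    return out;
}

/* Compares dequote(in) to expect and frees the result; returns 1 if equal. */
int dequote_equals(const char *in, const char *expect)
{
    char *r = dequote(in);
    if (r == NULL)
        return 0;
    int eq = strcmp(r, expect) == 0;
    free(r);
    return eq;
}
```

The invariant to check in any such routine is the one stated in the comment: the write index can never exceed the input length, so an allocation of input length plus one is sufficient for every input, the empty string included.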
planex -- cs-qr20 An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undocumented management page allows an attacker to execute arbitrary code on the device when the user is authenticated. The management page was used for debugging purposes; once logged in, an attacker who accesses the page directly (/admin/system_command.asp) can execute any command. 2018-08-24 not yet calculated CVE-2017-12576
FULLDISC
planex -- cs-qr20 An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded account / password ("admin:password") is used in the Android application that allows attackers to use a hidden API URL "/goform/SystemCommand" to execute any command with root permission. 2018-08-24 not yet calculated CVE-2017-12577
FULLDISC
planex -- cs-w50hd_devices An issue was discovered on PLANEX CS-W50HD devices with firmware before 030720. The device has a command-injection vulnerability in the web management UI on NAS settings page "/cgi-bin/nasset.cgi". An attacker can send a crafted HTTP POST request to execute arbitrary code. Authentication is required before executing the attack. 2018-08-24 not yet calculated CVE-2017-12573
FULLDISC
planex -- cs-w50hd_devices An issue was discovered on PLANEX CS-W50HD devices with firmware before 030720. A hardcoded credential "supervisor:dangerous" is injected into the web authentication database "/.htpasswd" during the boot process, which allows attackers to gain unauthorized access and control the device completely; the account can't be modified or deleted. 2018-08-24 not yet calculated CVE-2017-12574
FULLDISC
portfoliocms -- portfoliocms An issue was discovered in portfolioCMS 1.0.5. There is CSRF to create new pages via admin/portfolio.php?newpage=true. 2018-08-25 not yet calculated CVE-2018-15848
MISC
portfoliocms -- portfoliocms An issue was discovered in portfolioCMS 1.0.5. There is CSRF to update the website settings via admin/aboutus.php. 2018-08-25 not yet calculated CVE-2018-15849
MISC
posim -- evo POSIM EVO 15.13 for Windows includes hardcoded database credentials for the "root" database user. "root" access to POSIM EVO's database may result in a breach of confidentiality, integrity, or availability or allow for attackers to remotely execute code on associated POSIM EVO clients. 2018-08-23 not yet calculated CVE-2018-15808
MISC
posim -- evo POSIM EVO 15.13 for Windows includes an "Emergency Override" administrative account that may be accessed through POSIM's "override" feature. This Override prompt expects a code that is computed locally using a deterministic algorithm. This code may be generated by an attacker and used to bypass any POSIM EVO login prompt. 2018-08-23 not yet calculated CVE-2018-15807
MISC
postgresql -- postgresql The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software. 2018-08-20 not yet calculated CVE-2016-7048
CONFIRM
CONFIRM
puppet -- puppet_enterprise When users are configured to use startTLS with RBAC LDAP, at login time the user's credentials are sent in plaintext to the LDAP server. This affects Puppet Enterprise 2018.1.3, 2017.3.9, and 2016.4.14, and is fixed in Puppet Enterprise 2018.1.4, 2017.3.10, and 2016.4.15. It has a CVSS score of 8.5. 2018-08-24 not yet calculated CVE-2018-11749
CONFIRM
puppycms -- puppycms An issue was discovered in puppyCMS 5.1. There is an XSS vulnerability via menu.php in the "Add Page/URL" URL link field. 2018-08-25 not yet calculated CVE-2018-15847
MISC
pycryptodome -- pycryptodome PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AESNI.c, related to the AESNI_encrypt and AESNI_decrypt functions, leading to the mishandling of messages shorter than 16 bytes. 2018-08-19 not yet calculated CVE-2018-15560
MISC
MISC
pyro -- pyro pyro before 3.15 unsafely handles pid files in temporary directory locations and opens the pid file as root. An attacker can use this flaw to overwrite arbitrary files via symlinks. 2018-08-20 not yet calculated CVE-2011-2765
CONFIRM
CONFIRM
CONFIRM
red_hat -- cloudforms_management_engine_5 Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that the X-Forwarded-For header allows internal servers to deploy other systems (using callback). 2018-08-22 not yet calculated CVE-2017-7528
CONFIRM
red_hat -- openstack_enterprise A flaw was found in openstack-tripleo-common as shipped with Red Hat Openstack Enterprise 10 and 11. The sudoers file as installed with OSP's openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with '..' and it grants full passwordless root access to the validations user. 2018-08-22 not yet calculated CVE-2017-2627
CONFIRM
red_hat -- satellite_5 It was found that Satellite 5 configured with SSL/TLS for the PostgreSQL backend failed to correctly validate X.509 server certificate host name fields. A man-in-the-middle attacker could use this flaw to spoof a PostgreSQL server using a specially crafted X.509 certificate. 2018-08-22 not yet calculated CVE-2017-7513
CONFIRM
redaxo -- redaxo_cms An issue was discovered in REDAXO CMS 4.7.2. There is a CSRF vulnerability that can add an administrator account via index.php?page=user. 2018-08-25 not yet calculated CVE-2018-15850
MISC
rsa -- archer The WorkPoint component, which is embedded in all RSA Archer versions 6.1.x, 6.2.x, 6.3.x prior to 6.3.0.7 and 6.4.x prior to 6.4.0.1, contains a SQL injection vulnerability. A malicious user could potentially exploit this vulnerability to execute SQL commands on the back-end database to read certain data. Embedded WorkPoint is upgraded to version 4.10.16, which contains a fix for the vulnerability. 2018-08-24 not yet calculated CVE-2018-11065
FULLDISC
BID
SECTRACK
rsa -- netwitness_platform_and_security_analytics RSA NetWitness Platform versions prior to 11.1.0.2 and RSA Security Analytics versions prior to 10.6.6 are vulnerable to a server-side template injection vulnerability due to insecure configuration of the template engine used in the product. A remote authenticated malicious RSA NetWitness Server user with an Admin or Operator role could exploit this vulnerability to execute arbitrary commands on the server with root privileges. 2018-08-24 not yet calculated CVE-2018-11061
FULLDISC
BID
SECTRACK
SECTRACK
rust -- rust
The Rust standard library, from commit bfa0e1f58acf1c28d500c34ed258f09ae021893e onward (stable release 1.3.0 and later), contains a buffer overflow vulnerability in the std::collections::vec_deque::VecDeque::reserve() function that can result in arbitrary code execution; no proof-of-concept exploit is currently published. This vulnerability appears to have been fixed in commit fdfafb510b1a38f727e920dccbeeb638d39a8e60 (stable release 1.22.0 and later). 2018-08-20 not yet calculated CVE-2018-1000657
CONFIRM
CONFIRM
samba -- samba
A missing input sanitization flaw was found in the implementation of the LDB database used for the LDAP server. An attacker could use this flaw to cause a denial of service against a Samba server used as an Active Directory Domain Controller. All versions of Samba from 4.8.0 onwards are vulnerable. 2018-08-22 not yet calculated CVE-2018-1140
BID
CONFIRM
CONFIRM
CONFIRM
CONFIRM
samba -- samba
A null pointer dereference flaw was found in the way Samba checked database outputs from the LDB database layer. An authenticated attacker could use this flaw to crash a Samba server in an Active Directory Domain Controller configuration. Samba versions before 4.7.9 and 4.8.4 are vulnerable. 2018-08-22 not yet calculated CVE-2018-10918
BID
CONFIRM
CONFIRM
UBUNTU
CONFIRM
samba -- samba
The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable. 2018-08-22 not yet calculated CVE-2018-10919
BID
CONFIRM
CONFIRM
UBUNTU
DEBIAN
CONFIRM
samba -- samba
A flaw was found in the way Samba before 4.7.9 and 4.8.4 allowed the use of weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A man-in-the-middle attacker could use this flaw to read the credentials and other details passed between the Samba server and client. 2018-08-22 not yet calculated CVE-2018-1139
BID
CONFIRM
CONFIRM
UBUNTU
CONFIRM
samba -- samba
A heap buffer overflow was found in the way Samba clients processed extra-long filenames in a directory listing. A malicious Samba server could use this flaw to cause arbitrary code execution on a Samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable. 2018-08-22 not yet calculated CVE-2018-10858
BID
CONFIRM
CONFIRM
UBUNTU
DEBIAN
CONFIRM
samsung -- smartthings_hub_sth-eth-250
An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the video-core database. An attacker can send a series of HTTP requests to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3879
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the camera "create" feature of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly extracts the "state" field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3905
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, 'on_url' callback. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3907
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the camera "replace" feature of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly extracts the URL field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3902
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable vulnerability exists in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, 'onmessagecomplete' callback. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3909
MISC
samsung -- smartthings_hub_sth-eth-250
On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. A strcpy overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long "user" value in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2018-3863
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. The strcpy at [8] overflows the destination buffer, which has a size of 40 bytes. An attacker can send an arbitrarily long 'callbackUrl' value in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2018-3866
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the samsungWifiScan callback notification of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly handles the answer received from a smart camera, leading to a buffer overflow on the stack. An attacker can send a series of HTTP requests to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3867
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process insecurely extracts the fields from the "clips" table of its SQLite database, leading to a buffer overflow on the stack. An attacker can send a series of HTTP requests to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3919
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable stack-based buffer overflow vulnerability exists in the database 'find-by-cameraId' functionality of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly handles existing records inside its SQLite database, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3880
MISC
samsung -- smartthings_hub_sth-eth-250
Multiple exploitable buffer overflow vulnerabilities exist in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. A strncpy overflows the destination buffer, which has a size of 16 bytes. An attacker can send an arbitrarily long "region" value in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2018-3878
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the remote video-host communication of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process insecurely parses the AWSELB cookie while communicating with remote video-host servers, leading to a buffer overflow on the heap. An attacker able to impersonate the remote HTTP servers could trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3925
MISC
samsung -- smartthings_hub_sth-eth-250
On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process insecurely extracts the fields from the "shard" table of its SQLite database, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. The strcpy call overflows the destination buffer, which has a size of 16 bytes. An attacker can send an arbitrarily long "region" value in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2018-3917
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely handle JSON messages, leading to partially controlled requests generated toward the internal video-core process. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3911
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly extracts the videoHostUrl field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3872
MISC
samsung -- smartthings_hub_sth-eth-250
On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process insecurely extracts the fields from the "shard" table of its SQLite database, leading to a buffer overflow on the stack. The strcpy call overflows the destination buffer, which has a size of 128 bytes. An attacker can send an arbitrarily long "secretKey" value in order to exploit this vulnerability. 2018-08-23 not yet calculated CVE-2018-3912
MISC
samsung -- smartthings_hub_sth-eth-250
On Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17, the video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability. The memcpy call overflows the destination buffer, which has a size of 512 bytes. An attacker can send an arbitrarily long "url" value in order to overwrite the saved-PC with 0x42424242. 2018-08-23 not yet calculated CVE-2018-3903
MISC
samsung -- smartthings_hub_sth-eth-250
An exploitable vulnerability exists in the smart cameras' RTSP configuration of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The device incorrectly handles spaces in the URL field, leading to an arbitrary operating system command injection. An attacker can send a series of HTTP requests to trigger this vulnerability. 2018-08-23 not yet calculated CVE-2018-3856
MISC
signal_messenger -- open_whisper_signal
Open Whisper Signal (aka Signal-Desktop) before 1.15.0-beta.10 allows information leakage. 2018-08-20 not yet calculated CVE-2018-14023
MISC
MISC
soundtouch -- soundtouch
soundtouch versions up to and including 2.0.0 contain a buffer overflow vulnerability in SoundStretch/WavFile.cpp:WavInFile::readHeaderBlock() that can result in arbitrary code execution. This attack appears to be exploitable if the victim opens a malicious file in the soundstretch utility. 2018-08-20 not yet calculated CVE-2018-1000223
CONFIRM
spice -- spice
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. 2018-08-17 not yet calculated CVE-2018-10873
CONFIRM
CONFIRM
UBUNTU
swoole -- swoole
The unpack implementation in Swoole version 4.0.4 lacks correct size checks in the deserialization process. An attacker can craft a serialized object to exploit this vulnerability and cause a SEGV. 2018-08-17 not yet calculated CVE-2018-15503
MISC
MISC
MISC
symantec -- encryption_management_server
The Symantec Encryption Management Server (SEMS) product, prior to version 3.4.2 MP1, may be susceptible to a denial of service (DoS) exploit. A DoS attack is a type of attack whereby the perpetrator attempts to make a particular machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a specific host within a network. 2018-08-20 not yet calculated CVE-2018-5243
BID
SECTRACK
CONFIRM
symantec -- norton_power_eraser_and_symdiag
Norton Power Eraser (prior to 5.3.0.24) and SymDiag (prior to 2.1.242) may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. 2018-08-22 not yet calculated CVE-2018-5238
BID
CONFIRM
symantec -- norton_utilities
Norton Utilities (prior to 16.0.3.44) may be susceptible to a DLL Preloading vulnerability, which is a type of issue that can occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. 2018-08-22 not yet calculated CVE-2018-5235
BID
CONFIRM
technicolor -- tc7200.20_cable_modem_devices
Technicolor TC7200.20 devices allow remote attackers to cause a denial of service (networking outage) via a flood of random MAC addresses, as demonstrated by macof. 2018-08-25 not yet calculated CVE-2018-15852
MISC
tecrail -- responsive_filemanager
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 does not properly validate file paths in archives, allowing for the extraction of crafted archives to overwrite arbitrary files via an extract action, aka Directory Traversal. 2018-08-24 not yet calculated CVE-2018-15536
FULLDISC
tecrail -- responsive_filemanager
/filemanager/ajax_calls.php in tecrail Responsive FileManager before 9.13.4 uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize get_file sequences such as ".." that can resolve to a location that is outside of that directory, aka Directory Traversal. 2018-08-24 not yet calculated CVE-2018-15535
FULLDISC
tp5cms -- tp5cms
tp5cms through 2017-05-25 has XSS via the admin.php/article/index.html q parameter. 2018-08-19 not yet calculated CVE-2018-15566
MISC
tp5cms -- tp5cms
tp5cms through 2017-05-25 has CSRF via admin.php/category/delete.html. 2018-08-19 not yet calculated CVE-2018-15568
MISC
tridium -- niagara
An attacker can log into the local Niagara platform (Niagara AX Framework Versions 3.8 and prior or Niagara 4 Framework Versions 4.4 and prior) using a disabled account name and a blank password, granting the attacker administrator access to the Niagara system. 2018-08-20 not yet calculated CVE-2017-16748
BID
MISC
tridium -- niagara
A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by leveraging valid platform (administrator) credentials. 2018-08-20 not yet calculated CVE-2017-16744
BID
MISC
ubuntu -- ubuntu
The MOTD update script in the base-files package in Ubuntu 18.04 LTS before 10.1ubuntu2.2, and Ubuntu 18.10 before 10.1ubuntu6 incorrectly handled temporary files. A local attacker could use this issue to cause a denial of service, or possibly escalate privileges if kernel symlink restrictions were disabled. 2018-08-21 not yet calculated CVE-2018-6557
SECTRACK
UBUNTU
ucopia -- wireless_appliance_devices
Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the user home folder. 2018-08-21 not yet calculated CVE-2018-15481
MISC
victoralagwu/cmssite -- victoralagwu/cmssite
An issue was discovered in Victor CMS through 2018-05-10. There is XSS via the Author field of the "Leave a Comment" screen. 2018-08-20 not yet calculated CVE-2018-15603
MISC
villagedefrance -- opencart-overclocked
OpenCart-Overclocked version <=1.11.1 contains a Cross Site Scripting (XSS) vulnerability in user input entered unsanitised within a JS function in the template that can result in unauthorised actions and access to data, stealing of session information, and denial of service. This attack appears to be exploitable via malicious input passed in a GET parameter. 2018-08-20 not yet calculated CVE-2018-1000640
MISC
CONFIRM
waimai -- super_cms
In waimai Super Cms 20150505, there is stored XSS via the /admin.php/Foodcat/editsave fcname parameter. 2018-08-19 not yet calculated CVE-2018-15570
MISC
wi2be -- smart_hp_wmt
Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to obtain sensitive information via /Status/SystemStatusRpm.esp. 2018-08-20 not yet calculated CVE-2018-14079
MISC
wi2be -- smart_hp_wmt
Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to reset the admin password via the /ConfigWizard/ChangePwd.esp?2admin URL (attackers can log in using the "admin" username with password "admin" after a successful attack). 2018-08-20 not yet calculated CVE-2018-14078
MISC
wi2be -- smart_hp_wmt
Wi2be SMART HP WMT R1.2.20_201400922 allows unauthorized remote attackers to back up the device configuration via a direct request to /Maintenance/configfile.cfg. 2018-08-20 not yet calculated CVE-2018-14077
MISC
wolfcms -- wolfcms
WolfCMS 0.8.3.1 has XSS via the /?/admin/page/add slug parameter. 2018-08-25 not yet calculated CVE-2018-15842
MISC
x.org -- libx11
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact. 2018-08-24 not yet calculated CVE-2018-14599
MLIST
SECTRACK
CONFIRM
CONFIRM
MLIST
x.org -- libx11
An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution. 2018-08-24 not yet calculated CVE-2018-14600
MLIST
SECTRACK
CONFIRM
CONFIRM
MLIST
x.org -- libx11
An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault). 2018-08-24 not yet calculated CVE-2018-14598
MLIST
SECTRACK
CONFIRM
CONFIRM
MLIST
xkbcommon -- xkbcommon
Unchecked NULL pointer usage when parsing invalid atoms in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because lookup failures are mishandled. 2018-08-25 not yet calculated CVE-2018-15859
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage when handling invalid aliases in CopyKeyAliasesToKeymap in xkbcomp/keycodes.c in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file. 2018-08-25 not yet calculated CVE-2018-15858
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because the XkbFile for an xkb_geometry section was mishandled. 2018-08-25 not yet calculated CVE-2018-15855
MISC
MISC
xkbcommon -- xkbcommon
An infinite loop when reaching EOL unexpectedly in compose/parser.c (aka the keymap parser) in xkbcommon before 0.8.1 could be used by local attackers to cause a denial of service during parsing of crafted keymap files. 2018-08-25 not yet calculated CVE-2018-15856
MISC
MISC
xkbcommon -- xkbcommon
An invalid free in ExprAppendMultiKeysymList in xkbcomp/ast-build.c in xkbcommon before 0.8.1 could be used by local attackers to crash xkbcommon keymap parsers or possibly have unspecified other impact by supplying a crafted keymap file. 2018-08-25 not yet calculated CVE-2018-15857
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in ExprResolveLhs in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file that triggers an xkb_intern_atom failure. 2018-08-25 not yet calculated CVE-2018-15861
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in resolve_keysym in xkbcomp/parser.y in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because a map access attempt can occur for a map that was never created. 2018-08-25 not yet calculated CVE-2018-15864
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in ResolveStateAndPredicate in xkbcomp/compat.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with a no-op modmask expression. 2018-08-25 not yet calculated CVE-2018-15863
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in LookupModMask in xkbcomp/expr.c in xkbcommon before 0.8.2 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file with invalid virtual modifiers. 2018-08-25 not yet calculated CVE-2018-15862
MISC
MISC
xkbcommon -- xkbcommon
Endless recursion exists in xkbcomp/expr.c in xkbcommon and libxkbcommon before 0.8.1, which could be used by local attackers to crash xkbcommon users by supplying a crafted keymap file that triggers boolean negation. 2018-08-25 not yet calculated CVE-2018-15853
MISC
MISC
xkbcommon -- xkbcommon
Unchecked NULL pointer usage in xkbcommon before 0.8.1 could be used by local attackers to crash (NULL pointer dereference) the xkbcommon parser by supplying a crafted keymap file, because geometry tokens were desupported incorrectly. 2018-08-25 not yet calculated CVE-2018-15854
MISC
MISC
yeswiki -- yeswiki
YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in the unserialising of a user-entered parameter in i18n.inc.php that can result in execution of code or disclosure of information. 2018-08-20 not yet calculated CVE-2018-1000641
MISC
MISC
zutils -- zutils
zutils versions prior to 1.8-pre2 contain a buffer overflow vulnerability in zcat that can result in potential denial of service or arbitrary code execution. This attack appears to be exploitable via the victim opening a crafted compressed file. This vulnerability appears to have been fixed in 1.8-pre2. 2018-08-20 not yet calculated CVE-2018-1000637
CONFIRM
MLIST
zzcms -- zzcms
zzcms version 8.3 and earlier contains a SQL injection vulnerability in zt/top.php line 5. This attack appears to be exploitable when zzcms is running under nginx. 2018-08-20 not yet calculated CVE-2018-1000653
MISC
from US-CERT: The United States Computer Emergency Readiness Team https://www.us-cert.gov/ncas/bulletins/SB18-239-0