Security News

CVE-2019-11535

National Vulnerability Database - Wed, 07/17/2019 - 16:15
Unsanitized user input in the web interface for Linksys WiFi extender products (RE6400 and RE6300 through 1.2.04.022) allows for remote command execution. An attacker can access system OS configurations and commands that are not intended for use beyond the web UI.
Categories: Security News

CVE-2019-13584

National Vulnerability Database - Wed, 07/17/2019 - 15:15
The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 allows Directory Traversal via a forged HTTP request.

CVE-2019-13585

National Vulnerability Database - Wed, 07/17/2019 - 15:15
The remote admin webserver on FANUC Robotics Virtual Robot Controller 8.23 has a Buffer Overflow via a forged HTTP request.

CVE-2019-13631

National Vulnerability Database - Wed, 07/17/2019 - 15:15
In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the Linux kernel through 5.2.1, a malicious USB device can send an HID report that triggers an out-of-bounds write during generation of debugging messages.

CVE-2019-13614

National Vulnerability Database - Wed, 07/17/2019 - 14:15
CMD_SET_CONFIG_COUNTRY in the TP-Link Device Debug protocol in TP-Link Archer C1200 1.0.0 Build 20180502 rel.45702 and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.

CVE-2019-1010091

National Vulnerability Database - Wed, 07/17/2019 - 13:15
tinymce 4.7.11 and 4.7.12 are affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content into the media element's embed tab.

CVE-2019-12175

National Vulnerability Database - Wed, 07/17/2019 - 13:15
In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, a NULL pointer dereference in the Kerberos (aka KRB) protocol parser leads to DoS because a case-type index is mishandled.

CVE-2019-12475

National Vulnerability Database - Wed, 07/17/2019 - 13:15
In MicroStrategy Web before 10.4.6, there is stored XSS in metric due to insufficient input validation.

CVE-2019-13346

National Vulnerability Database - Wed, 07/17/2019 - 13:15
In MyT 1.5.1, the User[username] parameter has XSS.

CVE-2019-13403

National Vulnerability Database - Wed, 07/17/2019 - 13:15
Temenos CWX version 8.9 has a Broken Access Control vulnerability in the module /CWX/Employee/EmployeeEdit2.aspx, leading to the viewing of user information.

CVE-2019-13613

National Vulnerability Database - Wed, 07/17/2019 - 13:15
CMD_FTEST_CONFIG in the TP-Link Device Debug protocol in TP-Link Wireless Router Archer Router version 1.0.0 Build 20180502 rel.45702 (EU) and earlier is prone to a stack-based buffer overflow, which allows a remote attacker to achieve code execution or denial of service by sending a crafted payload to the listening server.

CVE-2019-10352

National Vulnerability Database - Wed, 07/17/2019 - 12:15
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

CVE-2019-10353

National Vulnerability Database - Wed, 07/17/2019 - 12:15
CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did not expire, thereby allowing attackers able to obtain them to bypass CSRF protection.

CVE-2019-10354

National Vulnerability Database - Wed, 07/17/2019 - 12:15
A vulnerability in the Stapler web framework used in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier allowed attackers to access view fragments directly, bypassing permission checks and possibly obtaining sensitive information.

CVE-2019-13573

National Vulnerability Database - Wed, 07/17/2019 - 12:15
A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

CVE-2019-13626

National Vulnerability Database - Wed, 07/17/2019 - 12:15
SDL (Simple DirectMedia Layer) 2.x through 2.0.9 has a heap-based buffer over-read in Fill_IMA_ADPCM_block, caused by an integer overflow in IMA_ADPCM_decode() in audio/SDL_wave.c.

CVE-2019-13453

National Vulnerability Database - Wed, 07/17/2019 - 11:15
Zipios before 0.1.7 does not properly handle certain malformed zip archives and can go into an infinite loop, causing a denial of service. This is related to zipheadio.h:readUint32() and zipfile.cpp:Zipfile::Zipfile().

CVE-2019-4211 (qradar_security_information_and_event_manager)

National Vulnerability Database - Wed, 07/17/2019 - 10:15
IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 159131.

CVE-2019-4430

National Vulnerability Database - Wed, 07/17/2019 - 10:15
IBM Maximo Asset Management 7.6 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 162887.

CVE-2018-1921

National Vulnerability Database - Wed, 07/17/2019 - 10:15
IBM Campaign 9.1.0, 9.1.2, 10.1, and 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152857.