Security News

CVE-2018-14700

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
Categories: Security News

CVE-2018-14701

National Vulnerability Database - Mon, 12/03/2018 - 17:29
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

CVE-2018-14702

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.

CVE-2018-14703

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.

CVE-2018-14704

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.

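CVE-2018-14704 above describes JavaScript execution through a malformed URL path reflected into an error page. The pair of functions below is an added illustration, not Drobo code and not a description of the actual endpoint; it is in Python rather than the PHP the NAS endpoints use because the pattern is language-independent. The route name, the page text and the probe string are constructed for this example. It shows the decode-then-reflect pattern beside a version that encodes the value for each output context it lands in (HTML text, and a URL inside an attribute).

```python
import html
from urllib.parse import quote, unquote


def error_page_unsafe(request_path):
    """'Before' form: the raw path is percent-decoded (as web servers and
    frameworks do before handing it to application code) and pasted into
    the HTML, so %3Cscript%3E in the URL becomes a live <script> tag."""
    path = unquote(request_path)
    return "<h1>404</h1><p>No such API endpoint: %s</p>" % path


def error_page_safe(request_path):
    """Encode for the context each copy of the value lands in.

    html.escape() turns &, <, > and (with quote=True, the default) both
    quote characters into entities, which covers HTML text and attribute
    values. A URL embedded in an href is percent-encoded first, then
    HTML-escaped, so neither layer can be broken out of."""
    path = unquote(request_path)
    body = (
        "<h1>404</h1>"
        "<p>No such API endpoint: %s</p>"
        '<p><a href="/mysql/api/?from=%s">back</a></p>'
        % (html.escape(path), html.escape(quote(path, safe="")))
    )
    headers = {
        # An explicit charset stops the browser from sniffing the encoding;
        # nosniff stops it from reinterpreting the body as another type.
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def reflects_markup(page_body, *markers):
    """True if any raw (unencoded) marker survives in the rendered body."""
    return any(marker in page_body for marker in markers)


if __name__ == "__main__":
    # Constructed probe: decodes to a script tag plus a quote-and-bracket
    # sequence that would close an attribute if reflected raw.
    probe = "/mysql/api/%3Cscript%3Ealert(1)%3C/script%3E%22%3E"
    print(error_page_unsafe(probe))
    print(error_page_safe(probe)[1])
```

The percent-decoding step is the part that is easy to miss when reading server code: the value that reaches the template is not the bytes in the request line, so filtering on the raw URL (or relying on a browser-side XSS filter) is not a substitute for output encoding.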
CVE-2018-14706

National Vulnerability Database - Mon, 12/03/2018 - 17:29
System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.

CVE-2018-14707

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.

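CVE-2018-14700 (a "name" parameter that selects a log file) and CVE-2018-14707 (an upload path that is not confined to its intended directory) are both file-path confinement failures. The example below is added here and is not Drobo code: an allow-list for the bare-file-name case, canonical-path confinement for the upload case, and a throw-away directory tree (constructed, including a symlink) that shows why the check has to run on the resolved path rather than on the string the client sent. The directory names and sample file names are assumptions for illustration.

```python
import os
import re
import tempfile

# Allow-list for a bare log-file name: first character alphanumeric (so no
# dot-files), then only [A-Za-z0-9_.-]; no path separators at all.
SAFE_LOG_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def resolve_under(base_dir, user_path):
    """Join user_path onto base_dir and return the canonical result, or raise
    ValueError if the canonical path is base_dir itself or lies outside it.

    realpath() collapses '.' and '..' and follows symlinks, so the decision
    is made on what the OS would actually open, not on the raw string."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir entirely when user_path is absolute;
    # the commonpath check below catches that case as well.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base, user_path))
    return candidate


def log_file_path(log_dir, name):
    """For a parameter that picks one file out of a fixed directory, an
    allow-list on the bare name is easier to reason about than traversal
    detection; resolve_under() stays in place as a second layer."""
    if not SAFE_LOG_NAME.match(name) or not name.endswith(".log"):
        raise ValueError("bad log name: %r" % name)
    return resolve_under(log_dir, name)


def upload_target(upload_dir, relative_name):
    """Uploads that may legitimately land in sub-directories cannot use the
    strict name allow-list, so confinement relies on resolve_under()."""
    return resolve_under(upload_dir, relative_name)


def demo():
    """Build a constructed directory tree and classify a set of benign and
    hostile parameter values. Returns {label: 'ok' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "logs")
        upload_dir = os.path.join(root, "uploads")
        os.mkdir(log_dir)
        os.mkdir(upload_dir)
        with open(os.path.join(log_dir, "mysql.log"), "w") as fh:
            fh.write("constructed sample log line\n")
        # A symlink inside the upload directory pointing back at root: a
        # string-only check would accept a path that goes through it.
        os.symlink(root, os.path.join(upload_dir, "escape"))

        for name in ["mysql.log", "../mysql.log", "/etc/passwd",
                     ".hidden.log", "error.log"]:
            try:
                log_file_path(log_dir, name)
                results["log:" + name] = "ok"
            except ValueError:
                results["log:" + name] = "rejected"

        for name in ["photo.jpg", "album/photo.jpg", "../../etc/cron.d/x",
                     "/tmp/x", "escape/photo.jpg", ""]:
            try:
                upload_target(upload_dir, name)
                results["upload:" + name] = "ok"
            except ValueError:
                results["upload:" + name] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-28s %s" % (label, verdict))
```

The two hardened functions differ on purpose: when the set of legitimate values is small and flat (one log file by name), rejecting everything that is not a plain file name is the stronger check; canonicalisation is what remains when sub-directories must be allowed.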
CVE-2018-14708

National Vulnerability Database - Mon, 12/03/2018 - 17:29
An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.

CVE-2018-14709

National Vulnerability Database - Mon, 12/03/2018 - 17:29
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.

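CVE-2018-14709 above attributes the authentication bypass to insecure token generation. The following is an added illustration in Python; it is not the Dashboard API's code and does not describe how its tokens are actually built. It shows a hypothetical token derived from the login timestamp, the attacker-side search that recovers such a token, and a replacement that draws the token from the OS CSPRNG, binds it to a user and an expiry with an HMAC, and compares it in constant time. The field layout, the TTL and the key handling are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def weak_token(timestamp):
    """Hypothetical weak scheme: the token is a function of the login time
    alone, so anyone who can estimate the time can regenerate it."""
    return hashlib.md5(str(int(timestamp)).encode()).hexdigest()


def recover_weak_token(observed, approx_timestamp, window=3600):
    """Attacker side: try every second in a window around the suspected
    login time and return the timestamp that reproduces the token."""
    start = int(approx_timestamp) - window
    for ts in range(start, start + 2 * window + 1):
        if weak_token(ts) == observed:
            return ts
    return None


# Server-side key for the replacement scheme: generated per deployment and
# kept in mutable configuration, never baked into a firmware image.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(user, now, ttl=900, key=SERVER_KEY):
    """Random nonce (256 bits from the OS CSPRNG) plus an HMAC over
    user|expiry|nonce so the fields cannot be altered without the key."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    nonce = secrets.token_urlsafe(32)
    expires = int(now) + ttl
    msg = "%s|%d|%s" % (user, expires, nonce)
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return msg + "|" + tag


def verify_token(token, now, key=SERVER_KEY):
    """Return the user name if the token is intact and unexpired, else None.
    The MAC is checked before the expiry so a forged token learns nothing
    from timing differences, and the comparison itself is constant-time."""
    try:
        user, expires, nonce, tag = token.split("|")
        expires = int(expires)
    except ValueError:
        return None
    msg = "%s|%d|%s" % (user, expires, nonce)
    expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if int(now) >= expires:
        return None
    return user


if __name__ == "__main__":
    # Constructed scenario: a login at t=1543860000 observed by an attacker
    # who only knows it happened within the last 20 minutes.
    leaked = weak_token(1543860000)
    print("weak token recovered at", recover_weak_token(leaked, 1543860000 + 1200))
    tok = issue_token("admin", 1000)
    print("valid:", verify_token(tok, 1500), "expired:", verify_token(tok, 2000))
```

The weak scheme fails not because MD5 is weak but because its only input is guessable; swapping the hash for SHA-256 would change nothing. The replacement's nonce is what makes the token unguessable, and the HMAC is what stops a client from editing the user or expiry fields.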
CVE-2018-3854

National Vulnerability Database - Mon, 12/03/2018 - 17:29
An exploitable information disclosure vulnerability exists in the password protection functionality of Quicken Deluxe 2018 for Mac version 5.2.2. A specially crafted sqlite3 request can cause the removal of the password protection, allowing an attacker to access and modify the data without knowing the password. An attacker needs to have access to the password-protected files to trigger this vulnerability.

CVE-2018-4019

National Vulnerability Database - Mon, 12/03/2018 - 17:29
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_normal_mode` parameter.

CVE-2018-4020

National Vulnerability Database - Mon, 12/03/2018 - 17:29
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_ac_mode` POST parameter.

CVE-2018-4021

National Vulnerability Database - Mon, 12/03/2018 - 17:29
An exploitable command injection vulnerability exists in the way Netgate pfSense CE 2.4.4-RELEASE processes the parameters of a specific POST request. The attacker can exploit this and gain the ability to execute arbitrary commands on the system. An attacker needs to be able to send authenticated POST requests to the administration web interface. Command injection is possible in the `powerd_battery_mode` POST parameter.

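The Drobo entries CVE-2018-14701 and CVE-2018-14706 and the three pfSense entries above all describe one class of bug: a request parameter reaching a shell. The example below is added here and is not code from either product; it is in Python, although both affected code bases are PHP, because the fix is the same in any language. It runs the injectable pattern and two hardened forms with `echo` so the difference in behaviour is visible, and builds argument vectors for the two cases behind allow-lists. The powerd mode names, the powerd flags and the `pw userdel` command are assumptions for illustration.

```python
import re
import shlex
import subprocess

# Assumed allow-list: a powerd mode is one of a few fixed words, so the
# parameter is an enum and anything else is rejected before it is used.
POWERD_MODES = {"hadp", "adaptive", "minimum", "maximum"}
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def powerd_argv(normal_mode, ac_mode, battery_mode):
    """Build the argument vector for the power-management daemon.
    Each list element reaches the program as one argument; no shell parses it."""
    for mode in (normal_mode, ac_mode, battery_mode):
        if mode not in POWERD_MODES:
            raise ValueError("unknown powerd mode: %r" % mode)
    return ["powerd", "-n", normal_mode, "-a", ac_mode, "-b", battery_mode]


def delete_user_argv(username):
    """Account names are free text only in the sense that they are chosen
    by a person; the set of valid ones is still a simple regular language."""
    if not USERNAME_RE.match(username):
        raise ValueError("bad username: %r" % username)
    return ["pw", "userdel", "-n", username]   # assumed deletion command


def run_via_shell_string(value):
    """The injectable pattern: the value is spliced into a command string
    that a shell parses. Run with 'echo' so the demonstration is harmless."""
    out = subprocess.run(["/bin/sh", "-c", "echo " + value],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_via_argv(value):
    """Hardened form 1: pass an argument vector, so ';' is just a character."""
    out = subprocess.run(["echo", value],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def run_via_quoted_shell(value):
    """Hardened form 2: when a shell is unavoidable, shlex.quote() wraps the
    value so the shell sees exactly one word."""
    out = subprocess.run(["/bin/sh", "-c", "echo " + shlex.quote(value)],
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def is_rejected(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the input was refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload in the shape of the injections described above.
    payload = "hello; echo INJECTED"
    print("shell string :", run_via_shell_string(payload))
    print("argv         :", run_via_argv(payload))
    print("quoted shell :", run_via_quoted_shell(payload))
    print(powerd_argv("hadp", "adaptive", "minimum"))
    print("rejected:", is_rejected(powerd_argv, "hadp; id", "adaptive", "minimum"))
```

Allow-listing and argv passing are complementary rather than alternatives: the allow-list rejects values that are not valid modes or names at all, and the argument vector guarantees that even a value that slips past validation is never interpreted by a shell.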
CVE-2018-6439

National Vulnerability Database - Mon, 12/03/2018 - 16:29
A vulnerability in the configdownload command of the Brocade Fabric OS command line interface (CLI) in versions before 8.2.1, 8.1.2f, 8.0.2f, and 7.4.2d could allow a local attacker to escape the restricted shell and gain root access.

CVE-2018-6440

National Vulnerability Database - Mon, 12/03/2018 - 16:29
A vulnerability in the proxy service of Brocade Fabric OS versions before 8.2.1, 8.1.2f, 8.0.2f, and 7.4.2d could allow remote unauthenticated attackers to obtain sensitive information and possibly cause a denial of service.

CVE-2018-19826

National Vulnerability Database - Mon, 12/03/2018 - 14:29
In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters.

CVE-2018-19827

National Vulnerability Database - Mon, 12/03/2018 - 14:29
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2018-19835

National Vulnerability Database - Mon, 12/03/2018 - 14:29
Metinfo 6.1.3 has reflected XSS via the admin/column/move.php lang_columnerr4 parameter.

CVE-2018-19836

National Vulnerability Database - Mon, 12/03/2018 - 14:29
In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter.

CVE-2018-16863

National Vulnerability Database - Mon, 12/03/2018 - 12:29
It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.
