Security News

CVE-2018-16733

National Vulnerability Database - Sat, 09/08/2018 - 11:29
In Go Ethereum (aka geth) before 1.8.14, TraceChain in eth/api_tracer.go does not verify that the end block is after the start block.
Categories: Security News

CVE-2018-16715

National Vulnerability Database - Sat, 09/08/2018 - 06:29
An issue was discovered in Absolute Software CTES Windows Agent through 1.0.0.1479. The security permissions on the %ProgramData%\CTES folder and sub-folders may allow write access to low-privileged user accounts. This allows unauthorized replacement of service program executable (EXE) or dynamically loadable library (DLL) files, causing elevated (SYSTEM) user access. Configuration control files or data files under this folder could also be similarly modified to affect service process behavior.
Categories: Security News

CVE-2018-16454

National Vulnerability Database - Fri, 09/07/2018 - 18:29
PHP Scripts Mall Olx Clone 3.4.2 has XSS.
Categories: Security News

CVE-2018-9283

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An XSS issue was discovered in CremeCRM 1.6.12. It is affected by 10 stored Cross-Site Scripting (XSS) vulnerabilities in the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters in the contact creation and modification page. The payload is stored within the application database and allows the execution of JavaScript code each time a client visit an infected page.
Categories: Security News

CVE-2018-15483

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Denial of Service can occur through the open HTTP interface, aka KONE-04.
Categories: Security News

CVE-2018-15484

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Remote Code Execution is possible through the open HTTP interface by modifying autoexec.bat, aka KONE-01.
Categories: Security News

CVE-2018-15485

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. FTP does not require authentication or authorization, aka KONE-03.
Categories: Security News

CVE-2018-15486

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered on KONE Group Controller (KGC) devices before 4.6.5. Unauthenticated Local File Inclusion and File modification is possible through the open HTTP interface by modifying the name parameter of the file endpoint, aka KONE-02.
Categories: Security News

CVE-2018-15552

National Vulnerability Database - Fri, 09/07/2018 - 18:29
The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards.
Categories: Security News

CVE-2018-16059

National Vulnerability Database - Fri, 09/07/2018 - 18:29
Endress+Hauser WirelessHART Fieldgate SWG70 3.x devices allow Directory Traversal via the fcgi-bin/wgsetcgi filename parameter.
Categories: Security News

CVE-2018-16363

National Vulnerability Database - Fri, 09/07/2018 - 18:29
The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via the lang parameter in a wp-admin/admin.php?page=wp_file_manager request because set_transient is used in file_folder_manager.php and there is an echo of lang in lib\wpfilemanager.php.
Categories: Security News

CVE-2017-17691

National Vulnerability Database - Fri, 09/07/2018 - 18:29
Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses cleartext to exchange the username and password between server and client instances, which allows remote attackers to obtain sensitive information via a man in the middle attack.
Categories: Security News

CVE-2018-12897

National Vulnerability Database - Fri, 09/07/2018 - 18:29
SolarWinds DameWare Mini Remote Control before 12.1 has a Buffer Overflow.
Categories: Security News

CVE-2018-14396

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered in Creme CRM 1.6.12. The salesman creation page is affected by 10 stored cross-site scripting vulnerabilities involving the firstname, lastname, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.
Categories: Security News

CVE-2018-14397

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered in Creme CRM 1.6.12. The organization creation page is affected by 9 stored cross-site scripting vulnerabilities involving the name, billing_address-address, billing_address-zipcode, billing_address-city, billing_address-department, shipping_address-address, shipping_address-zipcode, shipping_address-city, and shipping_address-department parameters.
Categories: Security News

CVE-2018-14398

National Vulnerability Database - Fri, 09/07/2018 - 18:29
An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials.
Categories: Security News

CVE-2018-15474

National Vulnerability Database - Fri, 09/07/2018 - 18:29
** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula Injection) in /lib/plugins/usermanager/admin.php in DokuWiki 2018-04-22a and earlier allows remote attackers to exfiltrate sensitive data and to execute arbitrary code via a value that is mishandled in a CSV export. NOTE: the vendor has stated "this is not a security problem in DokuWiki."
Categories: Security News

CVE-2018-16709

National Vulnerability Database - Fri, 09/07/2018 - 15:29
Fuji Xerox DocuCentre-V 3065, ApeosPort-VI C3371, ApeosPort-V C4475, ApeosPort-V C3375, DocuCentre-VI C2271, ApeosPort-V C5576, DocuCentre-IV C2263, DocuCentre-V C2263, and ApeosPort-V 5070 devices allow remote attackers to read or write to files via crafted PJL commands.
Categories: Security News

CVE-2018-16710

National Vulnerability Database - Fri, 09/07/2018 - 15:29
** DISPUTED ** OctoPrint through 1.3.9 allows remote attackers to obtain sensitive information or cause a denial of service via HTTP requests on port 8081. NOTE: the vendor disputes the significance of this report because their documentation states that with "blind port forwarding ... Putting OctoPrint onto the public internet is a terrible idea, and I really can't emphasize that enough."
Categories: Security News

CVE-2018-16460

National Vulnerability Database - Fri, 09/07/2018 - 14:29
A command Injection in ps package versions <1.0.0 for Node.js allowed arbitrary commands to be executed when attacker controls the PID.
Categories: Security News

Pages