Security News

CVE-2018-0354

National Vulnerability Database - Thu, 06/07/2018 - 17:29
A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvf76417.
Categories: Security News

CVE-2018-0355

National Vulnerability Database - Thu, 06/07/2018 - 17:29
A vulnerability in the web UI of Cisco Unified Communications Manager (Unified CM) could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against the user of the web UI of an affected system. The vulnerability is due to insufficient protections for HTML inline frames (iframes) by the web UI of the affected software. An attacker could exploit this vulnerability by persuading a user of the affected UI to navigate to an attacker-controlled web page that contains a malicious HTML iframe. A successful exploit could allow the attacker to conduct click-jacking or other client-side browser attacks on the affected system. Cisco Bug IDs: CSCvg19761.

CVE-2018-0356

National Vulnerability Database - Thu, 06/07/2018 - 17:29
A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvi63757.

CVE-2018-0357

National Vulnerability Database - Thu, 06/07/2018 - 17:29
A vulnerability in the web framework of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected software via the HTTP GET and HTTP POST methods. An attacker who can convince a user to follow an attacker-supplied link could execute arbitrary script or HTML code in the user's browser in the context of an affected site. Cisco Bug IDs: CSCvi71274.

CVE-2018-3758

National Vulnerability Database - Thu, 06/07/2018 - 17:29
Unrestricted file upload (RCE) in express-cart module before 1.1.7 allows a privileged user to gain access to the hosting machine.

CVE-2018-10619

National Vulnerability Database - Thu, 06/07/2018 - 16:29
An unquoted search path or element in RSLinx Classic Versions 3.90.01 and prior and FactoryTalk Linx Gateway Versions 3.90.00 and prior may allow an authorized but non-privileged local user to execute arbitrary code and allow a threat actor to escalate user privileges on the affected workstation.

CVE-2018-12042

National Vulnerability Database - Thu, 06/07/2018 - 16:29
Roxy Fileman through v1.4.5 has directory traversal via the php/download.php f parameter.

CVE-2018-12043

National Vulnerability Database - Thu, 06/07/2018 - 16:29
content/content.blueprintspages.php in Symphony 2.7.6 has XSS via the pages content page.

CVE-2017-6290

National Vulnerability Database - Thu, 06/07/2018 - 15:29
In Android before the 2018-06-05 security patch level, NVIDIA TLK TrustZone contains a possible out of bounds write due to an integer overflow which could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. This issue is rated as high. Version: N/A. Android: A-69559414. Reference: N-CVE-2017-6290.

CVE-2017-6292

National Vulnerability Database - Thu, 06/07/2018 - 15:29
In Android before the 2018-06-05 security patch level, NVIDIA TLZ TrustZone contains a possible out of bounds write due to an integer overflow which could lead to local escalation of privilege in the TrustZone with no additional execution privileges needed. User interaction is not needed for exploitation. This issue is rated as high. Version: N/A. Android: A-69480285. Reference: N-CVE-2017-6292.

CVE-2017-6294

National Vulnerability Database - Thu, 06/07/2018 - 15:29
In Android before the 2018-06-05 security patch level, NVIDIA Tegra X1 TZ contains a possible out of bounds write due to a missing bounds check which could lead to escalation of privilege from the kernel to the TZ. User interaction is not needed for exploitation. This issue is rated as high. Version: N/A. Android: A-69316825. Reference: N-CVE-2017-6294.

CVE-2018-12039

National Vulnerability Database - Thu, 06/07/2018 - 15:29
joyplus-cms 1.6.0 allows remote code execution because of an arbitrary SQL command execution issue in manager/index.php involving use of a "/!select/" substring in place of a select substring.

CVE-2018-12036

National Vulnerability Database - Thu, 06/07/2018 - 14:29
OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.

CVE-2018-6670

National Vulnerability Database - Thu, 06/07/2018 - 14:29
External Entity Attack vulnerability in the ePO extension in McAfee Common UI (CUI) 2.0.2 allows remote authenticated users to view confidential information via a crafted HTTP request parameter.

CVE-2018-12031

National Vulnerability Database - Thu, 06/07/2018 - 12:29
Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

CVE-2018-12016

National Vulnerability Database - Thu, 06/07/2018 - 10:29
libephymain.so in GNOME Web (aka Epiphany) through 3.28.2.1 allows remote attackers to cause a denial of service (application crash) via certain window.open and document.write calls.

CVE-2018-1514

National Vulnerability Database - Thu, 06/07/2018 - 10:29
IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 141622.

CVE-2018-1547

National Vulnerability Database - Thu, 06/07/2018 - 10:29
IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on the system, caused by improper output encoding in a CSV export. By persuading a victim to download the CSV export, open it in Microsoft Excel, and confirm the two security questions, an attacker could exploit this vulnerability to run any command or program on the victim's machine. IBM X-Force ID: 142651.

CVE-2018-12015

National Vulnerability Database - Thu, 06/07/2018 - 09:29
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink and a regular file with the same name.

CVE-2018-7688

National Vulnerability Database - Thu, 06/07/2018 - 09:29
A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.