Security News

CVE-2017-1316

National Vulnerability Database - Tue, 07/03/2018 - 15:29
IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 125728.
Categories: Security News

CVE-2018-11643

National Vulnerability Database - Tue, 07/03/2018 - 13:29
SQL injection vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote authenticated users to execute arbitrary SQL commands via the filterPattern parameter.

CVE-2018-13112

National Vulnerability Database - Tue, 07/03/2018 - 13:29
get_l2len in common/get.c in Tcpreplay 4.3.0 beta 1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packets, as demonstrated by tcpprep.

CVE-2018-13113

National Vulnerability Database - Tue, 07/03/2018 - 13:29
The transfer and transferFrom functions of a smart contract implementation for Easy Trading Token (ETT), an Ethereum token, have an integer overflow.

CVE-2018-11051

National Vulnerability Database - Tue, 07/03/2018 - 13:29
RSA Certificate Manager Versions 6.9 build 560 through 6.9 build 564 contain a path traversal vulnerability in the RSA CMP Enroll Server and the RSA REST Enroll Server. A remote unauthenticated attacker could potentially exploit this vulnerability by manipulating input parameters of the application to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.

CVE-2018-11052

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Dell EMC ECS versions 3.2.0.0 and 3.2.0.1 contain an authentication bypass vulnerability. A remote unauthenticated attacker could exploit this vulnerability to read and modify S3 objects by supplying specially crafted S3 requests.

CVE-2018-11634

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Plaintext Storage of Passwords in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows local users to access the web application's user passwords in cleartext by reading /var/www/xms/xmsdb/default.db.

CVE-2018-11635

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Use of a Hard-coded Cryptographic Key used to protect cookie session data in /var/www/xms/application/config/config.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to bypass authentication.

CVE-2018-11636

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Cross-site request forgery (CSRF) vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to execute malicious and unauthorized actions.

CVE-2018-11637

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Information leakage vulnerability in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to read arbitrary files from the /var/ directory because a symlink exists under the web root.

CVE-2018-11638

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Unrestricted Upload of a File with a Dangerous Type in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote authenticated users to upload malicious code to the web root to gain code execution.

CVE-2018-11639

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Plaintext Storage of Passwords within Cookies in /var/www/xms/application/controllers/verifyLogin.php in the administrative console in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to access a user's password in cleartext.

CVE-2018-11640

National Vulnerability Database - Tue, 07/03/2018 - 13:29
XML External Entity (XXE) vulnerability in the web service in Dialogic PowerMedia XMS before 3.5 SU2 allows remote attackers to read arbitrary files or cause a denial of service (resource consumption).

CVE-2018-11641

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Use of Hard-coded Credentials in /var/www/xms/application/controllers/gatherLogs.php in the administrative console in Dialogic PowerMedia XMS through 3.5 allows remote attackers to interact with a web service.

CVE-2018-11642

National Vulnerability Database - Tue, 07/03/2018 - 13:29
Incorrect Permission Assignment on the /var/www/xms/cleanzip.sh shell script run periodically in Dialogic PowerMedia XMS through 3.5 allows local users to execute code as the root user.

CVE-2018-11314

National Vulnerability Database - Tue, 07/03/2018 - 12:29
The External Control API in Roku and Roku TV products allows unauthorized access via a DNS rebinding attack. This can result in remote device control and in privileged device and network information being exfiltrated by an attacker.

CVE-2018-11316

National Vulnerability Database - Tue, 07/03/2018 - 12:29
The UPnP HTTP server on Sonos wireless speaker products allows unauthorized access via a DNS rebinding attack. This can result in remote device control and in privileged device and network information being exfiltrated by an attacker.

CVE-2018-13102

National Vulnerability Database - Tue, 07/03/2018 - 12:29
AnyDesk before "12.06.2018 - 4.1.3" on Windows 7 SP1 has a DLL preloading vulnerability.

CVE-2018-13106

National Vulnerability Database - Tue, 07/03/2018 - 12:29
ClipperCMS 1.3.3 has stored XSS via the "Tools -> Configuration" screen of the manager/ URI.

CVE-2018-7635

National Vulnerability Database - Tue, 07/03/2018 - 11:29
Whale Browser before 1.0.41.8 displays only the title of a web page, and no URL information, in the browser's address bar when visiting a blank page, which allows an attacker to display a malicious web page with a fake domain name.