Security News

CVE-2018-11808

National Vulnerability Database - Tue, 06/05/2018 - 23:29
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
Categories: Security News

CVE-2018-11813

National Vulnerability Database - Tue, 06/05/2018 - 23:29
libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.
Categories: Security News

CVE-2018-7884

National Vulnerability Database - Tue, 06/05/2018 - 17:29
An issue was discovered in DisplayLink Core Software Cleaner Application 8.2.1956. When the drivers are updated to a newer version, the product launches a process as SYSTEM to uninstall the old version: cl_1956.exe is run as SYSTEM on the %systemroot%\Temp folder, where any user can write a DLL (e.g., version.dll) to perform DLL Hijacking and elevate privileges to SYSTEM.
Categories: Security News

CVE-2017-7635

National Vulnerability Database - Tue, 06/05/2018 - 17:29
QNAP NAS application Proxy Server through version 1.2.0 does not utilize CSRF protections.
Categories: Security News

CVE-2017-7636

National Vulnerability Database - Tue, 06/05/2018 - 17:29
Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to inject arbitrary web script or HTML.
Categories: Security News

CVE-2017-7637

National Vulnerability Database - Tue, 06/05/2018 - 17:29
QNAP NAS application Proxy Server through version 1.2.0 allows remote attackers to run arbitrary OS commands against the system with root privileges.
Categories: Security News

CVE-2017-7639

National Vulnerability Database - Tue, 06/05/2018 - 17:29
QNAP NAS application Proxy Server through version 1.2.0 does not authenticate requests properly. Successful exploitation can lead to change of the settings of Proxy Server.
Categories: Security News

CVE-2018-1000192

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.
Categories: Security News

CVE-2018-1000193

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
Categories: Security News

CVE-2018-1000194

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.
Categories: Security News

CVE-2018-1000195

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
Categories: Security News

CVE-2018-1000196

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A exposure of sensitive information vulnerability exists in Jenkins Gitlab Hook Plugin 1.4.2 and older in gitlab_notifier.rb, views/gitlab_notifier/global.erb that allows attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the configured Gitlab token.
Categories: Security News

CVE-2018-1000197

National Vulnerability Database - Tue, 06/05/2018 - 17:29
An improper authorization vulnerability exists in Jenkins Black Duck Hub Plugin 3.0.3 and older in PostBuildScanDescriptor.java that allows users with Overall/Read permission to read and write the Black Duck Hub plugin configuration.
Categories: Security News

CVE-2018-1000198

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A XML external entity processing vulnerability exists in Jenkins Black Duck Hub Plugin 3.1.0 and older in PostBuildScanDescriptor.java that allows attackers with Overall/Read permission to make Jenkins process XML eternal entities in an XML document.
Categories: Security News

CVE-2018-1000202

National Vulnerability Database - Tue, 06/05/2018 - 17:29
A persisted cross-site scripting vulnerability exists in Jenkins Groovy Postbuild Plugin 2.3.1 and older in various Jelly files that allows attackers able to control build badge content to define JavaScript that would be executed in another user's browser when that other user performs some UI actions.
Categories: Security News

CVE-2018-10057

National Vulnerability Database - Tue, 06/05/2018 - 17:29
The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to write the miner configuration file to arbitrary locations on the server due to missing basedir restrictions (absolute directory traversal).
Categories: Security News

CVE-2018-10058

National Vulnerability Database - Tue, 06/05/2018 - 17:29
The remote management interface of cgminer 4.10.0 and bfgminer 5.5.0 allows an authenticated remote attacker to execute arbitrary code due to a stack-based buffer overflow in the addpool, failover-only, poolquota, and save command handlers.
Categories: Security News

CVE-2018-11586

National Vulnerability Database - Tue, 06/05/2018 - 17:29
XML external entity (XXE) vulnerability in api/rest/status in SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Categories: Security News

CVE-2018-3691

National Vulnerability Database - Tue, 06/05/2018 - 17:29
Some implementations in Intel Integrated Performance Primitives Cryptography Library before version 2018 U2.1 do not properly ensure constant execution time.
Categories: Security News

CVE-2017-7653

National Vulnerability Database - Tue, 06/05/2018 - 16:29
The Eclipse Mosquitto broker up to version 1.4.15 does not reject strings that are not valid UTF-8. A malicious client could cause other clients that do reject invalid UTF-8 strings to disconnect themselves from the broker by sending a topic string which is not valid UTF-8, and so cause a denial of service for the clients.
Categories: Security News

Pages