Security News

CVE-2016-9488

National Vulnerability Database - Tue, 06/05/2018 - 10:29
ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.
Categories: Security News

CVE-2016-9490

National Vulnerability Database - Tue, 06/05/2018 - 10:29
ManageEngine Applications Manager versions 12 and 13 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication.
Categories: Security News

CVE-2018-6662

National Vulnerability Database - Tue, 06/05/2018 - 10:29
Privilege Escalation vulnerability in McAfee Management of Native Encryption (MNE) before 4.1.4 allows local users to gain elevated privileges via a crafted user input.
Categories: Security News

CVE-2018-8923

National Vulnerability Database - Tue, 06/05/2018 - 10:29
Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology File Station before 1.1.4-0122 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.
Categories: Security News

CVE-2018-8924

National Vulnerability Database - Tue, 06/05/2018 - 10:29
Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name.
Categories: Security News

CVE-2018-1000180

National Vulnerability Database - Tue, 06/05/2018 - 09:29
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Categories: Security News

CVE-2018-1000181

National Vulnerability Database - Tue, 06/05/2018 - 09:29
Kitura 2.3.0 and earlier have an unintended read access to unauthorised files and folders that can be exploited by a crafted URL resulting in information disclosure.
Categories: Security News

CVE-2018-1000200

National Vulnerability Database - Tue, 06/05/2018 - 09:29
The Linux Kernel versions 4.14, 4.15, and 4.16 has a null pointer dereference which can result in an out of memory (OOM) killing of large mlocked processes. The issue arises from an oom killed process's final thread calling exit_mmap(), which calls munlock_vma_pages_all() for mlocked vmas.This can happen synchronously with the oom reaper's unmap_page_range() since the vma's VM_LOCKED bit is cleared before munlocking (to determine if any other vmas share the memory and are mlocked).
Categories: Security News

CVE-2018-11743

National Vulnerability Database - Tue, 06/05/2018 - 09:29
The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact.
Categories: Security News

CVE-2018-11722

National Vulnerability Database - Tue, 06/05/2018 - 08:29
WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded.
Categories: Security News

CVE-2018-1252

National Vulnerability Database - Tue, 06/05/2018 - 08:29
RSA Web Threat Detection versions prior to 6.4, contain an SQL injection vulnerability in the Administration and Forensics applications. An authenticated malicious user with low privileges could potentially exploit this vulnerability to execute SQL commands on the back-end database to gain unauthorized access to the tool's monitoring and user information by supplying specially crafted input data to the affected application.
Categories: Security News

CVE-2018-11554

National Vulnerability Database - Tue, 06/05/2018 - 07:29
The forgotten-password feature in index.php/member/reset/reset_email.html in YzmCMS v3.2 through v3.7 has a Response Discrepancy Information Exposure issue and an unexpectedly long lifetime for a verification code, which makes it easier for remote attackers to hijack accounts via a brute-force approach.
Categories: Security News

CVE-2018-11678

National Vulnerability Database - Tue, 06/05/2018 - 07:29
plugins/box/users/users.plugin.php in Monstra CMS 3.0.4 allows Login Rate Limiting Bypass via manipulation of the login_attempts cookie.
Categories: Security News

CVE-2018-11737

National Vulnerability Database - Tue, 06/05/2018 - 07:29
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_fix_idxrec in tsk/fs/ntfs_dent.cpp which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Categories: Security News

CVE-2018-11738

National Vulnerability Database - Tue, 06/05/2018 - 07:29
An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function ntfs_make_data_run in tsk/fs/ntfs.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Categories: Security News

CVE-2018-11739

National Vulnerability Database - Tue, 06/05/2018 - 07:29
An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function raw_read in tsk/img/raw.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Categories: Security News

CVE-2018-11740

National Vulnerability Database - Tue, 06/05/2018 - 07:29
An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from release 4.0.2 through to 4.6.1. An out-of-bounds read of a memory region was found in the function tsk_UTF16toUTF8 in tsk/base/tsk_unicode.c which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service attack.
Categories: Security News

CVE-2017-18286

National Vulnerability Database - Tue, 06/05/2018 - 02:29
nZEDb v0.7.3.3 has XSS in the 404 error page.
Categories: Security News

CVE-2018-11735

National Vulnerability Database - Tue, 06/05/2018 - 02:29
index.php?action=createaccount in Ximdex 4.0 has XSS via the sname or fname parameter.
Categories: Security News

CVE-2018-11736

National Vulnerability Database - Tue, 06/05/2018 - 02:29
An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file.
Categories: Security News

Pages