Security News

CVE-2018-7289

National Vulnerability Database - Wed, 02/21/2018 - 13:29
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware whose filename contains characters with no representation in the system ANSI code page (so-called pure UTF-16 characters) can bypass detection. The path is converted from Unicode (UTF-16) to ANSI before the user-mode service opens the file for scanning, and every character that cannot be converted is replaced with '?', so the service tries to open a name that does not exist on disk ('?' is also a reserved character in Windows file names) and the scan never happens.
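The following Python script is an added illustration of the conversion defect described above; it is not Armadito's code. It models the lossy Unicode-to-ANSI step with Python's codec machinery (cp1252 stands in for the system ANSI code page, an assumption), creates a file whose constructed name contains a CJK character, and shows that the converted name no longer refers to the file while the unchanged Unicode name still does. The strict variant shows the fix: refuse the lossy conversion and keep using the wide (Unicode) path.

```python
import os
import tempfile

# Constructed sample: Latin text plus a CJK character (U+4E2D) that has no
# mapping in a Western single-byte code page such as cp1252.
SAMPLE_NAME = "invoice_\u4e2d.exe"


def to_ansi_lossy(name: str, codepage: str = "cp1252") -> str:
    """Model the lossy Unicode-to-ANSI conversion: every character the
    target code page cannot represent becomes '?'."""
    return name.encode(codepage, errors="replace").decode(codepage)


def to_ansi_strict(name: str, codepage: str = "cp1252") -> str:
    """Hardened variant: raise instead of silently altering the name, so the
    caller keeps the original Unicode path (wide file API on Windows)."""
    return name.encode(codepage, errors="strict").decode(codepage)


def _can_open(path: str) -> bool:
    try:
        with open(path, "rb"):
            return True
    except OSError:
        return False


def scan_demo(name: str = SAMPLE_NAME) -> dict:
    """Create a file under its real Unicode name, then try to open it through
    the lossy ANSI path (what the vulnerable scanner does) and through the
    unchanged Unicode path."""
    with tempfile.TemporaryDirectory() as tmp:
        real_path = os.path.join(tmp, name)
        with open(real_path, "wb") as fh:
            fh.write(b"MZ")  # constructed stand-in for a PE header

        lossy_path = os.path.join(tmp, to_ansi_lossy(name))
        try:
            to_ansi_strict(name)
            strict_rejected = False
        except UnicodeEncodeError:
            strict_rejected = True

        return {
            "lossy_name": os.path.basename(lossy_path),
            "lossy_opened": _can_open(lossy_path),    # False: wrong file name
            "unicode_opened": _can_open(real_path),   # True: scan would proceed
            "strict_rejected": strict_rejected,       # True: conversion refused
        }


if __name__ == "__main__":
    print(scan_demo())
```

The same failure occurs with any narrow-string file API: once the name has been rewritten, no amount of retrying will find the file. The only robust fix is to never narrow the path.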
Categories: Security News

CVE-2018-7261

National Vulnerability Database - Wed, 02/21/2018 - 11:29
Radiant CMS 1.1.4 contains multiple persistent (stored) cross-site scripting (XSS) vulnerabilities. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Fields).

CVE-2018-7280

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The Ninja Forms plugin before 3.2.14 for WordPress contains a cross-site scripting (XSS) vulnerability.

CVE-2013-4891

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag.
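The Python snippet below is an added, generic illustration of the unclosed-tag bypass class; it is not CodeIgniter's xss_clean and makes no claim about that function's internals. It uses a deliberately weak blacklist filter (assumed for the example) that only recognises a tag once it sees the terminating '>', then shows what a browser tokenizer makes of the filtered value after the surrounding template supplies that '>'. Output encoding, shown alongside, does not depend on the input being well-formed.

```python
import html
import re

# A deliberately weak blacklist (generic illustration, not CodeIgniter's
# xss_clean): strips tags that carry an on* event handler, but only when the
# tag is terminated by '>'.
HANDLER_TAG_RE = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=[^>]*>", re.IGNORECASE)

# Anything that looks like a start tag, cut the way a browser tokenizer cuts
# it: from '<' + letter up to the first '>' that follows.
START_TAG_RE = re.compile(r"<[A-Za-z][^>]*>")

CLOSED_PAYLOAD = "<img src=x onerror=alert(1)>"
UNCLOSED_PAYLOAD = "<img src=x onerror=alert(1)"   # no terminating '>'


def naive_xss_clean(value: str) -> str:
    return HANDLER_TAG_RE.sub("", value)


def render_cell(value: str) -> str:
    """Template that trusts the filter and drops the value into markup."""
    return "<td>" + naive_xss_clean(value) + "</td>"


def render_cell_encoded(value: str) -> str:
    """Hardened template: output encoding instead of input filtering."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def start_tags(document: str) -> list:
    """Approximate how the HTML tokenizer splits the page into start tags:
    an unterminated tag swallows everything up to the next '>'."""
    return START_TAG_RE.findall(document)


if __name__ == "__main__":
    for payload in (CLOSED_PAYLOAD, UNCLOSED_PAYLOAD):
        print(start_tags(render_cell(payload)))
    print(start_tags(render_cell_encoded(UNCLOSED_PAYLOAD)))
```

With the unclosed payload the filter returns the input untouched, and the rendered page contains a single start tag `<img src=x onerror=alert(1)</td>` whose event handler the browser will still wire up; the encoded rendering contains only the template's own `<td>`.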

CVE-2015-5314

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.

CVE-2015-5315

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.

CVE-2015-5316

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange.
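The three hostapd/wpa_supplicant entries above (CVE-2015-5314, CVE-2015-5315 and CVE-2015-5316) describe two checks a receiver of EAP-pwd needs: that every fragment, the final one included, fits the Total-Length the first fragment declared, and that exchanges are only processed in the order the protocol defines. The Python model below is an added example and not hostapd or wpa_supplicant code; it assumes the RFC 5931 fragment header layout (one byte of L/M flags plus a 6-bit PWD-Exch code, followed by a 2-byte Total-Length when L is set) and uses constructed packets with the EAP header omitted.

```python
from enum import IntEnum

# EAP-pwd (RFC 5931) payload layout after the EAP header: one byte holding
# the L and M flags plus a 6-bit PWD-Exch code; when L is set, a 2-byte
# Total-Length precedes the fragment data.
FLAG_L = 0x80        # Total-Length field present (first fragment)
FLAG_M = 0x40        # more fragments follow
EXCH_MASK = 0x3F


class Exch(IntEnum):
    ID = 1
    COMMIT = 2
    CONFIRM = 3


class PwdError(Exception):
    pass


class PwdPeer:
    """Receiving side of one EAP-pwd conversation (peer or server; the
    reassembly logic is the same on both)."""

    def __init__(self):
        self.buf = None          # reassembly buffer; None while idle
        self.total = 0           # declared Total-Length of the message
        self.expect = Exch.ID    # exchange we are prepared to process

    def handle(self, pkt: bytes) -> str:
        if not pkt:
            raise PwdError("empty packet")
        flags, body = pkt[0], pkt[1:]
        exch = flags & EXCH_MASK

        if flags & FLAG_L:
            if len(body) < 2:
                raise PwdError("L set but Total-Length missing")
            self.total = int.from_bytes(body[:2], "big")
            body = body[2:]
            self.buf = bytearray()

        if self.buf is not None:
            # The check that was missing (CVE-2015-5314/5315): every
            # fragment, the final one included, must fit the declared size.
            if len(self.buf) + len(body) > self.total:
                self.buf = None
                raise PwdError("fragment exceeds declared Total-Length")
            self.buf += body
            if flags & FLAG_M:
                return "need-more"
            if len(self.buf) != self.total:
                self.buf = None
                raise PwdError("reassembled message shorter than declared")
            body, self.buf = bytes(self.buf), None
        elif flags & FLAG_M:
            raise PwdError("continuation fragment without a first fragment")

        return self.dispatch(exch, body)

    def dispatch(self, exch: int, payload: bytes) -> str:
        # Exchange-order check (the CVE-2015-5316 class): an exchange that
        # arrives out of sequence is dropped rather than processed against
        # state an earlier exchange never established.
        if exch != self.expect:
            raise PwdError(f"exchange {exch} unexpected, waiting for {self.expect!r}")
        self.expect = {Exch.ID: Exch.COMMIT, Exch.COMMIT: Exch.CONFIRM}.get(exch)
        return "processed-" + Exch(exch).name.lower()


def frag(flags: int, payload: bytes, total: int = None) -> bytes:
    """Build one constructed EAP-pwd payload (EAP header omitted)."""
    hdr = bytes([flags])
    if flags & FLAG_L:
        hdr += total.to_bytes(2, "big")
    return hdr + payload


def replay(packets) -> list:
    """Feed packets to a fresh receiver and report each outcome."""
    peer, outcome = PwdPeer(), []
    for pkt in packets:
        try:
            outcome.append(peer.handle(pkt))
        except PwdError as err:
            outcome.append("rejected: " + str(err))
    return outcome


if __name__ == "__main__":
    # A first fragment declaring 8 bytes, followed by a 10-byte final fragment.
    print(replay([frag(FLAG_L | FLAG_M | Exch.ID, b"AAAA", 8),
                  frag(Exch.ID, b"B" * 10)]))
```

In C the missing bound check lets the oversized final fragment write past the end of the reassembly buffer; here the model simply refuses it. The order check covers the Confirm-before-Commit case in the same way: nothing is dereferenced for an exchange the receiver was not waiting for.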

CVE-2015-5725

National Vulnerability Database - Wed, 02/21/2018 - 11:29
SQL injection vulnerability in the offset method in the Active Record class in CodeIgniter before 2.2.4 allows remote attackers to execute arbitrary SQL commands via vectors involving the offset variable.
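An added Python/SQLite example of what an injectable OFFSET gives an attacker; it reproduces the effect described above, not CodeIgniter's Active Record code. The schema, table names and the 'deadbeef' password hash are constructed for the example. Because OFFSET accepts any scalar expression, a subquery that evaluates to 0 or 1 shifts which row is visible, and that single bit is enough to extract data from a table the query was never meant to touch.

```python
import sqlite3

HEX = "0123456789abcdef"


def make_db() -> sqlite3.Connection:
    """Constructed schema: public posts plus a users table the attacker
    is not supposed to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts(title) VALUES ('first'), ('second'), ('third');
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
        INSERT INTO users(name, pw_hash) VALUES ('admin', 'deadbeef');
    """)
    return conn


def posts_vulnerable(conn, offset) -> list:
    """The bug class: the offset value is spliced into the SQL text."""
    sql = f"SELECT title FROM posts ORDER BY id LIMIT 1 OFFSET {offset}"
    return [row[0] for row in conn.execute(sql)]


def posts_safe(conn, offset) -> list:
    """Fix: coerce to int (ValueError for anything else) and bind it."""
    sql = "SELECT title FROM posts ORDER BY id LIMIT 1 OFFSET ?"
    return [row[0] for row in conn.execute(sql, (int(offset),))]


def leak_pw_hash(conn, length: int) -> str:
    """Blind extraction through the offset: the scalar subquery evaluates
    to 0 when the guessed character is right (row 'first' is shown) and to
    1 when it is wrong (row 'second' is shown)."""
    recovered = ""
    for pos in range(1, length + 1):
        for guess in HEX:
            probe = (
                "(SELECT CASE WHEN substr(pw_hash, {}, 1) = '{}' THEN 0 ELSE 1 END "
                "FROM users WHERE name = 'admin')".format(pos, guess)
            )
            if posts_vulnerable(conn, probe) == ["first"]:
                recovered += guess
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(leak_pw_hash(db, 8))      # recovered from the users table
    print(posts_safe(db, "1"))      # bound parameter: ['second']
```

Note that no statement separator or UNION is needed: the injection lives entirely inside one well-formed SELECT, which is why database drivers that refuse multi-statement queries do not help here. Casting the offset to an integer before binding it removes the expression entirely.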

CVE-2016-0343

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 111784.

CVE-2016-0344

National Vulnerability Database - Wed, 02/21/2018 - 11:29
Cross-site scripting (XSS) vulnerability in the My Reports component in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111785.

CVE-2016-0345

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain the installation path via vectors involving Birt report rendering. IBM X-Force ID: 111786.

CVE-2016-0348

National Vulnerability Database - Wed, 02/21/2018 - 11:29
Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813.

CVE-2016-0351

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 does not set the Secure flag on the session cookie it issues over HTTPS. A browser will therefore also send the cookie on any plaintext HTTP request to the same host, which makes it easier for a network attacker who can induce such a request to capture the cookie in transit. IBM X-Force ID: 111890.
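A small added Python audit helper for this class of finding, using the standard-library cookie parser; it is not IBM code and the Set-Cookie value it checks is constructed. The first function reports whether a Set-Cookie header carries Secure and HttpOnly; the second forces both on, which is how a reverse proxy in front of an appliance that cannot be reconfigured would mitigate the issue.

```python
from http.cookies import SimpleCookie

# Constructed header value of the kind the finding describes: session
# cookie over HTTPS, HttpOnly present, Secure missing.
VULNERABLE_SET_COOKIE = "session=abc123; Path=/; HttpOnly"


def audit_set_cookie(header_value: str) -> dict:
    """Report, per cookie in a Set-Cookie value, whether the Secure and
    HttpOnly attributes are present."""
    jar = SimpleCookie()
    jar.load(header_value)
    return {
        name: {
            "secure": bool(morsel["secure"]),
            "httponly": bool(morsel["httponly"]),
        }
        for name, morsel in jar.items()
    }


def harden_set_cookie(header_value: str) -> list:
    """Return one rewritten Set-Cookie value per cookie with Secure and
    HttpOnly forced on (a response filter at a reverse proxy would emit
    each as its own Set-Cookie header)."""
    jar = SimpleCookie()
    jar.load(header_value)
    for morsel in jar.values():
        morsel["secure"] = True
        morsel["httponly"] = True
    return [morsel.OutputString() for morsel in jar.values()]


if __name__ == "__main__":
    print(audit_set_cookie(VULNERABLE_SET_COOKIE))
    print(harden_set_cookie(VULNERABLE_SET_COOKIE))
```

Adding Secure at the proxy only helps if the application itself is reachable over HTTPS alone; a cookie marked Secure is simply never sent over HTTP, so any plaintext listener must be removed as well.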

CVE-2016-0366

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 might allow remote attackers to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 112071.

CVE-2016-0367

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 112072.

CVE-2016-0369

National Vulnerability Database - Wed, 02/21/2018 - 11:29
XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088.
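An added Python example of the standard defence against this class of issue (not IBM's code, and it says nothing about how Forms Experience Builder parses XML): external entities can only be declared in a DTD, so untrusted XML is rejected outright if it carries a DOCTYPE. The sample documents are constructed. The example also covers an evasion that a byte-level check for `<!DOCTYPE` misses: the same payload encoded as UTF-16 with a BOM, which the parser would still accept, so the check is performed on the decoded text instead.

```python
import codecs
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

# Constructed samples: a classic XXE probe, the same probe as UTF-16 with a
# BOM (which a byte-level search for b"<!DOCTYPE" does not see), and a
# benign document.
XXE_TEXT = ('<?xml version="1.0"?>'
            '<!DOCTYPE form [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<form><field>&xxe;</field></form>')
XXE_UTF8 = XXE_TEXT.encode("utf-8")
XXE_UTF16 = codecs.BOM_UTF16_LE + XXE_TEXT.encode("utf-16-le")
CLEAN = b"<form><field>hello</field></form>"

BOMS = ((codecs.BOM_UTF8, "utf-8"),
        (codecs.BOM_UTF16_LE, "utf-16-le"),
        (codecs.BOM_UTF16_BE, "utf-16-be"))


def naive_byte_check(data: bytes) -> bool:
    """The weak form of the check: looks for the ASCII bytes only."""
    return b"<!DOCTYPE" in data


def to_text(data: bytes) -> str:
    """Decode by BOM first so the DOCTYPE check sees the same characters
    the XML parser will."""
    for bom, enc in BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc)
    return data.decode("utf-8")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Entity declarations can only appear in a DTD, so refusing any
    document that carries a DOCTYPE shuts out XXE (and entity-expansion
    denial of service) before the parser runs."""
    text = to_text(data)
    if DOCTYPE_RE.search(text):
        raise ValueError("DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(text)


def classify(data: bytes) -> str:
    try:
        return "parsed:" + parse_untrusted_xml(data).tag
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for sample in (XXE_UTF8, XXE_UTF16, CLEAN):
        print(naive_byte_check(sample), classify(sample))
```

Rejecting the DTD wholesale is coarser than disabling entity resolution in the parser, but it is parser-independent and fails closed, which is usually what an input boundary wants.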

CVE-2013-0267

National Vulnerability Database - Wed, 02/21/2018 - 10:29
The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation.

CVE-2015-0203

National Vulnerability Database - Wed, 02/21/2018 - 10:29
The qpidd broker in Apache Qpid 0.30 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via an AMQP message with (1) an invalid range in a sequence set, (2) content-bearing methods other than message-transfer, or (3) a session-gap control before a corresponding session-attach.

CVE-2015-6569

National Vulnerability Database - Wed, 02/21/2018 - 10:29
Race condition in the LoadBalancer module in the Atlassian Floodlight Controller before 1.2 allows remote attackers to cause a denial of service (NULL pointer dereference and thread crash) via a state manipulation attack.

CVE-2018-5716

National Vulnerability Database - Wed, 02/21/2018 - 10:29
An issue was discovered in Reprise License Manager 11.0. It is a path traversal: an attacker who changes a field in the web request can read files on the server's file system. Specifically, by supplying a file path in the POST parameter "lf" to the goform/edit_lf_get_data URI, the attacker retrieves the content of that file.
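An added Python example of the traversal pattern and its fix; it is not Reprise code and does not reproduce the product's handler, and the directory layout, file names and contents are constructed. The vulnerable reader joins the user-supplied name onto the base directory and opens whatever results; the safe reader resolves the path first and then requires it to lie inside the allowed directory, which rejects both `..` sequences and absolute paths.

```python
import os
import tempfile


def read_log_vulnerable(log_dir: str, lf: str) -> str:
    """The bug class: user-supplied name joined to the base directory with
    no containment check; '..' segments and absolute paths escape it."""
    with open(os.path.join(log_dir, lf)) as fh:
        return fh.read().strip()


def resolve_under(base_dir: str, user_path: str) -> str:
    """Resolve symlinks and '..' first, then require the result to lie
    inside base_dir; reject otherwise."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_path!r} resolves outside {base}")
    return candidate


def read_log_safe(log_dir: str, lf: str) -> str:
    with open(resolve_under(log_dir, lf)) as fh:
        return fh.read().strip()


def demo() -> dict:
    """Constructed layout: logs/rlm.log inside the allowed directory and
    secret.txt one level above it. Returns (vulnerable, safe) outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = os.path.join(tmp, "logs")
        os.mkdir(log_dir)
        with open(os.path.join(log_dir, "rlm.log"), "w") as fh:
            fh.write("constructed log line\n")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the log directory\n")

        requests = {
            "plain": "rlm.log",          # legitimate
            "dotdot": "../secret.txt",   # relative traversal
            "absolute": secret,          # absolute path supplied directly
        }
        outcomes = {}
        for label, lf in requests.items():
            try:
                vuln = read_log_vulnerable(log_dir, lf)
            except OSError:
                vuln = "error"
            try:
                safe = read_log_safe(log_dir, lf)
            except PermissionError:
                safe = "rejected"
            outcomes[label] = (vuln, safe)
        return outcomes


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The comparison is done on resolved paths rather than on the string, so a symlink inside the allowed directory that points elsewhere is caught as well; string-prefix checks on the unresolved path miss that case.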
