Security News

CVE-2018-10971

National Vulnerability Database - Thu, 05/10/2018 - 11:29
An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The Plane function in image/image.hpp allows remote attackers to cause a denial of service (attempted excessive memory allocation) via a crafted file.
Categories: Security News

CVE-2018-10972

National Vulnerability Database - Thu, 05/10/2018 - 11:29
An issue was discovered in Free Lossless Image Format (FLIF) 0.3. The TransformPaletteC::process function in transform/palette_C.hpp allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted file.

CVE-2017-18266

National Vulnerability Database - Thu, 05/10/2018 - 10:29
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.

CVE-2017-6289

National Vulnerability Database - Thu, 05/10/2018 - 10:29
In Android before the 2018-05-05 security patch level, NVIDIA Trusted Execution Environment (TEE) contains a memory corruption (due to unusual root cause) vulnerability, which if run within the speculative execution of the TEE, may lead to local escalation of privileges. This issue is rated as critical. Android: A-72830049. Reference: N-CVE-2017-6289.

CVE-2017-6293

National Vulnerability Database - Thu, 05/10/2018 - 10:29
In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 TZ contains a vulnerability in Widevine TA where the software writes data past the end, or before the beginning, of the intended buffer, which may lead to escalation of privileges. This issue is rated as high. Android: A-69377364. Reference: N-CVE-2017-6293.

CVE-2018-10655

National Vulnerability Database - Thu, 05/10/2018 - 10:29
DLPnpAuditor.exe in DeviceLock Plug and Play Auditor (freeware) 5.72 has a Unicode Buffer Overflow (SEH).

CVE-2018-10803

National Vulnerability Database - Thu, 05/10/2018 - 10:29
Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. This can be exploited through CSRF.

CVE-2018-6246

National Vulnerability Database - Thu, 05/10/2018 - 10:29
In Android before the 2018-05-05 security patch level, NVIDIA Widevine Trustlet contains a vulnerability in Widevine TA where the software reads data past the end, or before the beginning, of the intended buffer, which may lead to information disclosure. This issue is rated as moderate. Android: A-69383916. Reference: N-CVE-2018-6246.

CVE-2018-6254

National Vulnerability Database - Thu, 05/10/2018 - 10:29
In Android before the 2018-05-05 security patch level, NVIDIA Media Server contains an out-of-bounds read (due to improper input validation) vulnerability which could lead to local information disclosure. This issue is rated as moderate. Android: A-64340684. Reference: N-CVE-2018-6254.

CVE-2018-7933

National Vulnerability Database - Thu, 05/10/2018 - 10:29
Huawei home gateway products HiRouter-CD20 and WS5200 with versions before HiRouter-CD20-10 1.9.6 and versions before WS5200-10 1.9.6 have a path traversal vulnerability. Because these home gateway products lack validation when installing APK plugins, an attacker who tricks a user into installing a malicious APK plugin can have the plugin overwrite arbitrary files on the device. A successful exploit may result in arbitrary code execution or privilege escalation.

CVE-2018-7940

National Vulnerability Database - Thu, 05/10/2018 - 10:29
Huawei smart phones Mate 10 and Mate 10 Pro with versions earlier than 8.0.0.129(SP2C00) and versions earlier than 8.0.0.129(SP2C01) have an authentication bypass vulnerability. An attacker with high privilege who obtains the smart phone can bypass the activation function through some specific operations.

CVE-2018-7941

National Vulnerability Database - Thu, 05/10/2018 - 10:29
Huawei iBMC V200R002C60 has an authentication bypass vulnerability. A remote attacker with low privilege may craft specific messages to upload an authentication certificate to the affected products. Due to improper validation of the upload authority, a successful exploit may cause privilege elevation.

CVE-2018-9849

National Vulnerability Database - Thu, 05/10/2018 - 10:29
Pulse Secure Pulse Connect Secure 8.1.x before 8.1R14, 8.2.x before 8.2R11, and 8.3.x before 8.3R5 do not properly process nested XML entities, which allows remote attackers to cause a denial of service (memory consumption and memory errors) via a crafted XML document.

CVE-2017-2601

National Vulnerability Database - Thu, 05/10/2018 - 09:29
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

CVE-2018-1130

National Vulnerability Database - Thu, 05/10/2018 - 09:29
Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in the dccp_write_xmit() function in net/dccp/output.c that allows a local user to cause a denial of service by a number of certain crafted system calls.

CVE-2018-8910

National Vulnerability Database - Thu, 05/10/2018 - 09:29
Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments.

CVE-2018-8914

National Vulnerability Database - Thu, 05/10/2018 - 09:29
SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.

CVE-2018-8915

National Vulnerability Database - Thu, 05/10/2018 - 09:29
Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title parameter.

Bugtraq: [security bulletin] MFSBGN03804 - HP Service Manager Software, Remote Disclosure of Information

SecurityFocus Vulnerabilities - Thu, 05/10/2018 - 05:20

Bugtraq: [SECURITY] [DSA 4198-1] prosody security update

SecurityFocus Vulnerabilities - Thu, 05/10/2018 - 05:20
