Security News

CVE-2018-10252

National Vulnerability Database - Mon, 05/14/2018 - 10:29
An issue was discovered on Actiontec WCB6200Q before 1.1.10.20a devices. The admin login session cookie is insecurely generated making admin session hijacking possible. When an admin logs in, a session cookie is generated using the time of day rounded to 10ms. Since the web server returns its current time of day in responses, it is possible to step backward through possible session values until a working one is found. Once a working session ID is found, an attacker then has admin control of the device and can add a secondary SSID to create a backdoor to the network.
Categories: Security News

CVE-2018-10989

National Vulnerability Database - Mon, 05/14/2018 - 10:29
Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access restrictions by leveraging access to the local network. NOTE: one or more user's guides distributed by ISPs state "At a minimum, you should set a login password."
Categories: Security News

CVE-2018-10990

National Vulnerability Database - Mon, 05/14/2018 - 10:29
On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.
Categories: Security News

CVE-2018-0589

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors.
Categories: Security News

CVE-2018-0590

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors.
Categories: Security News

CVE-2018-0591

National Vulnerability Database - Mon, 05/14/2018 - 09:29
The KINEPASS App for Android Ver 3.1.1 and earlier, and for iOS Ver 3.1.2 and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Categories: Security News

CVE-2018-5230

National Vulnerability Database - Mon, 05/14/2018 - 09:29
The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0 before version 7.8.4 and from version 7.9.0 before version 7.9.2 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the error message of custom fields when an invalid value is specified.
Categories: Security News

CVE-2018-0583

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in ASUS RT-AC1200HP Firmware version prior to 3.0.0.4.380.4180 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0585

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0586

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors.
Categories: Security News

CVE-2018-0587

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors.
Categories: Security News

CVE-2018-0588

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Directory traversal vulnerability in the AJAX function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to read arbitrary files via unspecified vectors.
Categories: Security News

CVE-2018-0578

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in PixelYourSite plugin prior to version 5.3.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0579

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in Open Graph for Facebook, Google+ and Twitter Card Tags plugin prior to version 2.2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0580

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Untrusted search path vulnerability in CELSYS, Inc CLIP STUDIO series (CLIP STUDIO PAINT (for Windows) EX/PRO/DEBUT Ver.1.7.3 and earlier, CLIP STUDIO ACTION (for Windows) Ver.1.5.5 and earlier, with its timestamp prior to April 25, 2018, 12:11:31, and CLIP STUDIO MODELER (for Windows) Ver.1.6.3 and earlier, with its timestamp prior to April 25, 2018, 17:02:49) allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.
Categories: Security News

CVE-2018-0581

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in ASUS RT-AC87U Firmware version prior to 3.0.0.4.378.9383 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2018-0582

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in ASUS RT-AC68U Firmware version prior to 3.0.0.4.380.1031 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

CVE-2017-16860

National Vulnerability Database - Mon, 05/14/2018 - 09:29
The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.
Categories: Security News

CVE-2018-0568

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Unrestricted file upload vulnerability in SiteBridge Inc. Joruri Gw Ver 3.2.0 and earlier allows remote authenticated users to execute arbitrary PHP code via unspecified vectors.
Categories: Security News

CVE-2018-0576

National Vulnerability Database - Mon, 05/14/2018 - 09:29
Cross-site scripting vulnerability in Events Manager plugin prior to version 5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Categories: Security News

Pages