Security News

Bugtraq: Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 08:20
Re: SEC Consult SA-20180514-0 :: Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet
Categories: Security News

Bugtraq: CVE-2018-10994: HTML tag injection in Signal-desktop

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 08:20
CVE-2018-10994: HTML tag injection in Signal-desktop
Categories: Security News

CVE-2018-10825

National Vulnerability Database - Tue, 05/15/2018 - 00:29
Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack.
Categories: Security News

Vuln: Advantech WebAccess ICSA-18-135-01 Multiple Security Vulnerabilities

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 00:00
Advantech WebAccess ICSA-18-135-01 Multiple Security Vulnerabilities
Categories: Security News

Vuln: oVirt CVE-2018-1073 User Enumeration Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 00:00
oVirt CVE-2018-1073 User Enumeration Vulnerability
Categories: Security News

Vuln: OpenPGP CVE-2017-17688 Man In The Middle Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 00:00
OpenPGP CVE-2017-17688 Man In The Middle Information Disclosure Vulnerability
Categories: Security News

Vuln: Adobe Connect CVE-2018-4994 Authentication Bypass Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/15/2018 - 00:00
Adobe Connect CVE-2018-4994 Authentication Bypass Vulnerability
Categories: Security News

CVE-2018-11102

National Vulnerability Database - Mon, 05/14/2018 - 22:29
An issue was discovered in Libav 12.3. A read access violation in the mov_probe function in libavformat/mov.c allows remote attackers to cause a denial of service (application crash), as demonstrated by avconv.
Categories: Security News

CVE-2018-11097

National Vulnerability Database - Mon, 05/14/2018 - 21:29
An issue was discovered in cloudwu/cstring through 2016-11-09. There is a memory leak vulnerability that could lead to a program crash.
Categories: Security News

CVE-2018-11098

National Vulnerability Database - Mon, 05/14/2018 - 21:29
An issue was discovered in Frog CMS 0.9.5. There is a file upload vulnerability via the admin/?/plugin/file_manager/upload URI, a similar issue to CVE-2014-4912.
Categories: Security News

CVE-2018-11100

National Vulnerability Database - Mon, 05/14/2018 - 21:29
The decompileSETTARGET function in decompile.c in libming through 0.4.8 mishandles cases where the header indicates a file size greater than the actual size, which allows remote attackers to cause a denial of service (Segmentation fault and application crash) or possibly have unspecified other impact.
Categories: Security News

CVE-2018-11095

National Vulnerability Database - Mon, 05/14/2018 - 20:29
The decompileJUMP function in decompile.c in libming through 0.4.8 mishandles cases where the header indicates a file size greater than the actual size, which allows remote attackers to cause a denial of service (Segmentation fault and application crash) or possibly have unspecified other impact.
Categories: Security News

CVE-2018-10994

National Vulnerability Database - Mon, 05/14/2018 - 19:29
js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL.
Categories: Security News

CVE-2018-11090

National Vulnerability Database - Mon, 05/14/2018 - 19:29
An XSS issue was discovered in MyBiz MyProcureNet 5.0.0. This vulnerability within "ProxyPage.aspx" allows an attacker to inject malicious client-side scripting, which will be executed in the browser of users if they visit the manipulated site.
Categories: Security News

CVE-2018-11091

National Vulnerability Database - Mon, 05/14/2018 - 19:29
An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file can be uploaded to the webserver by an attacker. It is possible for an attacker to upload a script to issue operating system commands. This vulnerability occurs because an attacker is able to adjust the "HiddenFieldControlCustomWhiteListedExtensions" parameter and add arbitrary extensions to the whitelist during the upload. For instance, if the extension .asp is added to the "HiddenFieldControlCustomWhiteListedExtensions" parameter, the server accepts "secctest.asp" as a legitimate file. Hence malicious files can be uploaded in order to execute arbitrary commands to take over the server.
Categories: Security News

CVE-2017-14439

National Vulnerability Database - Mon, 05/14/2018 - 16:29
Exploitable denial of service vulnerabilities exist in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4001/tcp to trigger this vulnerability.
Categories: Security News

CVE-2017-12120

National Vulnerability Database - Mon, 05/14/2018 - 16:29
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parameter in the "/goform/net_WebPingGetValue" URI to trigger this vulnerability.
Categories: Security News

CVE-2017-12121

National Vulnerability Database - Mon, 05/14/2018 - 16:29
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the rsakey_name= parameter in the "/goform/WebRSAKEYGen" URI to trigger this vulnerability.
Categories: Security News

CVE-2017-12123

National Vulnerability Database - Mon, 05/14/2018 - 16:29
An exploitable clear text transmission of password vulnerability exists in the web server and telnet functionality of Moxa EDR-810 V4.1 build 17030317. An attacker can look at network traffic to get the admin password for the device. The attacker can then use the credentials to login as admin.
Categories: Security News

CVE-2017-12124

National Vulnerability Database - Mon, 05/14/2018 - 16:29
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.
Categories: Security News