Security News

CVE-2019-14822

National Vulnerability Database - Mon, 11/25/2019 - 07:15
A flaw was discovered in ibus that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
Categories: Security News

CVE-2019-10214

National Vulnerability Database - Mon, 11/25/2019 - 06:15
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
Categories: Security News

CVE-2019-14815

National Vulnerability Database - Mon, 11/25/2019 - 06:15
kernel is vulnerable to a None
Categories: Security News

CVE-2019-14891

National Vulnerability Database - Mon, 11/25/2019 - 06:15
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get host network access on an cri-o host.
Categories: Security News

CVE-2019-10174

National Vulnerability Database - Mon, 11/25/2019 - 06:15
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
Categories: Security News

CVE-2019-11287

National Vulnerability Database - Fri, 11/22/2019 - 19:15
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web management plugin that is vulnerable to a denial of service attack. The "X-Reason" HTTP Header can be leveraged to insert a malicious Erlang format string that will expand and consume the heap, resulting in the server crashing.
Categories: Security News

CVE-2019-11291

National Vulnerability Database - Fri, 11/22/2019 - 18:15
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, federation and shovel, which do not properly sanitize user input. A remote authenticated malicious user with administrative access could craft a cross site scripting attack via the vhost or node name fields that could grant access to virtual hosts and policy management information.
Categories: Security News

CVE-2019-15593

National Vulnerability Database - Fri, 11/22/2019 - 17:15
GitLab 12.2.3 contains a security vulnerability that allows a user to affect the availability of the service through a Denial of Service attack in Issue Comments.
Categories: Security News

CVE-2019-16285

National Vulnerability Database - Fri, 11/22/2019 - 17:15
If a local user has been configured and logged in, an unauthenticated attacker with physical access may be able to extract sensitive information onto a local drive.
Categories: Security News

CVE-2019-16286

National Vulnerability Database - Fri, 11/22/2019 - 17:15
An attacker may be able to bypass the OS application filter meant to restrict applications that can be executed by changing browser preferences to launch a separate process that in turn can execute arbitrary commands.
Categories: Security News

CVE-2019-16287

National Vulnerability Database - Fri, 11/22/2019 - 17:15
An attacker may be able to leverage the application filter bypass vulnerability to gain privileged access to create a file on the local file system whose presence puts the device in Administrative Mode, which will allow the attacker to executed commands with elevated privileges.
Categories: Security News

CVE-2019-18909

National Vulnerability Database - Fri, 11/22/2019 - 17:15
The VPN software within HP ThinPro does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with root privileges.
Categories: Security News

CVE-2019-18910

National Vulnerability Database - Fri, 11/22/2019 - 17:15
The Citrix Receiver wrapper function does not safely handle user supplied input, which may be leveraged by an attacker to inject commands that will execute with local user privileges.
Categories: Security News

CVE-2019-13566

National Vulnerability Database - Fri, 11/22/2019 - 16:15
An issue was discovered in the ROS communications-related packages (aka ros_comm or ros-melodic-ros-comm) through 1.14.3. A buffer overflow allows attackers to cause a denial of service and possibly execute arbitrary code via an IP address with a long hostname.
Categories: Security News

CVE-2019-18622

National Vulnerability Database - Fri, 11/22/2019 - 16:15
An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger a SQL injection attack through the designer feature.
Categories: Security News

CVE-2019-3654

National Vulnerability Database - Fri, 11/22/2019 - 15:15
Authentication Bypass vulnerability in the Microsoft Windows client in McAfee Client Proxy (MCP) prior to 3.0.0 allows local user to bypass scanning of web traffic and gain access to blocked sites for a short period of time via generating an authorization key on the client which should only be generated by the network administrator.
Categories: Security News

CVE-2014-2214

National Vulnerability Database - Fri, 11/22/2019 - 14:15
Multiple cross-site scripting (XSS) vulnerabilities in POSH (aka Posh portal or Portaneo) 3.0 through 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) error parameter to /includes/plugins/mobile/scripts/login.php or (2) id parameter to portal/openrssarticle.php
Categories: Security News

CVE-2014-6310

National Vulnerability Database - Fri, 11/22/2019 - 14:15
Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function.
Categories: Security News

CVE-2014-6311

National Vulnerability Database - Fri, 11/22/2019 - 14:15
generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges.
Categories: Security News

CVE-2019-16763

National Vulnerability Database - Fri, 11/22/2019 - 14:15
In Pannellum from 2.5.0 through 2.5.4 URLs were not sanitized for data URIs (or vbscript:), allowing for potential XSS attacks. Such an attack would require a user to click on a hot spot to execute and would require an attacker-provided configuration. The most plausible potential attack would be if pannellum.htm was hosted on a domain that shared cookies with the targeted site's user authentication; an <iframe> could then be embedded on the attacker's site using pannellum.htm from the targeted site, which would allow the attacker to potentially access information from the targeted site as the authenticated user (or worse if the targeted site did not have adequate CSRF protections) if the user clicked on a hot spot in the attacker's embedded panorama viewer. This was patched in version 2.5.5.
Categories: Security News

Pages