Security News

CVE-2018-13309

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's password.
Categories: Security News

CVE-2018-13310

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Cross-site scripting in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript via the user's username.

CVE-2018-13311

National Vulnerability Database - Mon, 11/26/2018 - 18:29
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.

CVE-2018-13312

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to execute arbitrary JavaScript by modifying the "Input your notice URL" field.

CVE-2018-13315

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Incorrect access control in formPasswordSetup in TOTOLINK A3002RU version 1.0.8 allows attackers to change the admin user's password via an unauthenticated POST request.

CVE-2018-13317

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Password disclosure in password.htm in TOTOLINK A3002RU version 1.0.8 allows attackers to obtain the plaintext password for the admin user by making a GET request for password.htm.

CVE-2018-13318

National Vulnerability Database - Mon, 11/26/2018 - 18:29
System command injection in User.create method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute system commands via the "name" parameter.

CVE-2018-13319

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Incorrect access control in get_portal_info in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to determine sensitive device information via an unauthenticated POST request.

CVE-2018-13320

National Vulnerability Database - Mon, 11/26/2018 - 18:29
System command injection in network.set_auth_settings in Buffalo TS5600D1206 version 3.70-0.10 allows attackers to execute system commands via the adminUsername and adminPassword parameters.

CVE-2018-13321

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Incorrect access controls in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allow attackers to call dangerous internal functions via the "method" parameter.

CVE-2018-13322

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Directory traversal in list_folders method in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to list directory contents via the "path" parameter.

CVE-2018-13323

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Cross-site scripting in detail.html in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to execute JavaScript via the "username" cookie.

CVE-2018-13324

National Vulnerability Database - Mon, 11/26/2018 - 18:29
Incorrect access control in nasapi in Buffalo TS5600D1206 version 3.61-0.10 allows attackers to bypass authentication by sending a modified HTTP Host header.

CVE-2018-14663

National Vulnerability Database - Mon, 11/26/2018 - 18:29
An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdist is deployed as a DNS Firewall and used to filter some records that should not be received by the backend. This issue occurs only when either the 'useClientSubnet' or the experimental 'addXPF' parameters are used when declaring a new backend.

CVE-2018-11066

National Vulnerability Database - Mon, 11/26/2018 - 15:29
Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain a Remote Code Execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.

CVE-2018-11067

National Vulnerability Database - Mon, 11/26/2018 - 15:29
Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

CVE-2018-11076

National Vulnerability Database - Mon, 11/26/2018 - 15:29
Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 are affected by an information exposure vulnerability. Avamar Java management console's SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.

CVE-2018-11077

National Vulnerability Database - Mon, 11/26/2018 - 15:29
'getlogs' utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege.

CVE-2018-18807

National Vulnerability Database - Mon, 11/26/2018 - 15:29
The web application of the TIBCO Statistica component of TIBCO Software Inc.'s TIBCO Statistica Server contains vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS) attacks. Affected releases are TIBCO Software Inc.'s TIBCO Statistica Server versions up to and including 13.4.0.

CVE-2018-19565

National Vulnerability Database - Mon, 11/26/2018 - 15:29
A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.