Security News

CVE-2018-13397

National Vulnerability Database - Mon, 11/05/2018 - 17:29
There was an argument injection vulnerability in Sourcetree for Windows, from version 0.5.1.0 up to but not including version 3.0.0, via Git subrepositories in Mercurial repositories. An attacker with permission to commit to a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.
Categories: Security News

CVE-2018-18957

National Vulnerability Database - Mon, 11/05/2018 - 17:29
An issue has been found in libIEC61850 v1.3. It is a stack-based buffer overflow in prepareGooseBuffer in goose/goose_publisher.c.

CVE-2018-18956

National Vulnerability Database - Mon, 11/05/2018 - 16:29
The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x through 4.0.5 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018.

CVE-2018-18820

National Vulnerability Database - Mon, 11/05/2018 - 14:29
A buffer overflow was discovered in the URL-authentication backend of Icecast before 2.4.4. If the backend is enabled, then any malicious HTTP client can send a request for that specific resource including a crafted header, leading to denial of service and potentially remote code execution.

CVE-2018-9208

National Vulnerability Database - Mon, 11/05/2018 - 08:29
Unauthenticated arbitrary file upload vulnerability in jQuery Picture Cut version 1.1Beta and earlier.

CVE-2018-18933

National Vulnerability Database - Mon, 11/05/2018 - 04:29
The u3d plugin 9.3.0.10809 (aka plugins\U3DBrowser.fpi) in FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information via a U3D sample.

CVE-2018-18934

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in PopojiCMS v2.0.1. admin_component.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code (that is extracted and can be executed). This can also be exploited via CSRF.

CVE-2018-18935

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in PopojiCMS v2.0.1. It has CSRF via the po-admin/route.php?mod=component&act=addnew URI, as demonstrated by adding a level=1 account.

CVE-2018-18936

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in PopojiCMS v2.0.1. admin_library.php allows remote attackers to delete arbitrary files via directory traversal in the po-admin/route.php?mod=library&act=delete id parameter.

CVE-2018-18937

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue has been found in libIEC61850 v1.3. It is a NULL pointer dereference in ClientDataSet_getValues in client/ied_connection.c.

CVE-2018-18938

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field.

CVE-2018-18939

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via a seventh input field.

CVE-2018-18942

National Vulnerability Database - Mon, 11/05/2018 - 04:29
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter.

CVE-2018-18943

National Vulnerability Database - Mon, 11/05/2018 - 04:29
An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.

CVE-2018-18949

National Vulnerability Database - Mon, 11/05/2018 - 04:29
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.

CVE-2018-18950

National Vulnerability Database - Mon, 11/05/2018 - 04:29
KindEditor through 4.1.11 has a path traversal vulnerability in php/upload_json.php. Anyone can browse a file or directory in the kindeditor/attached/ folder via the path parameter without authentication.

CVE-2018-18952

National Vulnerability Database - Mon, 11/05/2018 - 04:29
JEECMS 9.3 has XSS via an index.do#/content/update?type=update URI.

CVE-2018-18928

National Vulnerability Database - Sun, 11/04/2018 - 15:29
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.

CVE-2018-18919

National Vulnerability Database - Sun, 11/04/2018 - 01:29
The WP Editor.md plugin 10.0.1 for WordPress allows XSS via the comment area.

CVE-2018-18924

National Vulnerability Database - Sun, 11/04/2018 - 01:29
The image-upload feature in ProjeQtOr 7.2.5 allows remote attackers to execute arbitrary code by uploading a .shtml file with "#exec cmd" because rejected files remain on the server, with predictable filenames, after a "This file is not a valid image" error message.