Security News

CVE-2018-12095

National Vulnerability Database - Mon, 06/11/2018 - 07:29
A Reflected Cross-Site Scripting web vulnerability has been discovered in the OEcms v3.1 web-application. The vulnerability is located in the mod parameter of info.php.
Categories: Security News

CVE-2018-12099

National Vulnerability Database - Mon, 06/11/2018 - 07:29
Grafana before 5.2.0-beta1 has XSS vulnerabilities in dashboard links.
Categories: Security News

CVE-2018-12100

National Vulnerability Database - Mon, 06/11/2018 - 07:29
Sonatype Nexus Repository Manager before 3.12.0 has XSS in multiple areas in the Administration UI.
Categories: Security News

CVE-2018-10360

National Vulnerability Database - Mon, 06/11/2018 - 06:29
The do_core_note function in readelf.c in libmagic.a in file 5.33 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file.
Categories: Security News

CVE-2018-12025

National Vulnerability Database - Mon, 06/11/2018 - 06:29
The transferFrom function of a smart contract implementation for FuturXE (FXE), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized transfer of digital assets because of a logic error. The developer messed up with the boolean judgment - if the input value is smaller than or equal to allowed value, the transfer session would stop execution by returning false. This makes no sense, because the transferFrom() function should require the transferring value to not exceed the allowed value in the first place. Suppose this function asks for the allowed value to be smaller than the input. Then, the attacker could easily ignore the allowance: after this condition, the `allowed[from][msg.sender] -= value;` would cause an underflow because the allowed part is smaller than the value. The attacker could transfer any amount of FuturXe tokens of any accounts to an appointed account (the `_to` address) because the allowed value is initialized to 0, and the attacker could bypass this restriction even without the victim's private key.
Categories: Security News

CVE-2018-12089

National Vulnerability Database - Mon, 06/11/2018 - 06:29
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.
Categories: Security News

CVE-2018-12090

National Vulnerability Database - Mon, 06/11/2018 - 06:29
There is unauthenticated reflected cross-site scripting (XSS) in LAMS before 3.1 that allows a remote attacker to introduce arbitrary JavaScript via manipulation of an unsanitized GET parameter during a forgotPasswordChange.jsp?key= password change.
Categories: Security News

Vuln: Adobe Flash Player CVE-2018-5002 Stack Buffer Overflow Vulnerability

SecurityFocus Vulnerabilities - Mon, 06/11/2018 - 00:00
Adobe Flash Player CVE-2018-5002 Stack Buffer Overflow Vulnerability
Categories: Security News

Vuln: Flexera Software FlexNet Publisher CVE-2015-8277 Buffer Overflow Vulnerability

SecurityFocus Vulnerabilities - Mon, 06/11/2018 - 00:00
Flexera Software FlexNet Publisher CVE-2015-8277 Buffer Overflow Vulnerability
Categories: Security News

Vuln: Jetty CVE-2015-2080 Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Mon, 06/11/2018 - 00:00
Jetty CVE-2015-2080 Information Disclosure Vulnerability
Categories: Security News

CVE-2018-12088

National Vulnerability Database - Sun, 06/10/2018 - 19:29
S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts of files. This is related to the checksum_basic_mapping function.
Categories: Security News

CVE-2018-12085

National Vulnerability Database - Sat, 06/09/2018 - 07:29
Liblouis 3.6.0 has a stack-based Buffer Overflow in the function parseChars in compileTranslationTable.c, a different vulnerability than CVE-2018-11440.
Categories: Security News

Bugtraq: [SECURITY] [DSA 4219-1] jruby security update

SecurityFocus Vulnerabilities - Sat, 06/09/2018 - 00:20
[SECURITY] [DSA 4219-1] jruby security update
Categories: Security News

Bugtraq: DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities

SecurityFocus Vulnerabilities - Sat, 06/09/2018 - 00:20
DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities
Categories: Security News

Bugtraq: DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities

SecurityFocus Vulnerabilities - Sat, 06/09/2018 - 00:20
DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities
Categories: Security News

CVE-2018-12020

National Vulnerability Database - Fri, 06/08/2018 - 17:29
mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represent an original filename that contains line feed characters in conjunction with GOODSIG or VALIDSIG status codes.
Categories: Security News

CVE-2018-0225

National Vulnerability Database - Fri, 06/08/2018 - 16:29
The Enterprise Console in Cisco AppDynamics App iQ Platform before 4.4.3.10598 (HF4) allows SQL injection, aka the Security Advisory 2089 issue.
Categories: Security News

CVE-2018-1281

National Vulnerability Database - Fri, 06/08/2018 - 15:29
The clustered setup of Apache MXNet allows users to specify which IP address and port the scheduler will listen on via the DMLC_PS_ROOT_URI and DMLC_PS_ROOT_PORT env variables. In versions older than 1.0.0, however, the MXNet framework will listen on 0.0.0.0 rather than user specified DMLC_PS_ROOT_URI once a scheduler node is initialized. This exposes the instance running MXNet to any attackers reachable via the interface they didn't expect to be listening on. For example: If a user wants to run a clustered setup locally, they may specify to run on 127.0.0.1. But since MXNet will listen on 0.0.0.0, it makes the port accessible on all network interfaces.
Categories: Security News

CVE-2018-4233

National Vulnerability Database - Fri, 06/08/2018 - 14:29
An issue was discovered in certain Apple products. iOS before 11.4 is affected. Safari before 11.1.1 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
Categories: Security News

CVE-2018-4234

National Vulnerability Database - Fri, 06/08/2018 - 14:29
An issue was discovered in certain Apple products. macOS before 10.13.5 is affected. The issue involves the "IOHIDFamily" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
Categories: Security News

Pages