Security News

CVE-2019-16992

National Vulnerability Database - Sun, 09/29/2019 - 20:15
The Keybase app 2.13.2 for iOS provides potentially insufficient notice that it is employing a user's private key to sign a certain cryptocurrency attestation (that an address at keybase.io can be used for Stellar payments to the user), which might be incompatible with a user's personal position on the semantics of an attestation.
Categories: Security News

CVE-2019-16930

National Vulnerability Database - Sat, 09/28/2019 - 18:15
Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a full node that owns a shielded address, related to mishandling of exceptions during deserialization of note plaintexts. This affects anyone who has disclosed their zaddr to a third party.

CVE-2019-16941

National Vulnerability Database - Sat, 09/28/2019 - 12:15
NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

CVE-2019-16935

National Vulnerability Database - Fri, 09/27/2019 - 22:15
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

CVE-2019-16925

National Vulnerability Database - Fri, 09/27/2019 - 20:15
Flower 1.0.0 has XSS via the name parameter in an @app.task call.

CVE-2019-16926

National Vulnerability Database - Fri, 09/27/2019 - 20:15
Flower 1.0.0 has XSS via a crafted worker name.

CVE-2019-16928

National Vulnerability Database - Fri, 09/27/2019 - 17:15
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.

CVE-2019-3736

National Vulnerability Database - Fri, 09/27/2019 - 17:15
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a password storage vulnerability in the ACM component. A remote authenticated malicious user with root privileges may potentially use a support tool to decrypt encrypted passwords stored locally on the system and use them to access other components with the privileges of the compromised user.

CVE-2019-3746

National Vulnerability Database - Fri, 09/27/2019 - 17:15
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 do not limit the number of authentication attempts to the ACM API. An authenticated remote user may exploit this vulnerability to launch a brute-force authentication attack in order to gain access to the system.

CVE-2019-3747

National Vulnerability Database - Fri, 09/27/2019 - 17:15
Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a stored cross-site scripting vulnerability. A remote malicious ACM admin user may potentially exploit this vulnerability to store malicious HTML or JavaScript code in a Cloud DR add-on-specific field. When victim users access the page through their browsers, the malicious code is executed by the web browser in the context of the vulnerable web application.

CVE-2019-3766

National Vulnerability Database - Fri, 09/27/2019 - 17:15
Dell EMC ECS versions prior to 3.4.0.0 contain an improper restriction of excessive authentication attempts vulnerability. An unauthenticated remote attacker may potentially perform a password brute-force attack to gain access to the targeted accounts.

CVE-2019-11927

National Vulnerability Database - Fri, 09/27/2019 - 17:15
An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images. This issue affects WhatsApp for Android before version 2.19.143 and WhatsApp for iOS before version 2.19.100.

CVE-2019-16685

National Vulnerability Database - Fri, 09/27/2019 - 16:15
Dolibarr 9.0.5 has a stored XSS vulnerability via a User Group Description section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

CVE-2019-16686

National Vulnerability Database - Fri, 09/27/2019 - 16:15
Dolibarr 9.0.5 has stored XSS in a User Note section to note.php. A user with no privileges can inject script to attack the admin.

CVE-2019-16687

National Vulnerability Database - Fri, 09/27/2019 - 16:15
Dolibarr 9.0.5 has stored XSS in a User Profile in a Signature section to card.php. A user with the "Create/modify other users, groups and permissions" privilege can inject script and can also achieve privilege escalation.

CVE-2019-16688

National Vulnerability Database - Fri, 09/27/2019 - 16:15
Dolibarr 9.0.5 has stored XSS in an Email Template section to mails_templates.php. A user with no privileges can inject script to attack the admin. (This stored XSS can affect all types of user privilege from Admin to users with no permissions.)

CVE-2019-16927

National Vulnerability Database - Fri, 09/27/2019 - 16:15
Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the TextPage::findGaps function in TextOutputDev.cc, a different vulnerability than CVE-2019-9877.

CVE-2019-9433

National Vulnerability Database - Fri, 09/27/2019 - 15:15
In libvpx, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-80479354.

CVE-2019-9434

National Vulnerability Database - Fri, 09/27/2019 - 15:15
In Bluetooth, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure, with heap information written to the log, with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-80432895.

CVE-2019-9435

National Vulnerability Database - Fri, 09/27/2019 - 15:15
In Bluetooth, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-80146682.