Security News

CVE-2019-11825

National Vulnerability Database - Sun, 06/30/2019 - 11:15
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.
Categories: Security News

CVE-2019-11826

National Vulnerability Database - Sun, 06/30/2019 - 11:15
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
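
The Moments entry above describes a relative path traversal through an upload file name. The following is an added example (not Synology's code; the upload root path is an assumption and the sample names are constructed) of how a server should resolve a client-supplied name so that '..' segments, absolute paths and backslash separators cannot place a file outside the intended directory:

```python
import os

# Hypothetical upload root; the real path used by any product is not on the page.
UPLOAD_ROOT = "/srv/moments/uploads"


def resolve_upload_path(base_dir: str, name: str) -> str:
    """Map a client-supplied file name to a path that is guaranteed to lie
    inside base_dir. Raises ValueError on any relative-path traversal attempt."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Treat Windows separators as separators too, so '..\\..' cannot sneak past
    # a check that only understands '/'.
    name = name.replace("\\", "/")
    if name.startswith("/"):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses every '.', '..' and symlink before the comparison,
    # so the check is made on the path the kernel would actually open.
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"name escapes upload root: {name!r}")
    return candidate


def classify(names, base_dir=UPLOAD_ROOT):
    """Return {name: 'accepted' | 'rejected'} for a batch of candidate names."""
    out = {}
    for n in names:
        try:
            resolve_upload_path(base_dir, n)
            out[n] = "accepted"
        except ValueError:
            out[n] = "rejected"
    return out


# Constructed sample names; not taken from any real request.
SAMPLE_NAMES = [
    "photo.jpg",
    "album/photo.jpg",
    "../../../etc/passwd",
    "album/../../escape.txt",
    "/etc/passwd",
    "..\\..\\win.ini",
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_NAMES).items():
        print(f"{verdict:9} {name}")
```

Comparing with os.path.commonpath rather than a string prefix matters: a sibling directory such as /srv/moments/uploads_evil would pass a startswith check on the root but fails here.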

CVE-2019-11827

National Vulnerability Database - Sun, 06/30/2019 - 11:15
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.

CVE-2019-11828

National Vulnerability Database - Sun, 06/30/2019 - 11:15
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVE-2019-11829

National Vulnerability Database - Sun, 06/30/2019 - 11:15
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via a crafted 'X-Real-IP' header.
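
The Calendar entry above takes its injected input from an HTTP header rather than a query parameter. X-Real-IP is normally set by a reverse proxy, but an application that reads it from any client connection must treat it as attacker-controlled. The added example below (Python rather than the product's PHP; 'geoiplookup' is a placeholder command name and the header values are constructed) shows what a shell does with the header when it is concatenated into a command line, and the fix: validate the value as an IP address literal and pass it as an argv element with no shell involved:

```python
import ipaddress
import shlex


def validate_real_ip(value: str) -> str:
    """Return the header value only if it is a syntactically valid IPv4/IPv6
    address; anything else (including shell metacharacters) raises ValueError."""
    value = value.strip()
    # ipaddress accepts nothing but a plain address literal, so ';', '|',
    # '$(...)' or embedded whitespace can never pass through.
    return str(ipaddress.ip_address(value))


def vulnerable_shell_tokens(ip_header: str, tool="geoiplookup"):
    """Model of the unsafe pattern: the header is concatenated into a command
    string that a shell then tokenises. Returns the tokens the shell would see.
    'geoiplookup' is a placeholder, not the product's real script."""
    command = f"{tool} {ip_header}"  # e.g. "geoiplookup 203.0.113.7; id"
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def safe_argv(ip_header: str, tool="geoiplookup"):
    """Hardened form: validate first, then build an argv list for
    subprocess.run(argv, shell=False) so no shell ever parses the value."""
    return [tool, validate_real_ip(ip_header)]


# Constructed header values; not captured from any real request.
BENIGN = "203.0.113.7"
MALICIOUS = "203.0.113.7; id"

if __name__ == "__main__":
    print("shell would run:", vulnerable_shell_tokens(MALICIOUS))
    print("argv after validation:", safe_argv(BENIGN))
    try:
        safe_argv(MALICIOUS)
    except ValueError as exc:
        print("rejected:", exc)
```

The token list from the vulnerable path makes the problem visible: the ';' becomes its own shell token and 'id' becomes a second command. The hardened path never produces a string for a shell at all.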

CVE-2019-13075

National Vulnerability Database - Sun, 06/30/2019 - 10:15
Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a behavior of Firefox before 68.

CVE-2019-13072

National Vulnerability Database - Sat, 06/29/2019 - 22:15
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.

CVE-2019-13067

National Vulnerability Database - Sat, 06/29/2019 - 20:15
njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c. This issue occurs after the fix for CVE-2019-12207 is in place.

CVE-2019-13068

National Vulnerability Database - Sat, 06/29/2019 - 20:15
public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field).
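
The Grafana entry above, like the Calendar, Note Station and ZoneMinder XSS entries earlier on this page, comes down to a user-controlled field written into HTML without encoding for its context. A link field needs two separate defences: the title must be HTML-escaped, and the URL must be restricted to an allow-list of schemes, because escaping alone does nothing against javascript: in an href. The following is an added example (not Grafana's code; the sample field values are constructed):

```python
import html
from urllib.parse import urlsplit

# Schemes a drilldown link may use. Everything else (javascript:, data:,
# vbscript:) is refused and replaced by a harmless fragment link.
ALLOWED_SCHEMES = {"", "http", "https"}
CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_href(url: str):
    """Return url if its scheme is allowed, else None. Tabs and newlines are
    removed and surrounding control characters stripped before parsing,
    because browsers do the same before deciding what the scheme is."""
    cleaned = "".join(ch for ch in url if ch not in "\t\r\n").strip(CONTROL_AND_SPACE)
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ALLOWED_SCHEMES else None


def render_link(title: str, url: str) -> str:
    """Render an <a> element with each field encoded for its own context:
    title as HTML text, href as a double-quoted attribute value."""
    href = safe_href(url)
    if href is None:
        href = "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(title, quote=True)}</a>'


def unsafe_render_link(title: str, url: str) -> str:
    """The injection-prone pattern: raw string interpolation. Kept only to
    show what the browser receives when nothing is encoded."""
    return f'<a href="{url}">{title}</a>'


# Constructed field values; not taken from any real dashboard.
SAMPLES = [
    ("Latency by region", "https://example.com/d/abc?var-region=eu&from=now-1h"),
    ('<img src=x onerror="alert(1)">', "/d/xyz"),
    ("Open", "java\tscript:alert(document.cookie)"),
    ("Open", "JavaScript:alert(1)"),
]

if __name__ == "__main__":
    for title, url in SAMPLES:
        print("unsafe:", unsafe_render_link(title, url))
        print("safe:  ", render_link(title, url))
```

Note that the tab inside "java\tscript:" is not a typo in the sample: browsers discard ASCII tab and newline inside a URL before parsing it, so a scheme check that does not do the same can be bypassed.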

CVE-2016-10761

National Vulnerability Database - Sat, 06/29/2019 - 16:15
Logitech Unifying devices before 2016-02-26 allow keystroke injection, bypassing encryption, aka MouseJack.

CVE-2019-13052

National Vulnerability Database - Sat, 06/29/2019 - 16:15
Logitech Unifying devices allow live decryption if the pairing of a keyboard to a receiver is sniffed.

CVE-2019-13053

National Vulnerability Database - Sat, 06/29/2019 - 16:15
Logitech Unifying devices allow keystroke injection, bypassing encryption. The attacker must press a "magic" key combination while sniffing cryptographic data from a Radio Frequency transmission. NOTE: this issue exists because of an incomplete fix for CVE-2016-10761.

CVE-2019-13054

National Vulnerability Database - Sat, 06/29/2019 - 16:15
The Logitech R500 presentation clicker allows attackers to determine the AES key, leading to keystroke injection. On Windows, any text may be injected by using ALT+NUMPAD input to bypass the restriction on the characters A through Z.

CVE-2019-13055

National Vulnerability Database - Sat, 06/29/2019 - 16:15
Certain Logitech Unifying devices allow attackers to dump AES keys and addresses, leading to the capability of live decryption of Radio Frequency transmissions, as demonstrated by an attack against a Logitech K360 keyboard.

CVE-2019-13050

National Vulnerability Database - Sat, 06/29/2019 - 13:15
Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.

CVE-2019-13046

National Vulnerability Database - Sat, 06/29/2019 - 11:15
linker/linker.c in ToaruOS through 1.10.9 has insecure LD_LIBRARY_PATH handling in setuid applications.

CVE-2019-13047

National Vulnerability Database - Sat, 06/29/2019 - 11:15
kernel/sys/syscall.c in ToaruOS through 1.10.9 has incorrect access control in sys_sysfunc case 9 for TOARU_SYS_FUNC_SETHEAP, allowing arbitrary kernel pages to be mapped into user land, leading to root access.

CVE-2019-13048

National Vulnerability Database - Sat, 06/29/2019 - 11:15
kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of service upon a critical error in certain sys_sbrk allocation patterns (involving PAGE_SIZE, and a value less than PAGE_SIZE).

CVE-2019-13049

National Vulnerability Database - Sat, 06/29/2019 - 11:15
An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 allows users to map arbitrary kernel pages into userland process space via TOARU_SYS_FUNC_MMAP, leading to escalation of privileges.

CVE-2019-13038

National Vulnerability Database - Sat, 06/29/2019 - 10:15
mod_auth_mellon through 0.14.2 has an Open Redirect via the login?ReturnTo= substring, as demonstrated by omitting the // after http: in the target URL.
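
The mod_auth_mellon entry above shows why a redirect target must be parsed rather than pattern-matched: a filter that looks for '//' to spot an external URL passes 'http:evil.example', yet a browser given a special-scheme URL without the slashes still resolves it to an absolute URL on that host. The added example below (not mod_auth_mellon's code; the candidate targets are constructed) puts such a filter beside a strict one that accepts only a same-origin path:

```python
from urllib.parse import urlsplit

CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_safe_return_to(target: str) -> bool:
    """A pattern-match filter of the kind the bypass defeats: it only looks
    for an explicit '//' to decide that a target is off-site."""
    return "://" not in target and not target.startswith("//")


def strict_is_safe_return_to(target: str) -> bool:
    """Accept only a same-origin path: no scheme, no authority, a single
    leading '/', and no backslashes (browsers treat '\\' as '/' in http URLs)."""
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n").strip(CONTROL_AND_SPACE)
    if "\\" in cleaned:
        return False
    parts = urlsplit(cleaned)
    # Any scheme at all ('http:evil.example' has scheme 'http' and no netloc)
    # or any authority ('//evil.example') means the target leaves this origin.
    if parts.scheme or parts.netloc:
        return False
    return cleaned.startswith("/") and not cleaned.startswith("//")


# Constructed candidate ReturnTo values.
CANDIDATES = [
    "/protected/app",
    "/protected/app?x=1#top",
    "https://evil.example/",
    "//evil.example/",
    "http:evil.example",
    "HTTP:evil.example",
    "/\\evil.example",
]


def compare(targets=CANDIDATES):
    """Return {target: (naive_verdict, strict_verdict)} so the two filters
    can be read side by side."""
    return {t: (naive_is_safe_return_to(t), strict_is_safe_return_to(t)) for t in targets}


if __name__ == "__main__":
    for target, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5} {target}")
```

The two rows that differ are the point: 'http:evil.example' and '/\evil.example' pass the naive filter and fail the strict one. An allow-list of permitted redirect hosts is the usual complement when off-site targets are genuinely needed.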
