Security News

CVE-2018-1779

National Vulnerability Database - Tue, 11/20/2018 - 09:29
IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802.
Categories: Security News

CVE-2018-19367

National Vulnerability Database - Tue, 11/20/2018 - 04:29
Portainer through 1.19.2 provides an API endpoint (/api/users/admin/check) to verify that the admin user is already created. This API endpoint will return 404 if admin was not created and 204 if it was already created. Attackers can set an admin password in the 404 case.

CVE-2018-19335

National Vulnerability Database - Tue, 11/20/2018 - 04:29
Google Monorail before 2018-06-07 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with a crafted groupby value) can be used to obtain sensitive information about the content of bug reports.

CVE-2018-19334

National Vulnerability Database - Tue, 11/20/2018 - 04:29
Google Monorail before 2018-05-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with an unsupported axis) can be used to obtain sensitive information about the content of bug reports.

CVE-2018-10099

National Vulnerability Database - Tue, 11/20/2018 - 04:29
Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) vulnerability because CSV downloads are affected by CSRF, and calculations of download times (for requests with duplicated columns) can be used to obtain sensitive information about the content of bug reports.

Vuln: VMware vSphere Data Protection CVE-2018-11076 OS Command Injection Vulnerability

SecurityFocus Vulnerabilities - Tue, 11/20/2018 - 00:00
VMware vSphere Data Protection CVE-2018-11076 OS Command Injection Vulnerability

CVE-2018-17906

National Vulnerability Database - Mon, 11/19/2018 - 15:29
Philips iSite PACS, all versions, and IntelliSpace PACS, all versions: default credentials and missing authentication within third-party software may allow an attacker to compromise a component of the system.

CVE-2018-9209

National Vulnerability Database - Mon, 11/19/2018 - 13:29
Unauthenticated arbitrary file upload vulnerability in FineUploader php-traditional-server <= v1.2.2

CVE-2018-9207

National Vulnerability Database - Mon, 11/19/2018 - 12:29
Arbitrary file upload in jQuery Upload File <= 4.0.2

CVE-2018-15759

National Vulnerability Database - Mon, 11/19/2018 - 09:29
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24, contains an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

CVE-2018-15761

National Vulnerability Database - Mon, 11/19/2018 - 09:29
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contain a validation error which allows for privilege escalation. A remote authenticated user may modify the URL and content of a consent page to gain a token with arbitrary scopes that escalates their privileges.

CVE-2018-17190

National Vulnerability Database - Mon, 11/19/2018 - 09:29
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code too. Note that this does not affect standalone clusters with authentication enabled. While the master host typically has less outbound access to other resources than a worker, the execution of code on the master is nevertheless unexpected.

CVE-2018-1841

National Vulnerability Database - Mon, 11/19/2018 - 09:29
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.

CVE-2018-18519

National Vulnerability Database - Mon, 11/19/2018 - 03:29
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-3139 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-3139 Remote Security Vulnerability

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-3136 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-3136 Remote Security Vulnerability

Vuln: Oracle Java SE/Java SE Embedded CVE-2018-13785 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded CVE-2018-13785 Remote Security Vulnerability

Vuln: Oracle Java SE/Java SE Embedded/JRockit CVE-2018-3214 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 11/19/2018 - 00:00
Oracle Java SE/Java SE Embedded/JRockit CVE-2018-3214 Remote Security Vulnerability

CVE-2018-19355

National Vulnerability Database - Sun, 11/18/2018 - 19:29
modules/orderfiles/ajax/upload.php in the Customer Files Upload addon 2018-08-01 for PrestaShop (1.5 through 1.7) allows remote attackers to execute arbitrary code by uploading a php file via modules/orderfiles/upload.php with auptype equal to product (for upload destinations under modules/productfiles), order (for upload destinations under modules/files), or cart (for upload destinations under modules/cartfiles).

CVE-2008-7320

National Vulnerability Database - Sun, 11/18/2018 - 14:29
** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate attackers to read plaintext passwords by using the quickAllow dialog at an unattended workstation, if the keyring is unlocked. NOTE: this is disputed by a software maintainer because the behavior represents a design decision.