Security News

CVE-2013-4040

National Vulnerability Database - Tue, 05/01/2018 - 14:29
IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2.x before 7.2.1.5 and 7.2.x before 7.2.2.0 on Unix use weak permissions (755) for unspecified configuration and log files, which allows local users to obtain sensitive information by reading the files. IBM X-Force ID: 86176.
Categories: Security News

CVE-2017-14012

National Vulnerability Database - Tue, 05/01/2018 - 14:29
Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at rest. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Categories: Security News

CVE-2017-14014

National Vulnerability Database - Tue, 05/01/2018 - 14:29
Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media. CVSS v3 base score: 4.6; CVSS vector string: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Categories: Security News

CVE-2017-5535

National Vulnerability Database - Tue, 05/01/2018 - 14:29
The GridServer Broker, GridServer Driver, and GridServer Engine components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities related to both the improper use of encryption mechanisms and the use of weak ciphers. A malicious actor could theoretically compromise the traffic between any of the components. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.
Categories: Security News

CVE-2017-5536

National Vulnerability Database - Tue, 05/01/2018 - 14:29
The GridServer Broker and GridServer Director components of TIBCO Software Inc. TIBCO DataSynapse GridServer Manager contain vulnerabilities which may allow an authenticated user to perform cross-site scripting (XSS). In addition, an authenticated user could be a victim of a cross-site request forgery (CSRF) attack. Affected releases include TIBCO Software Inc.'s TIBCO DataSynapse GridServer Manager: versions up to and including 5.1.3; 6.0.0; 6.0.1; 6.0.2; 6.1.0; 6.1.1; and 6.2.0.
Categories: Security News

CVE-2018-6589

National Vulnerability Database - Tue, 05/01/2018 - 14:29
CA Spectrum 10.1 prior to 10.01.02.PTF_10.1.239 and 10.2.x prior to 10.2.3 allows remote attackers to cause a denial of service via unspecified vectors.
Categories: Security News

CVE-2018-9232

National Vulnerability Database - Tue, 05/01/2018 - 14:29
Due to the lack of firmware authentication in the upgrade process of T&W WIFI Repeater BE126 devices, an attacker can craft a malicious firmware and use it as an update.
Categories: Security News

CVE-2018-9336

National Vulnerability Database - Tue, 05/01/2018 - 14:29
openvpnserv.exe (aka the interactive service helper) in OpenVPN 2.4.x before 2.4.6 allows a local attacker to cause a double-free of memory by sending a malformed request to the interactive service. This could cause a denial-of-service through memory corruption or possibly have unspecified other impact including privilege escalation.
Categories: Security News

CVE-2017-18264

National Vulnerability Database - Tue, 05/01/2018 - 13:29
An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 before 4.0.10.20, 4.4.x, 4.6.x, and 4.7.0 prereleases. The restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions (e.g., version 5). This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default). This occurs because some implementations of the PHP substr function return false when given '' as the first argument.
Categories: Security News

CVE-2017-17020

National Vulnerability Database - Tue, 05/01/2018 - 12:29
On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 devices with firmware 1.14.09 and earlier, and DCS-5020L devices with firmware before 1.15.01, command injection in alphapd (binary responsible for running the camera's web server) allows remote authenticated attackers to execute code through sanitized /setSystemAdmin user input in the AdminID field being passed directly to a call to system.
Categories: Security News

CVE-2018-10365

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.
Categories: Security News

CVE-2018-10583

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
Categories: Security News

CVE-2018-8938

National Vulnerability Database - Tue, 05/01/2018 - 12:29
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.
Categories: Security News

CVE-2018-8939

National Vulnerability Database - Tue, 05/01/2018 - 12:29
An SSRF issue was discovered in NmAPI.exe in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can submit specially crafted requests via the NmAPI executable to (1) gain unauthorized access to the WhatsUp Gold system, (2) obtain information about the WhatsUp Gold system, or (3) execute remote commands.
Categories: Security News

CVE-2018-1502

National Vulnerability Database - Tue, 05/01/2018 - 10:29
IBM Content Manager Enterprise Edition Resource Manager 8.4.3 and 9.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 141338.
Categories: Security News

CVE-2018-10371

National Vulnerability Database - Tue, 05/01/2018 - 09:29
An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser via a page title.
Categories: Security News

CVE-2018-10581

National Vulnerability Database - Tue, 05/01/2018 - 09:29
In Octopus Deploy 3.4.x before 2018.4.7, an authenticated user is able to view/update/save variable values within the Tenant Variables area for Environments that do not exist within their associated Team scoping. This occurs in situations where this authenticated user also belongs to multiple teams, where one of the Teams has the VariableEdit permission or VariableView permissions for the Environment.
Categories: Security News

Vuln: PHP CVE-2017-16642 Heap Based Buffer Overflow Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
PHP CVE-2017-16642 Heap Based Buffer Overflow Vulnerability
Categories: Security News

Vuln: NTP CVE-2018-7185 Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
NTP CVE-2018-7185 Denial of Service Vulnerability
Categories: Security News

Vuln: NTP CVE-2018-7184 Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Tue, 05/01/2018 - 00:00
NTP CVE-2018-7184 Denial of Service Vulnerability
Categories: Security News