Security News

CVE-2018-10213

National Vulnerability Database - Wed, 04/25/2018 - 14:29
An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. There is XSS in invitation mail received from a different user, who can modify the HTML in that mail before sending it.
Categories: Security News

CVE-2014-5014

National Vulnerability Database - Wed, 04/25/2018 - 13:29
The WordPress Flash Uploader plugin before 3.1.3 for WordPress allows remote attackers to execute arbitrary commands via vectors related to invalid characters in image_magic_path.
Categories: Security News

CVE-2017-12712

National Vulnerability Database - Wed, 04/25/2018 - 09:29
The authentication algorithm in Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017, which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via RF communications. CVSS v3 base score: 7.5, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Categories: Security News

CVE-2017-12714

National Vulnerability Database - Wed, 04/25/2018 - 09:29
Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do not restrict or limit the number of correctly formatted "RF wake-up" commands that can be received, which may allow a nearby attacker to repeatedly send commands to reduce pacemaker battery life. CVSS v3 base score: 5.3, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Categories: Security News

CVE-2017-12716

National Vulnerability Database - Wed, 04/25/2018 - 09:29
Abbott Laboratories Accent and Anthem pacemakers manufactured prior to Aug 28, 2017 transmit unencrypted patient information via RF communications to programmers and home monitoring units. Additionally, the Accent and Anthem pacemakers store the optional patient information without encryption. CVSS v3 base score: 3.1, CVSS vector string: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. Abbott has developed a firmware update to help mitigate the identified vulnerabilities.
Categories: Security News

CVE-2017-1750

National Vulnerability Database - Wed, 04/25/2018 - 09:29
IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 135523.
Categories: Security News

CVE-2017-7652

National Vulnerability Database - Wed, 04/25/2018 - 09:29
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.
Categories: Security News

CVE-2018-1363

National Vulnerability Database - Wed, 04/25/2018 - 09:29
IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 137448.
Categories: Security News

CVE-2018-1112

National Vulnerability Database - Wed, 04/25/2018 - 08:29
glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.
Categories: Security News

CVE-2018-10310

National Vulnerability Database - Wed, 04/25/2018 - 05:29
A persistent cross-site scripting vulnerability has been identified in the web interface of the Catapult UK Cookie Consent plugin before 2.3.10 for WordPress that allows the execution of arbitrary HTML/script code in the context of a victim's browser.
Categories: Security News

CVE-2018-10366

National Vulnerability Database - Wed, 04/25/2018 - 05:29
An issue was discovered in the Users (aka Front-end user management) plugin 1.4.5 for October CMS. XSS exists in the name field.
Categories: Security News

CVE-2018-10367

National Vulnerability Database - Wed, 04/25/2018 - 05:29
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
Categories: Security News

CVE-2018-10368

National Vulnerability Database - Wed, 04/25/2018 - 05:29
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.
Categories: Security News

CVE-2018-10372

National Vulnerability Database - Wed, 04/25/2018 - 05:29
process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted binary file, as demonstrated by readelf.
Categories: Security News

CVE-2018-10373

National Vulnerability Database - Wed, 04/25/2018 - 05:29
concat_filename in dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by nm-new.
Categories: Security News

CVE-2018-10374

National Vulnerability Database - Wed, 04/25/2018 - 05:29
EasyCMS 1.3 has XSS via the s POST parameter (aka a search box value) in an index.php?s=/index/search/index.html request.
Categories: Security News

CVE-2018-10375

National Vulnerability Database - Wed, 04/25/2018 - 05:29
A file uploading vulnerability exists in /include/helpers/upload.helper.php in DedeCMS V5.7 SP2, which can be utilized by attackers to upload and execute arbitrary PHP code via the /dede/archives_do.php?dopost=uploadLitpic litpic parameter when "Content-Type: image/jpeg" is sent, but the filename ends in .php and contains PHP code.
Categories: Security News

CVE-2018-10376

National Vulnerability Database - Wed, 04/25/2018 - 05:29
An integer overflow in the transferProxy function of a smart contract implementation for SmartMesh (aka SMT), an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted _fee and _value parameters, as exploited in the wild in April 2018, aka the "proxyOverflow" issue.
Categories: Security News

CVE-2018-8801

National Vulnerability Database - Wed, 04/25/2018 - 05:29
GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component.
Categories: Security News

CVE-2018-10361

National Vulnerability Database - Wed, 04/25/2018 - 01:29
An issue was discovered in KTextEditor 5.34.0 through 5.45.0. Insecure handling of temporary files in the KTextEditor's kauth_ktexteditor_helper service (as utilized in the Kate text editor) can allow other unprivileged users on the local system to gain root privileges. The attack occurs when one user (who has an unprivileged account but is also able to authenticate as root) writes a text file using Kate into a directory owned by a another unprivileged user. The latter unprivileged user conducts a symlink attack to achieve privilege escalation.
Categories: Security News

Pages