Security News

CVE-2017-1000355

National Vulnerability Database - Mon, 01/29/2018 - 12:29
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
Categories: Security News

CVE-2017-1000356

National Vulnerability Database - Mon, 01/29/2018 - 12:29
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an issue in the Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process and allowing a wide variety of impacts.

CVE-2017-12626

National Vulnerability Database - Mon, 01/29/2018 - 12:29
Apache POI versions prior to release 3.17 are vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

CVE-2018-6381

National Vulnerability Database - Mon, 01/29/2018 - 12:29
In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid memory access in the zzip_disk_fread function (zzip/mmapped.c) because the size variable is not validated against the amount of file->stored data.

CVE-2017-14190

National Vulnerability Database - Mon, 01/29/2018 - 11:29
A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6.2, 5.4.0 to 5.4.7, 5.2 and earlier, allows an attacker to inject arbitrary web script or HTML via a maliciously crafted "Host" header in user HTTP requests.

CVE-2017-14698

National Vulnerability Database - Mon, 01/29/2018 - 11:29
ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote attackers to change passwords of arbitrary users via the http_passwd parameter to mod_login.asp.

CVE-2017-14699

National Vulnerability Database - Mon, 01/29/2018 - 11:29
Multiple XML external entity (XXE) vulnerabilities in the AiCloud feature on ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC56U, DSL-N10_C1, DSL-N12U C1, DSL-N12E C1, DSL-N14U, DSL-N14U-B1, DSL-N16, DSL-N16U, DSL-N17U, DSL-N66U, and DSL-AC750 routers allow remote authenticated users to read arbitrary files via a crafted DTD in (1) an UPDATEACCOUNT or (2) a PROPFIND request.

CVE-2017-1779

National Vulnerability Database - Mon, 01/29/2018 - 11:29
IBM Cognos Analytics 11.0 could store cached credentials locally that could be obtained by a local user. IBM X-Force ID: 136824.

CVE-2017-1783

National Vulnerability Database - Mon, 01/29/2018 - 11:29
IBM Cognos Analytics 11.0 could allow a local user to change parameters set from the Cognos Analytics menus without proper authentication. IBM X-Force ID: 136857.

CVE-2017-1784

National Vulnerability Database - Mon, 01/29/2018 - 11:29
IBM Cognos Analytics 11.0 could produce results in temporary files that contain highly sensitive information that can be read by a local user. IBM X-Force ID: 136858.

CVE-2017-4947

National Vulnerability Database - Mon, 01/29/2018 - 11:29
VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.

CVE-2017-4951

National Vulnerability Database - Mon, 01/29/2018 - 11:29
VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices.

CVE-2018-1364

National Vulnerability Database - Mon, 01/29/2018 - 11:29
IBM Content Navigator 2.0 and 3.0 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 137449.

CVE-2017-18078

National Vulnerability Database - Mon, 01/29/2018 - 00:29
systemd-tmpfiles in systemd before 237 attempts to support ownership/permission changes on hardlinked files even if the fs.protected_hardlinks sysctl is turned off, which allows local users to bypass intended access restrictions via vectors involving a hard link to a file for which the user lacks write access, as demonstrated by changing the ownership of the /etc/passwd file.

CVE-2017-18079

National Vulnerability Database - Mon, 01/29/2018 - 00:29
drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact because the port->exists value can change after it is validated.

CVE-2018-5720

National Vulnerability Database - Mon, 01/29/2018 - 00:29
An issue was discovered on DODOCOOL DC38 3-in-1 N300 Mini Wireless Range Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify all the settings. This vulnerability can lead to changing an existing user's username and password, changing the Wi-Fi password, etc.

CVE-2018-6007

National Vulnerability Database - Mon, 01/29/2018 - 00:29
CSRF exists in the JS Support Ticket 1.1.0 component for Joomla! and allows attackers to inject HTML or edit a ticket.

CVE-2018-6008

National Vulnerability Database - Mon, 01/29/2018 - 00:29
Arbitrary File Download exists in the Jtag Members Directory 5.3.7 component for Joomla! via the download_file parameter.

CVE-2018-6363

National Vulnerability Database - Mon, 01/29/2018 - 00:29
SQL Injection exists in Task Rabbit Clone 1.0 via the single_blog.php id parameter.

CVE-2018-6364

National Vulnerability Database - Mon, 01/29/2018 - 00:29
SQL Injection exists in Multilanguage Real Estate MLM Script through 3.0 via the /product-list.php srch parameter.