Security News

CVE-2018-6591

National Vulnerability Database - Mon, 02/19/2018 - 09:29
Converse.js and Inverse.js through 3.3 allow remote attackers to obtain sensitive information because it is too difficult to determine whether safe publication of private data was configured or even intended. For example, users might have an expectation that chatroom bookmarks are private, but the various interacting software components do not necessarily make that happen.
Categories: Security News

CVE-2018-7219

National Vulnerability Database - Mon, 02/19/2018 - 09:29
application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as demonstrated by changing an admin password or adding an account via a public/index.php/admin/admin/edit.html request.

CVE-2018-5378

National Vulnerability Database - Mon, 02/19/2018 - 08:29
The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds-check the data sent with a NOTIFY to a peer when an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.

CVE-2018-5379

National Vulnerability Database - Mon, 02/19/2018 - 08:29
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.

CVE-2018-5380

National Vulnerability Database - Mon, 02/19/2018 - 08:29
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun its internal BGP code-to-string conversion tables (used for debug output) by one pointer value, based on input.

CVE-2018-5381

National Vulnerability Database - Mon, 02/19/2018 - 08:29
The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
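
The four Quagga entries above share two parsing mistakes: a loop over capability TLVs that does not advance its cursor on every path (the infinite loop on an unrecognised AFI/SAFI), and lookups or lengths that are not checked against the size of what they index (the by-one table overrun, the unchecked attribute length). The following is an added illustration of those bug classes, not Quagga's code: the capability table, the set of recognised AFI/SAFI pairs, both parsers and the sample OPEN capability bytes are all constructed here. The MP capability layout (AFI 2 octets, reserved 1, SAFI 1) follows RFC 4760.

```python
"""Capability TLV parsing with guaranteed forward progress and bounded lookups.

Added illustration of the bug classes in the Quagga entries above; this is
NOT Quagga's code. The capability table, the recognised AFI/SAFI pairs, both
parsers and the sample bytes are constructed for the demonstration.
"""
import struct

# Capability code -> name. Code 1 (Multiprotocol, RFC 4760) and code 2
# (Route Refresh, RFC 2918) are real assignments; the table is deliberately
# short so that out-of-range codes are easy to exercise.
CAPABILITY_NAMES = ["Reserved", "MultiProtocol", "RouteRefresh"]

# AFI/SAFI pairs this hypothetical speaker supports: IPv4 and IPv6 unicast.
KNOWN_AFI_SAFI = {(1, 1), (2, 1)}


def capability_name(code):
    """Bounds-checked code-to-string lookup: the valid range is
    0 <= code < len(table); '<=' would read one entry past the end."""
    if 0 <= code < len(CAPABILITY_NAMES):
        return CAPABILITY_NAMES[code]
    return "Unknown(%d)" % code


def parse_capabilities_buggy(buf, max_iterations=1000):
    """Models the failure mode: an unrecognised AFI/SAFI goes straight to the
    next iteration WITHOUT moving the cursor, so the same TLV is parsed again
    forever. max_iterations exists only so this demonstration returns."""
    off, found, iterations = 0, [], 0
    while off < len(buf):
        iterations += 1
        if iterations > max_iterations:
            return found, "stalled"          # real code would spin here
        code, length = buf[off], buf[off + 1]
        value = buf[off + 2:off + 2 + length]
        if code == 1:
            afi, _, safi = struct.unpack("!HBB", value)
            if (afi, safi) not in KNOWN_AFI_SAFI:
                continue                     # BUG: 'off' is not advanced
        found.append((capability_name(code), bytes(value)))
        off += 2 + length
    return found, "ok"


def parse_capabilities(buf):
    """Hardened parser: compute the next offset first, reject any TLV whose
    declared length overruns the buffer, and advance on every path,
    including the 'unsupported' one."""
    off, found = 0, []
    while off < len(buf):
        if len(buf) - off < 2:
            raise ValueError("truncated capability header at offset %d" % off)
        code, length = buf[off], buf[off + 1]
        nxt = off + 2 + length
        if nxt > len(buf):
            raise ValueError("capability %d length %d overruns buffer" % (code, length))
        value = buf[off + 2:nxt]
        if code == 1:
            if length != 4:                  # AFI(2) + reserved(1) + SAFI(1)
                raise ValueError("MP capability must carry 4 octets")
            afi, _, safi = struct.unpack("!HBB", value)
            label = "MultiProtocol" if (afi, safi) in KNOWN_AFI_SAFI else "MultiProtocol-unsupported"
            found.append((label, (afi, safi)))
        else:
            found.append((capability_name(code), bytes(value)))
        off = nxt                            # unconditional forward progress
    return found


def is_well_formed(buf):
    """True when the hardened parser accepts the whole buffer."""
    try:
        parse_capabilities(buf)
        return True
    except ValueError:
        return False


# Constructed sample: MP capability for AFI 25 / SAFI 65 (not supported here),
# followed by a zero-length Route Refresh capability.
SAMPLE = bytes([1, 4, 0, 25, 0, 65,
                2, 0])

if __name__ == "__main__":
    print(parse_capabilities_buggy(SAMPLE))   # ([], 'stalled')
    print(parse_capabilities(SAMPLE))
    print(capability_name(7))                 # Unknown(7)
```

The hardened loop has one invariant worth carrying into any TLV parser: the next offset is computed and validated before the value is touched, and it is assigned on every path out of the loop body, so neither a truncated header, an over-long length nor an unsupported value can stall or over-read the parser.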

Vuln: Google Chrome CVE-2018-6056 Remote Security Vulnerability

SecurityFocus Vulnerabilities - Mon, 02/19/2018 - 00:00

Vuln: Microsoft Windows Kernel CVE-2018-0810 Local Information Disclosure Vulnerability

SecurityFocus Vulnerabilities - Mon, 02/19/2018 - 00:00

CVE-2017-16924

National Vulnerability Database - Sun, 02/18/2018 - 23:29
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.

CVE-2018-6024

National Vulnerability Database - Sun, 02/18/2018 - 15:29
SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter.

CVE-2018-7212

National Vulnerability Database - Sun, 02/18/2018 - 01:29
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
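
A traversal filter that only recognises "/" as a separator never sees a ".." segment in "static\..\..\secret", yet the Windows filesystem resolves the backslashes exactly as it would slashes. The following is an added illustration of that bug class and its fix; it is not rack-protection's code. The document root, the two checker functions, safe_join and the sample request paths are constructed for the demonstration, and every path is assumed to have been percent-decoded before it reaches these functions.

```python
"""Path-traversal checks that only know '/' miss backslash traversal on Windows.

Added illustration for the Sinatra/rack-protection entry above; not
rack-protection's code. Root, checkers and sample paths are constructed, and
inputs are assumed to be percent-decoded already.
"""
import posixpath


def traversal_check_slash_only(path):
    """Returns True if the path is judged safe. Splits on '/' only, so the
    Windows form 'static\\..\\..\\secret' has no '..' segment and slips
    through even though the filesystem treats '\\' as a separator."""
    return ".." not in path.split("/")


def traversal_check_hardened(path):
    """Fold '\\' into '/' before segmenting, so a '..' segment is caught no
    matter which separator the client used."""
    return ".." not in path.replace("\\", "/").split("/")


def safe_join(root, request_path):
    """Resolve request_path beneath root, or return None when that cannot be
    done safely. Applies the separator folding, rejects '..' segments
    outright, and re-checks containment after normalisation so the result
    is provably under root."""
    unified = request_path.replace("\\", "/")
    if ".." in unified.split("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, unified.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: the classic form, the backslash form that a
# '/'-only check misses, and a benign path.
SAMPLE_REQUESTS = [
    "static/../../secret.txt",
    "static\\..\\..\\secret.txt",
    "static/site.css",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, traversal_check_slash_only(req), traversal_check_hardened(req),
              safe_join("/srv/app/public", req))
```

The second containment check in safe_join is deliberate: rejecting ".." segments stops the obvious case, but folding the separators and confirming the normalised result still starts with the root catches anything the segment test did not anticipate, and it is the test that should remain even if the segment filter is later relaxed.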

CVE-2018-7216

National Vulnerability Database - Sun, 02/18/2018 - 01:29
Cross-site request forgery (CSRF) vulnerability in esop/toolkit/profile/regData.do in Bravo Tejari Procurement Portal allows remote authenticated users to hijack the authentication of application users for requests that modify their personal data by leveraging lack of anti-CSRF tokens.
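
Both CSRF entries on this page (the NoneCms admin edit endpoint above and the Bravo Tejari regData.do endpoint here) come down to the same missing control: a state-changing request is authorised by the session cookie alone, which the browser attaches to a cross-site form post automatically. The following is an added example of the synchronizer-token check that closes that gap; it is code from neither product. The session store, the request shape and the handler are constructed so the check runs without a web framework.

```python
"""Synchronizer-token CSRF protection for state-changing requests.

Added example for the CSRF entries on this page; not code from NoneCms or
Bravo Tejari. Session store, request shape and handler are constructed.
"""
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Mint one unguessable token per session and keep it server-side; the
    page embeds the same value in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session, submitted):
    """Constant-time comparison that fails closed on a missing token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_profile_update(session, request):
    """Hypothetical 'update my data' handler. The cookie rides along with a
    cross-site post, so it must never authorise a change by itself: the
    form-carried token, which a third-party page cannot read, has to match
    the session's copy."""
    method = request.get("method", "GET")
    form = request.get("form", {})
    if method in STATE_CHANGING:
        if not csrf_token_valid(session, form.get("csrf_token")):
            return 403, "CSRF token missing or invalid"
        session["email"] = form.get("email", session.get("email"))
        return 200, "updated"
    # GET: render the form, carrying the token as a hidden field.
    return 200, issue_csrf_token(session)


def simulate_attack_and_legit_flow():
    """Drive the handler through a forged post and a genuine one; returns
    (forged_status, legit_status, final_email)."""
    session = {"user": "alice", "email": "alice@example.test"}
    # Attacker's page auto-submits a form: the cookie is sent, but the
    # attacker has no way to learn the token. (Constructed request.)
    forged = {"method": "POST", "form": {"email": "attacker@example.test"}}
    forged_status, _ = handle_profile_update(session, forged)
    # Genuine flow: GET renders the form with the token, then POSTs it back.
    _, token = handle_profile_update(session, {"method": "GET"})
    legit = {"method": "POST",
             "form": {"email": "alice2@example.test", "csrf_token": token}}
    legit_status, _ = handle_profile_update(session, legit)
    return forged_status, legit_status, session["email"]


if __name__ == "__main__":
    print(simulate_attack_and_legit_flow())   # (403, 200, 'alice2@example.test')
```

The token is tied to the session rather than to the user so that it changes on re-login, and the comparison uses hmac.compare_digest so a wrong guess cannot be narrowed down by timing. A SameSite cookie attribute and an Origin/Referer check are worthwhile layers on top, but neither replaces the token when the application has to support older clients or cross-origin embedding.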

CVE-2018-7217

National Vulnerability Database - Sun, 02/18/2018 - 01:29
In Bravo Tejari Procurement Portal, uploaded files are not properly validated by the application either on the client or the server side. An attacker can take advantage of this vulnerability and upload malicious executable files to compromise the application, as demonstrated by an esop/evm/OPPreliminaryForms.do?formId=857 request.
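
An upload handler that accepts whatever name and Content-Type the client sends will store an executable under a path the attacker chose. The following is an added example of the server-side validation a practitioner would expect instead; it is not Bravo Tejari code. The extension allowlist, the file signatures, the size cap and the sample payloads are constructed for the demonstration.

```python
"""Server-side upload validation that trusts neither the filename nor the
client's Content-Type.

Added example for the unrestricted-upload entry above; not Bravo Tejari
code. Allowlist, signatures, size cap and payloads are constructed.
"""
import os
import secrets

MAX_BYTES = 5 * 1024 * 1024

# extension -> (content type to serve it as, file signature at offset 0)
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}

# Script markers that must not appear anywhere in an accepted file. A PNG
# with '<?php' inside a chunk is a polyglot that the web server may execute
# if it is ever served by the wrong handler; re-encoding images is the
# stronger fix and this scan is defence in depth.
FORBIDDEN_MARKERS = (b"<?php", b"<%", b"<script")


def validate_upload(filename, data):
    """Return (accepted, message, stored_name). The stored name is random and
    carries only the validated extension, so 'shell.php.png' cannot smuggle
    a '.php' component into the path that ends up on disk."""
    if len(data) > MAX_BYTES:
        return False, "file exceeds %d bytes" % MAX_BYTES, None
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, "extension %r not allowed" % (ext or ""), None
    content_type, magic = ALLOWED[ext]
    if not data.startswith(magic):
        return False, "content does not match %s" % content_type, None
    lowered = data.lower()
    if any(marker in lowered for marker in FORBIDDEN_MARKERS):
        return False, "embedded script marker", None
    stored_name = secrets.token_hex(16) + ext
    return True, content_type, stored_name


# Constructed payloads.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['c']); ?>"
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + PHP_SHELL

if __name__ == "__main__":
    for name, blob in [("avatar.png", GOOD_PNG), ("shell.php", PHP_SHELL),
                       ("shell.php.png", PHP_SHELL), ("poly.png", POLYGLOT_PNG)]:
        print(name, validate_upload(name, blob))
```

The returned content type is the one the application should serve the file with, regardless of what the client declared; storing uploads outside the web root, or on a host that never executes what it serves, removes the remaining risk that a signature check cannot.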

CVE-2018-7207

National Vulnerability Database - Sat, 02/17/2018 - 23:29
National Payments Corporation of India (NPCI) Bharat Interface for Money (aka BHIM) 1.4.1 sends messages to undocumented telephone numbers in conjunction with logout/login actions, which allows remote attackers to obtain sensitive information.

CVE-2018-7208

National Vulnerability Database - Sat, 02/17/2018 - 23:29
In the coff_pointerize_aux function in coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.30, an index is not validated, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted file, as demonstrated by objcopy of a COFF object.

CVE-2018-7209

National Vulnerability Database - Sat, 02/17/2018 - 23:29
An issue was discovered in iDashboards 9.6b. It allows remote attackers to obtain sensitive information via a direct request for the idashboards/config.xml URI, as demonstrated by intranet URLs for reports.

CVE-2018-7210

National Vulnerability Database - Sat, 02/17/2018 - 23:29
An issue was discovered in iDashboards 9.6b. It allows remote attackers to obtain sensitive information via a direct request for the idb/config?CMD=installLicense URI, as demonstrated by intranet IP addresses and names of guest accounts.

CVE-2018-7211

National Vulnerability Database - Sat, 02/17/2018 - 23:29
An issue was discovered in iDashboards 9.6b. The SSO implementation is affected by a weak obfuscation library, allowing man-in-the-middle attackers to discover credentials.

CVE-2018-7197

National Vulnerability Database - Sat, 02/17/2018 - 22:29
An issue was discovered in Pluck through 4.7.4. A stored cross-site scripting (XSS) vulnerability allows remote unauthenticated users to inject arbitrary web script or HTML into admin/blog Reaction Comments via a crafted URL.

CVE-2018-7198

National Vulnerability Database - Sat, 02/17/2018 - 22:29
October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page.
