Security News

CVE-2019-3794

National Vulnerability Database - Thu, 07/18/2019 - 12:15
Cloud Foundry UAA, versions prior to v73.4.0, does not set an X-FRAME-OPTIONS header on various endpoints. A remote user can perform clickjacking attacks on UAA's frontend sites.
Categories: Security News

CVE-2019-9231

National Vulnerability Database - Thu, 07/18/2019 - 12:15
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions before 7.20A.202.307. A Cross-Site Request Forgery (CSRF) vulnerability in the management web interface allows remote attackers to execute malicious and unauthorized actions, because CSRFProtection=1 is not a default and is not documented.
Categories: Security News

CVE-2019-1010104

National Vulnerability Database - Thu, 07/18/2019 - 12:15
TechyTalk Quick Chat WordPress Plugin All up to the latest is affected by: SQL Injection. The impact is: Access to the database. The component is: like_escape is used in Quick-chat.php line 399. The attack vector is: Crafted ajax request.
Categories: Security News

CVE-2019-13509

National Vulnerability Database - Thu, 07/18/2019 - 12:15
In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
Categories: Security News

CVE-2019-13575 (everest_forms)

National Vulnerability Database - Thu, 07/18/2019 - 11:15
A SQL injection vulnerability exists in WPEverest Everest Forms plugin for WordPress through 1.4.9. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via includes/evf-entry-functions.php
Categories: Security News

CVE-2019-13607

National Vulnerability Database - Thu, 07/18/2019 - 11:15
The Opera Mini application through 16.0.14 for iOS has a UXSS vulnerability that can be triggered by performing navigation to a javascript: URL.
Categories: Security News

CVE-2019-13915

National Vulnerability Database - Thu, 07/18/2019 - 11:15
b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.
Categories: Security News

CVE-2019-9230

National Vulnerability Database - Thu, 07/18/2019 - 11:15
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.253. A cross-site scripting (XSS) vulnerability in the search function of the management web interface allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.
Categories: Security News

CVE-2019-1010066

National Vulnerability Database - Thu, 07/18/2019 - 10:15
Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: Incorrect Access Control. The impact is: An attacker could modify model specific registers. The component is: ioctl handling. The attack vector is: An attacker could exploit a bug in ioctl interface whitelist checking, in order to write to model specific registers, normally a function reserved for the root user. The fixed version is: v1.2.0.
Categories: Security News

CVE-2019-1010069

National Vulnerability Database - Thu, 07/18/2019 - 10:15
moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control. The impact is: Allows attackers to cause a denial of service attack via a crafted file. The component is: front.c, function txt_add. The fixed version is: after commit commit 08aef597656d065e86075f3d53fda89765845eae.
Categories: Security News

CVE-2019-1010073

National Vulnerability Database - Thu, 07/18/2019 - 10:15
BACnet Stack bacserv 0.9.1 and 0.8.5 is affected by: Buffer Overflow. The impact is: exploit was not explored. The component is: bacserv BVLC forwarded NPDU. bvlc_bdt_forward_npdu() calls bvlc_encode_forwarded_npdu() which copies the content from the request into a local in the bvlc_bdt_forward_npdu() stack frame and clobbers the canary. The attack vector is: A BACnet/IP device with BBMD enabled based on this library connected to IP network. The fixed version is: 0.8.6.
Categories: Security News

CVE-2019-1010054 (dolibarr)

National Vulnerability Database - Thu, 07/18/2019 - 09:15
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access malitious urls.
Categories: Security News

CVE-2019-1010094 (domainmod)

National Vulnerability Database - Thu, 07/18/2019 - 09:15
domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.
Categories: Security News

CVE-2019-1010095 (domainmod)

National Vulnerability Database - Thu, 07/18/2019 - 09:15
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: http://127.0.0.1/admin/users/add.php. The attack vector is: After the administrator logged in, open the html page.
Categories: Security News

CVE-2019-1010096 (domainmod)

National Vulnerability Database - Thu, 07/18/2019 - 09:15
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrator logged in, open the html page.
Categories: Security News

CVE-2016-10762 (camptix_event_ticketing)

National Vulnerability Database - Thu, 07/18/2019 - 08:15
The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.
Categories: Security News

CVE-2016-10763 (camptix_event_ticketing)

National Vulnerability Database - Thu, 07/18/2019 - 08:15
The CampTix Event Ticketing plugin before 1.5 for WordPress allows XSS in the admin section via a ticket title or body.
Categories: Security News

Bugtraq: [SECURITY] [DSA 4267-1] kamailio security update

SecurityFocus Vulnerabilities - Thu, 07/18/2019 - 04:20
[SECURITY] [DSA 4267-1] kamailio security update
Categories: Security News

CVE-2019-13643

National Vulnerability Database - Wed, 07/17/2019 - 23:15
Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute malicious JavaScript and inject arbitrary source code into the target pages. The attack begins by storing a new stream message containing an XSS payload. The stored payload can then be triggered by clicking a malicious link on the Notifications page.
Categories: Security News

CVE-2019-13644

National Vulnerability Database - Wed, 07/17/2019 - 23:15
Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tag_number$ tag summary page.
Categories: Security News

Pages