News aggregator

CVE-2019-0258

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
Categories: Security News

CVE-2019-0259

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SAP BusinessObjects, versions 4.2 and 4.3, (Visual Difference) allows an attacker to upload any file (including script files) without proper file format validation.
Categories: Security News

CVE-2019-0261

National Vulnerability Database - Fri, 02/15/2019 - 13:29
Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)).
Categories: Security News

CVE-2019-0262

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SAP WebIntelligence BILaunchPad, versions 4.10, 4.20, does not sufficiently encode user-controlled inputs in generated HTML reports, resulting in Cross-Site Scripting (XSS) vulnerability.
Categories: Security News

CVE-2019-0265

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SLD Registration of ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. Fixed in versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT,KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49,KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49. 7.73 KERNEL from 7.21 to 7.22, 7.45, 7.49, 7.53, 7.73, 7.75.
Categories: Security News

CVE-2019-0251

National Vulnerability Database - Fri, 02/15/2019 - 13:29
The Fiori Launchpad of SAP BusinessObjects, before versions 4.2 and 4.3, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Categories: Security News

CVE-2019-0254

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SAP Disclosure Management (before version 10.1 Stack 1301) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Categories: Security News

CVE-2019-0255

National Vulnerability Database - Fri, 02/15/2019 - 13:29
SAP NetWeaver AS ABAP Platform, Krnl64nuc 7.74, krnl64UC 7.73, 7.74, Kernel 7.73, 7.74, 7.75, fails to validate type of installation for an ABAP Server system correctly. That behavior may lead to situation, where business user achieves access to the full SAP Menu, that is 'Easy Access Menu'. The situation can be misused by any user to leverage privileges to business functionality.
Categories: Security News

CVE-2019-0256 (business_one)

National Vulnerability Database - Fri, 02/15/2019 - 13:29
Under certain conditions SAP Business One Mobile Android App, version 1.2.12, allows an attacker to access information which would otherwise be restricted.
Categories: Security News

CVE-2019-6974 (linux_kernel)

National Vulnerability Database - Fri, 02/15/2019 - 10:29
In the Linux kernel before 4.20.8, kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandles reference counting because of a race condition, leading to a use-after-free.
Categories: Security News

CVE-2019-8347 (beescms)

National Vulnerability Database - Fri, 02/15/2019 - 10:29
BEESCMS 4.0 has a CSRF vulnerability to add arbitrary VIP accounts via the admin/admin_member.php?action=add&nav=add_web_user&admin_p_nav=user URI.
Categories: Security News

CVE-2019-8345 (es_file_explorer_file_manager)

National Vulnerability Database - Fri, 02/15/2019 - 09:29
The Help feature in the ES File Explorer File Manager application 4.1.9.7.4 for Android allows session hijacking by a Man-in-the-middle attacker on the local network because HTTPS is not used, and an attacker's web site is displayed in a WebView with no information about the URL.
Categories: Security News

CVE-2019-8341 (jinja2)

National Vulnerability Database - Fri, 02/15/2019 - 02:29
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI.
Categories: Security News

CVE-2019-8343 (netwide_assembler)

National Vulnerability Database - Fri, 02/15/2019 - 02:29
In Netwide Assembler (NASM) 2.14.02, there is a use-after-free in paste_tokens in asm/preproc.c.
Categories: Security News

Vuln: Linux Kernel CVE-2018-5391 Remote Denial of Service Vulnerability

SecurityFocus Vulnerabilities - Fri, 02/15/2019 - 00:00
Linux Kernel CVE-2018-5391 Remote Denial of Service Vulnerability
Categories: Security News

Vuln: Mozilla Firefox and Firefox ESR CVE-2019-5785 Integer Overflow Vulnerability

SecurityFocus Vulnerabilities - Fri, 02/15/2019 - 00:00
Mozilla Firefox and Firefox ESR CVE-2019-5785 Integer Overflow Vulnerability
Categories: Security News

Vuln: Apache JSPWiki CVE-2018-20242 Cross Site Scripting Vulnerability

SecurityFocus Vulnerabilities - Thu, 02/14/2019 - 00:00
Apache JSPWiki CVE-2018-20242 Cross Site Scripting Vulnerability
Categories: Security News

Vuln: Apache Portable Runtime Utility CVE-2017-12613 Multiple Information Disclosure Vulnerabilities

SecurityFocus Vulnerabilities - Thu, 02/14/2019 - 00:00
Apache Portable Runtime Utility CVE-2017-12613 Multiple Information Disclosure Vulnerabilities
Categories: Security News

Vuln: Linux Kernel CVE-2017-7895 Multiple Security Bypass Vulnerabilities

SecurityFocus Vulnerabilities - Thu, 02/14/2019 - 00:00
Linux Kernel CVE-2017-7895 Multiple Security Bypass Vulnerabilities
Categories: Security News

CVE-2019-6589

National Vulnerability Database - Wed, 02/13/2019 - 19:29
On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.3, 12.1.0-12.1.3.7, and 11.6.0-11.6.3.2, a reflected Cross Site Scripting (XSS) vulnerability is present in an undisclosed page of the BIG-IP TMUI (Traffic Management User Interface) also known as the BIG-IP configuration utility.
Categories: Security News

Pages