News aggregator

CVE-2019-1010287

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Timesheet Next Gen 1.5.3 and earlier is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via a "redirect" parameter. The component is: Web login form: login.php, lines 40 and 54. The attack vector is: reflected XSS, victim may click the malicious url.
Categories: Security News

CVE-2019-11771

National Vulnerability Database - Wed, 07/17/2019 - 17:15
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users.
Categories: Security News

CVE-2019-11772

National Vulnerability Database - Wed, 07/17/2019 - 17:15
In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.
Categories: Security News

CVE-2019-12911

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.
Categories: Security News

CVE-2019-12912

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.
Categories: Security News

CVE-2019-12913

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Redbrick Shift through 3.4.3 allows an attacker to extract emails of services (such as Gmail, Outlook, etc.) used in the application.
Categories: Security News

CVE-2019-12914

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Redbrick Shift through 3.4.3 allows an attacker to extract authentication tokens of services (such as Gmail, Outlook, etc.) used in the application.
Categories: Security News

CVE-2019-13636

National Vulnerability Database - Wed, 07/17/2019 - 17:15
In GNU patch through 2.7.6, the following of symlinks is mishandled in certain cases other than input files. This affects inp.c and util.c.
Categories: Security News

CVE-2019-13637

National Vulnerability Database - Wed, 07/17/2019 - 17:15
In LogMeIn join.me before 3.16.0.5505, an attacker could execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
Categories: Security News

CVE-2019-1917

National Vulnerability Database - Wed, 07/17/2019 - 17:15
A vulnerability in the REST API interface of Cisco Vision Dynamic Signage Director could allow an unauthenticated, remote attacker to bypass authentication on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on the affected system. The REST API is enabled by default and cannot be disabled.
Categories: Security News

CVE-2019-1010263

National Vulnerability Database - Wed, 07/17/2019 - 17:15
Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm, line 614. The attack vector is: network connectivity. The fixed version is: after commit b98a59b42ded9f9e51b2560410106207c2152d6c.
Categories: Security News

CVE-2019-1010266

National Vulnerability Database - Wed, 07/17/2019 - 17:15
lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.
Categories: Security News

CVE-2019-1010275

National Vulnerability Database - Wed, 07/17/2019 - 17:15
helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. The impact is: Unauthorized clients could connect to the server because self-signed client certs were aloowed. The component is: helm (many files updated, see https://github.com/helm/helm/pull/3152/files/1096813bf9a425e2aa4ac755b6c991b626dfab50). The attack vector is: A malicious client could connect to the server over the network. The fixed version is: 2.7.2.
Categories: Security News

Announcing the Microsoft Dynamics 365 Bounty program

Security Research & Defense - Wed, 07/17/2019 - 16:49
One of Microsoft’s many security investments to protect customers is in the partnerships we build with the external security research community. We are excited to announce the launch of the Dynamics 365 Bounty program and welcome researchers to seek out and disclose any high impact vulnerabilities they may find in Dynamics 365. Rewards up to …

Announcing the Microsoft Dynamics 365 Bounty program Read More »

Categories: Security News

CVE-2019-12876

National Vulnerability Database - Wed, 07/17/2019 - 16:15
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
Categories: Security News

CVE-2019-13447

National Vulnerability Database - Wed, 07/17/2019 - 16:15
An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could access the backend database via SQL injection.
Categories: Security News

CVE-2019-13448

National Vulnerability Database - Wed, 07/17/2019 - 16:15
An issue was discovered in Sertek Xpare 3.67. The login form does not sanitize input data. Because of this, a malicious agent could exploit the vulnerable function in order to prepare an XSS payload to send to the product's clients.
Categories: Security News

CVE-2019-13493

National Vulnerability Database - Wed, 07/17/2019 - 16:15
In Sitecore 9.0 rev 171002, Persistent XSS exists in the Media Library and File Manager. An authenticated unprivileged user can modify the uploaded file extension parameter to inject arbitrary JavaScript.
Categories: Security News

CVE-2019-13577

National Vulnerability Database - Wed, 07/17/2019 - 16:15
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987.
Categories: Security News

CVE-2019-13619

National Vulnerability Database - Wed, 07/17/2019 - 16:15
In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ASN.1 BER dissector and related dissectors could crash. This was addressed in epan/asn1.c by properly restricting buffer increments.
Categories: Security News

Pages