News aggregator

CVE-2018-15360

National Vulnerability Database - Fri, 08/17/2018 - 11:29
An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0.
Categories: Security News

CVE-2018-15355

National Vulnerability Database - Fri, 08/17/2018 - 10:29
Usage of SSLv2 and SSLv3 leads to transmitted data decryption in Kraftway 24F2XG Router firmware 3.5.30.1118.
Categories: Security News

CVE-2018-15350

National Vulnerability Database - Fri, 08/17/2018 - 10:29
Router Default Credentials in Kraftway 24F2XG Router firmware version 3.5.30.1118 allow remote attackers to get privileged access to the router.
Categories: Security News

CVE-2018-15351

National Vulnerability Database - Fri, 08/17/2018 - 10:29
Denial of service via crafting malicious link and sending it to a privileged user can cause Denial of Service in Kraftway 24F2XG Router firmware version 3.5.30.1118.
Categories: Security News

CVE-2018-15352

National Vulnerability Database - Fri, 08/17/2018 - 10:29
An attacker with low privileges can cause denial of service in Kraftway 24F2XG Router firmware version 3.5.30.1118.
Categories: Security News

CVE-2018-15353

National Vulnerability Database - Fri, 08/17/2018 - 10:29
A Buffer Overflow exploited through web interface by remote attacker can cause remote code execution in Kraftway 24F2XG Router firmware 3.5.30.1118.
Categories: Security News

CVE-2018-15354

National Vulnerability Database - Fri, 08/17/2018 - 10:29
A Buffer Overflow exploited through web interface by remote attacker can cause denial of service in Kraftway 24F2XG Router firmware 3.5.30.1118.
Categories: Security News

CVE-2018-3783

National Vulnerability Database - Fri, 08/17/2018 - 09:29
A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset.
Categories: Security News

CVE-2018-3784

National Vulnerability Database - Fri, 08/17/2018 - 09:29
A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.
Categories: Security News

CVE-2018-3785

National Vulnerability Database - Fri, 08/17/2018 - 09:29
A command injection in git-dummy-commit v1.3.0 allows os level commands to be executed due to an unescaped parameter.
Categories: Security News

CVE-2018-10873

National Vulnerability Database - Fri, 08/17/2018 - 08:29
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.
Categories: Security News

CVE-2018-5546

National Vulnerability Database - Fri, 08/17/2018 - 08:29
The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS runs as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.
Categories: Security News

CVE-2018-5547

National Vulnerability Database - Fri, 08/17/2018 - 08:29
Windows Logon Integration feature of F5 BIG-IP APM client prior to version 7.1.7.1 for Windows by default uses Legacy logon mode which uses a SYSTEM account to establish network access. This feature displays a certificate user interface dialog box which contains the link to the certificate policy. By clicking on the link, unprivileged users can open additional dialog boxes and get access to the local machine windows explorer which can be used to get administrator privilege. Windows Logon Integration is vulnerable when the APM client is installed by an administrator on a user machine. Users accessing the local machine can get administrator privileges
Categories: Security News

Vuln: Cisco Web Security Appliance CVE-2018-0428 Local Privilege Escalation Vulnerability

SecurityFocus Vulnerabilities - Fri, 08/17/2018 - 00:00
Cisco Web Security Appliance CVE-2018-0428 Local Privilege Escalation Vulnerability
Categories: Security News

CVE-2018-13435

National Vulnerability Database - Thu, 08/16/2018 - 16:29
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes iOS devices on which a jailbreak has occurred.
Categories: Security News

CVE-2018-13446

National Vulnerability Database - Thu, 08/16/2018 - 16:29
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. NOTE: the vendor indicates that this is not an attack of interest within the context of their threat model, which excludes Android devices on which rooting has occurred.
Categories: Security News

CVE-2018-14567

National Vulnerability Database - Thu, 08/16/2018 - 16:29
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
Categories: Security News

CVE-2018-15122

National Vulnerability Database - Thu, 08/16/2018 - 16:29
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
Categories: Security News

CVE-2018-11509

National Vulnerability Database - Thu, 08/16/2018 - 16:29
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.
Categories: Security News

CVE-2018-11511

National Vulnerability Database - Thu, 08/16/2018 - 16:29
The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.
Categories: Security News

Pages