News aggregator

CVE-2018-7730

National Vulnerability Database - Tue, 03/06/2018 - 13:29
An issue was discovered in Exempi through 2.4.4. A certain case of a 0xffffffff length is mishandled in XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp, leading to a heap-based buffer over-read in the PSD_MetaHandler::CacheFileData() function.
Categories: Security News

CVE-2018-7731

National Vulnerability Database - Tue, 03/06/2018 - 13:29
An issue was discovered in Exempi through 2.4.4. XMPFiles/source/FormatSupport/WEBP_Support.cpp does not check whether a bitstream has a NULL value, leading to a NULL pointer dereference in the WEBP::VP8XChunk class.
Categories: Security News

CVE-2018-7732

National Vulnerability Database - Tue, 03/06/2018 - 13:29
An issue was discovered in YxtCMF 3.1. SQL Injection exists in ShitiController.class.php via the ids array parameter to exam/shiti/delshiti.html.
Categories: Security News

CVE-2018-7733

National Vulnerability Database - Tue, 03/06/2018 - 13:29
An issue was discovered in YxtCMF 3.1. RbacController.class.php has CSRF, as demonstrated by modifying an administrator account via index.php/admin/user/add_post.html.
Categories: Security News

CVE-2018-1000100

National Vulnerability Database - Tue, 03/06/2018 - 12:29
GPAC MP4Box version 0.7.1 and earlier contains a Buffer Overflow vulnerability in src/isomedia/avc_ext.c lines 2417 to 2420 that can result in heap chunks being modified; this could lead to RCE. This attack appears to be exploitable via an attacker-supplied MP4 file that, when run by the victim, may result in RCE.
Categories: Security News

CVE-2018-1000101

National Vulnerability Database - Tue, 03/06/2018 - 12:29
Mingw-w64 version 5.0.3 and earlier contains an Improper Null Termination (CWE-170) vulnerability in mingw-w64-crt (libc)->(v)snprintf. The bug may be used to corrupt subsequent string functions. This attack appears to be exploitable depending on the usage; worst case: network.
Categories: Security News

CVE-2018-7722

National Vulnerability Database - Tue, 03/06/2018 - 12:29
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /ws.php?format=json request. CSRF exploitation, related to CVE-2017-10681, may be possible.
Categories: Security News

CVE-2018-7723

National Vulnerability Database - Tue, 03/06/2018 - 12:29
The management panel in Piwigo 2.9.3 has stored XSS via the virtual_name parameter in a /admin.php?page=cat_list request, a different issue than CVE-2017-9836. CSRF exploitation, related to CVE-2017-10681, may be possible.
Categories: Security News

CVE-2018-7724

National Vulnerability Database - Tue, 03/06/2018 - 12:29
The management panel in Piwigo 2.9.3 has stored XSS via the name parameter in a /admin.php?page=photo-${photo_number} request. CSRF exploitation, related to CVE-2017-10681, may be possible.
Categories: Security News

CVE-2018-7725

National Vulnerability Database - Tue, 03/06/2018 - 12:29
An issue was discovered in ZZIPlib 0.13.68. An invalid memory address dereference was discovered in zzip_disk_fread in mmapped.c. The vulnerability causes an application crash, which leads to denial of service.
Categories: Security News

CVE-2018-7726

National Vulnerability Database - Tue, 03/06/2018 - 12:29
An issue was discovered in ZZIPlib 0.13.68. There is a bus error caused by the __zzip_parse_root_directory function of zip.c. Attackers could leverage this vulnerability to cause a denial of service via a crafted zip file.
Categories: Security News

CVE-2018-7727

National Vulnerability Database - Tue, 03/06/2018 - 12:29
An issue was discovered in ZZIPlib 0.13.68. There is a memory leak triggered in the function zzip_mem_disk_new in memdisk.c, which will lead to a denial of service attack.
Categories: Security News

CVE-2017-6280

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA driver contains a possible out-of-bounds read vulnerability due to a leak which may lead to information disclosure. This issue is rated as moderate. Android: A-63851980.
Categories: Security News

CVE-2017-6282

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an attacker has the ability to write an arbitrary value to an arbitrary location which may lead to an escalation of privileges. This issue is rated as high.
Categories: Security News

CVE-2017-6283

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA Security Engine contains a vulnerability in the RSA function where the keyslot read/write lock permissions are cleared on a chip reset which may lead to information disclosure. This issue is rated as high.
Categories: Security News

CVE-2017-6284

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA Security Engine contains a vulnerability in the Deterministic Random Bit Generator (DRBG) where the DRBG does not properly initialize and stores or transmits sensitive data using a weakened encryption scheme that is unable to protect sensitive data, which may lead to information disclosure. This issue is rated as moderate.
Categories: Security News

CVE-2017-6295

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA TrustZone Software contains a vulnerability in the Keymaster implementation where the software reads data past the end, or before the beginning, of the intended buffer; and may lead to denial of service or information disclosure. This issue is rated as high.
Categories: Security News

CVE-2017-6296

National Vulnerability Database - Tue, 03/06/2018 - 11:29
NVIDIA TrustZone Software contains a TOCTOU issue in the DRM application which may lead to the denial of service or possible escalation of privileges. This issue is rated as moderate.
Categories: Security News

CVE-2017-9783

National Vulnerability Database - Tue, 03/06/2018 - 11:29
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in a Site name updated.
Categories: Security News

CVE-2017-9786

National Vulnerability Database - Tue, 03/06/2018 - 11:29
Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP) before commit 6c3710430be26feb5371cb0377e5355d6f9a27ca allows remote attackers to inject arbitrary web script or HTML via the Description field in My account Name updated, related to home.php and actions-log.php.
Categories: Security News
