News aggregator

CVE-2017-14034

National Vulnerability Database - Wed, 11/15/2017 - 23:29
The restore_tqb_pixels function in hevc_filter.c in libavcodec, as used in libbpg 0.9.7 and other products, miscalculates a memcpy destination address, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact.
Categories: Security News

CVE-2017-16841

National Vulnerability Database - Wed, 11/15/2017 - 22:29
LanSweeper 6.0.100.75 has XSS via the description parameter to /Calendar/CalendarActions.aspx.
Categories: Security News

CVE-2017-16842

National Vulnerability Database - Wed, 11/15/2017 - 22:29
Cross-site scripting (XSS) vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.
Categories: Security News

CVE-2017-16834

National Vulnerability Database - Wed, 11/15/2017 - 21:29
PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an unprivileged account but root code execution depends on these files, which allows local users to gain privileges by leveraging access to this unprivileged account.
Categories: Security News

CVE-2017-16836

National Vulnerability Database - Wed, 11/15/2017 - 21:29
Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC20.CT software allow Unauthenticated Stored XSS via the actionHandler/ajax_managed_services.php service parameter.
Categories: Security News

CVE-2017-16837

National Vulnerability Database - Wed, 11/15/2017 - 21:29
Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.
Categories: Security News

CVE-2017-8807

National Vulnerability Database - Wed, 11/15/2017 - 21:29
vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cache 4.1.x before 4.1.9 and 5.x before 5.2.1 allows remote attackers to obtain sensitive information from process memory because a VFP_GetStorage buffer is larger than intended in certain circumstances involving -sfile Stevedore transient objects.
Categories: Security News

Bugtraq: [CVE-2017-15288] A privilege escalation vulnerability in the Scala compilation daemon

SecurityFocus Vulnerabilities - Wed, 11/15/2017 - 18:20
[CVE-2017-15288] A privilege escalation vulnerability in the Scala compilation daemon
Categories: Security News

Bugtraq: [SECURITY] [DSA 4033-1] konversation security update

SecurityFocus Vulnerabilities - Wed, 11/15/2017 - 18:20
[SECURITY] [DSA 4033-1] konversation security update
Categories: Security News

CVE-2017-15102

National Vulnerability Database - Wed, 11/15/2017 - 16:29
The tower_probe function in drivers/usb/misc/legousbtower.c in the Linux kernel before 4.8.1 allows local users (who are physically proximate for inserting a crafted USB device) to gain privileges by leveraging a write-what-where condition that occurs after a race condition and a NULL pointer dereference.
Categories: Security News

CVE-2017-15115

National Vulnerability Database - Wed, 11/15/2017 - 16:29
The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel before 4.14 does not check whether the intended netns is used in a peel-off action, which allows local users to cause a denial of service (use-after-free and system crash) or possibly have unspecified other impact via crafted system calls.
Categories: Security News

CVE-2017-5532

National Vulnerability Database - Wed, 11/15/2017 - 16:29
A vulnerability in the report renderer component of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO JasperReports Library, TIBCO JasperReports Library for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, TIBCO Jaspersoft Reporting and Analytics for AWS, TIBCO Jaspersoft Studio, and TIBCO Jaspersoft Studio for ActiveMatrix BPM may allow a subset of authorized users to perform persistent cross-site scripting (XSS) attacks. Affected releases are TIBCO JasperReports Server 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0 and below, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0 and below, TIBCO JasperReports Library 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0; 6.4.1, TIBCO JasperReports Library for ActiveMatrix BPM 6.4.1 and below, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0 and below, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0 and below, TIBCO Jaspersoft Studio 6.2.3 and below; 6.3.0; 6.3.1; 6.3.2; 6.4.0, and TIBCO Jaspersoft Studio for ActiveMatrix BPM 6.4.0 and below.
Categories: Security News

CVE-2017-5533

National Vulnerability Database - Wed, 11/15/2017 - 16:29
A vulnerability in the server content cache of TIBCO JasperReports Server, TIBCO JasperReports Server Community Edition, TIBCO JasperReports Server for ActiveMatrix BPM, TIBCO Jaspersoft for AWS with Multi-Tenancy, and TIBCO Jaspersoft Reporting and Analytics for AWS contains a vulnerability which fails to prevent remote access to all the contents of the web application, including key configuration files. Affected releases are TIBCO JasperReports Server 6.4.0, TIBCO JasperReports Server Community Edition 6.4.0, TIBCO JasperReports Server for ActiveMatrix BPM 6.4.0, TIBCO Jaspersoft for AWS with Multi-Tenancy 6.4.0, TIBCO Jaspersoft Reporting and Analytics for AWS 6.4.0.
Categories: Security News

CVE-2014-0219

National Vulnerability Database - Wed, 11/15/2017 - 13:29
Apache Karaf enables a shutdown port on the loopback interface, which allows local users to cause a denial of service (shutdown) by sending a shutdown command to all listening high ports.
Categories: Security News

CVE-2014-2845

National Vulnerability Database - Wed, 11/15/2017 - 13:29
Cyberduck before 4.4.4 on Windows does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof FTP-SSL servers via a certificate issued by an arbitrary root Certification Authority.
Categories: Security News

CVE-2014-3150

National Vulnerability Database - Wed, 11/15/2017 - 13:29
Livebox 1.1 allows remote authenticated users to upload arbitrary configuration files, download the configuration file, or obtain sensitive information via crafted Javascript.
Categories: Security News

CVE-2014-4000

National Vulnerability Database - Wed, 11/15/2017 - 11:29
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
Categories: Security News

CVE-2017-14961

National Vulnerability Database - Wed, 11/15/2017 - 11:29
In IKARUS anti.virus 2.16.7, the ntguard.sys driver contains an Arbitrary Write vulnerability because of not validating input values from IOCtl 0x8300000c.
Categories: Security News

CVE-2017-15269

National Vulnerability Database - Wed, 11/15/2017 - 11:29
The PSFTPd 10.0.4 Build 729 server does not prevent FTP bounce scans by default. These can be performed using "nmap -b" and allow performing scans via the FTP server.
Categories: Security News

CVE-2017-15270

National Vulnerability Database - Wed, 11/15/2017 - 11:29
The PSFTPd 10.0.4 Build 729 server does not properly escape data before writing it into a Comma Separated Values (CSV) file. This can be used by attackers to hide data in the Graphical User Interface (GUI) view and create arbitrary entries to a certain extent. Special characters such as '"' and ',' and '\r' are not escaped and can be used to add new entries to the log.
Categories: Security News

Pages