News aggregator

CVE-2018-7304

National Vulnerability Database - Wed, 02/21/2018 - 15:29
Tiki 17.1 does not validate user input for special characters; consequently, a CSV Injection attack can open a CMD.EXE or Calculator window on the victim machine to perform malicious activity, as demonstrated by an "=cmd|' /C calc'!A0" payload during User Creation.
Categories: Security News

CVE-2018-7305

National Vulnerability Database - Wed, 02/21/2018 - 15:29
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
Categories: Security News

CVE-2017-12161

National Vulnerability Database - Wed, 02/21/2018 - 13:29
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
Categories: Security News

CVE-2018-7289

National Vulnerability Database - Wed, 02/21/2018 - 13:29
An issue was discovered in armadito-windows-driver/src/communication.c in Armadito 0.12.7.2. Malware with filenames containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI. This happens because characters that cannot be converted from Unicode are replaced with '?' characters.
Categories: Security News

CVE-2018-7261

National Vulnerability Database - Wed, 02/21/2018 - 11:29
There are multiple Persistent XSS vulnerabilities in Radiant CMS 1.1.4. They affect Personal Preferences (Name and Username) and Configuration (Site Title, Dev Site Domain, Page Parts, and Page Fields).
Categories: Security News

CVE-2018-7280

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The Ninja Forms plugin before 3.2.14 for WordPress has XSS.
Categories: Security News

CVE-2013-4891

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The xss_clean function in CodeIgniter before 2.1.4 might allow remote attackers to bypass an intended protection mechanism and conduct cross-site scripting (XSS) attacks via an unclosed HTML tag.
Categories: Security News

CVE-2015-5314

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_process function in eap_server/eap_server_pwd.c in hostapd 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when used with (1) an internal EAP server or (2) a RADIUS server and EAP-pwd is enabled in a runtime configuration, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Categories: Security News

CVE-2015-5315

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_process function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6 does not validate that the reassembly buffer is large enough for the final fragment when EAP-pwd is enabled in a network configuration profile, which allows remote attackers to cause a denial of service (process termination) via a large final fragment in an EAP-pwd message.
Categories: Security News

CVE-2015-5316

National Vulnerability Database - Wed, 02/21/2018 - 11:29
The eap_pwd_perform_confirm_exchange function in eap_peer/eap_pwd.c in wpa_supplicant 2.x before 2.6, when EAP-pwd is enabled in a network configuration profile, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an EAP-pwd Confirm message followed by the Identity exchange.
Categories: Security News

CVE-2015-5725

National Vulnerability Database - Wed, 02/21/2018 - 11:29
SQL injection vulnerability in the offset method in the Active Record class in CodeIgniter before 2.2.4 allows remote attackers to execute arbitrary SQL commands via vectors involving the offset variable.
Categories: Security News

CVE-2016-0343

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 111784.
Categories: Security News

CVE-2016-0344

National Vulnerability Database - Wed, 02/21/2018 - 11:29
Cross-site scripting (XSS) vulnerability in the My Reports component in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. IBM X-Force ID: 111785.
Categories: Security News

CVE-2016-0345

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.3, and 3.5 before 3.5.0.1 allows remote authenticated users to obtain the installation path via vectors involving Birt report rendering. IBM X-Force ID: 111786.
Categories: Security News

CVE-2016-0348

National Vulnerability Database - Wed, 02/21/2018 - 11:29
Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3, 3.3.1, 3.3.2, and 3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM X-Force ID: 111813.
Categories: Security News

CVE-2016-0351

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 does not set the secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. IBM X-Force ID: 111890.
Categories: Security News

CVE-2016-0366

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 might allow remote attackers to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 112071.
Categories: Security News

CVE-2016-0367

National Vulnerability Database - Wed, 02/21/2018 - 11:29
IBM Security Identity Manager Virtual Appliance 7.0.x before 7.0.1.3-ISS-SIM-IF0001 allows remote authenticated users to obtain sensitive information by reading an error message. IBM X-Force ID: 112072.
Categories: Security News

CVE-2016-0369

National Vulnerability Database - Wed, 02/21/2018 - 11:29
XML external entity (XXE) vulnerability in IBM Forms Experience Builder 8.5, 8.5.1, and 8.6 allows remote authenticated users to obtain sensitive information via crafted XML data. IBM X-Force ID: 112088.
Categories: Security News

CVE-2013-0267

National Vulnerability Database - Wed, 02/21/2018 - 10:29
The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation.
Categories: Security News

Pages