News aggregator

CVE-2018-1154

National Vulnerability Database - Thu, 08/02/2018 - 15:29
In SecurityCenter versions prior to 5.7.0, a username enumeration issue could allow an unauthenticated attacker to automate the discovery of username aliases via brute force, ultimately facilitating unauthorized access. Server response output has been unified to correct this issue.
Categories: Security News

CVE-2018-1155

National Vulnerability Database - Thu, 08/02/2018 - 15:29
In SecurityCenter versions prior to 5.7.0, a cross-site scripting (XSS) issue could allow an authenticated attacker to inject JavaScript code into an image filename parameter within the Reports feature area. Properly updated input validation techniques have been implemented to correct this issue.

CVE-2018-14851

National Vulnerability Database - Thu, 08/02/2018 - 15:29
exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

CVE-2018-3834

National Vulnerability Database - Thu, 08/02/2018 - 15:29
An exploitable permanent denial of service vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent brick condition. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

CVE-2018-10921

National Vulnerability Database - Thu, 08/02/2018 - 14:29
Certain input files may trigger an integer overflow in ttembed input file processing. This overflow could potentially lead to corruption of the input file due to a lack of checking return codes of fgetc/fputc function calls.

CVE-2018-10922

National Vulnerability Database - Thu, 08/02/2018 - 14:29
An input validation flaw exists in ttembed. With a crafted input file, an attacker may be able to trigger a denial of service condition due to ttembed trusting attacker controlled values.

CVE-2018-7649

National Vulnerability Database - Thu, 08/02/2018 - 13:29
Monitorix before 3.10.1 allows XSS via CGI variables.

Bugtraq: Executable installers are vulnerable^WEVIL (case 55): escalation of privilege with VMware Player 12.5.9

SecurityFocus Vulnerabilities - Thu, 08/02/2018 - 13:20
Executable installers are vulnerable^WEVIL (case 55): escalation of privilege with VMware Player 12.5.9

Bugtraq: [slackware-security] blueman (SSA:2018-213-01)

SecurityFocus Vulnerabilities - Thu, 08/02/2018 - 13:20
[slackware-security] blueman (SSA:2018-213-01)

Bugtraq: CVE-2016-7085 NOT fixed in VMware-player-12.5.9-7535481.exe

SecurityFocus Vulnerabilities - Thu, 08/02/2018 - 13:20
CVE-2016-7085 NOT fixed in VMware-player-12.5.9-7535481.exe

CVE-2017-9118

National Vulnerability Database - Thu, 08/02/2018 - 11:29
PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.

CVE-2017-9120

National Vulnerability Database - Thu, 08/02/2018 - 11:29
PHP 7.x through 7.1.5 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a long string because of an Integer overflow in mysqli_real_escape_string.

CVE-2018-1336

National Vulnerability Database - Thu, 08/02/2018 - 10:29
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

CVE-2018-1554

National Vulnerability Database - Thu, 08/02/2018 - 10:29
IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 142891.

CVE-2018-8037

National Vulnerability Database - Thu, 08/02/2018 - 10:29
A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

CVE-2018-10920

National Vulnerability Database - Thu, 08/02/2018 - 09:29
An improper input validation bug in the DNS resolver component of Knot Resolver before 2.4.1 allows a remote attacker to poison the cache.

CVE-2018-12448

National Vulnerability Database - Thu, 08/02/2018 - 09:29
Whale Browser before 1.3.48.4 displays no URL information but only a title of a web page on the browser's address bar when visiting a non-http page, which allows an attacker to display a malicious web page with a fake domain name.

CVE-2018-8032

National Vulnerability Database - Thu, 08/02/2018 - 09:29
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.

CVE-2018-2933

National Vulnerability Database - Thu, 08/02/2018 - 08:29
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. Note: Please refer to MOS document

CVE-2018-3108

National Vulnerability Database - Thu, 08/02/2018 - 08:29
Vulnerability in the Oracle Fusion Middleware component of Oracle Fusion Middleware (subcomponent: Oracle Notification Service). Supported versions that are affected are 12.2.1.2 and 12.2.1.3. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Fusion Middleware. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Fusion Middleware accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).
